Commit ab0d186

committed
Doc Changes
1 parent e53500f commit ab0d186

1 file changed

+3
-3
lines changed

documentation/modules/exploit/windows/fileformat/dupscout_xml.md

Lines changed: 3 additions & 3 deletions
@@ -1,14 +1,14 @@
11
## Description
22

3-
This module exploits a buffer overflow in libpal.dll that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the SCA_XmlParser::GetToken function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The SCA_XmlParser::GetToken function is passed a heap pointer as an argument, which was created by the SCA_XmlParser::LoadXmlFile function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the SCA_XmlParser::ParseXmlElement function. While parsing the name attribute, the SCA_XmlParser::GetToken function copies from the heap buffer to the stack buffer until a single quote (to match name=', or a double quote to match name=") is found or until it finishes reading from the allocated heap buffer.
3+
This module exploits a buffer overflow in `libpal.dll` that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the `SCA_XmlParser::GetToken` function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The `SCA_XmlParser::GetToken` function is passed a heap pointer as an argument, which was created by the `SCA_XmlParser::LoadXmlFile` function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the `SCA_XmlParser::ParseXmlElement` function. While parsing the name attribute, the `SCA_XmlParser::GetToken` function copies from the heap buffer to the stack buffer until a single quote (to match `name='`, or a double quote to match `name="`) is found or until it finishes reading from the allocated heap buffer.
44

55
## Vulnerable Application
66

77
The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes.
88

9-
Note: The allocated stack buffer size is 1564 bytes but the first four bytes are filled with `\xff` during execution of the SCA_XmlParser::GetToken function.
9+
Note: The allocated stack buffer size is 1564 bytes but the first four bytes are filled with `\xff` during execution of the `SCA_XmlParser::GetToken` function.
1010

11-
Since the stack buffer was allocated as a local variable for the SCA_XmlParser::ParseXmlElement function, the program's control flow isn't taken over until the return of the SCA_XmlParser::ParseXmlElement function even though the return value is overwritten during execution of the SCA_XmlParser::GetToken function.
11+
Since the stack buffer was allocated as a local variable for the `SCA_XmlParser::ParseXmlElement` function, the program's control flow isn't taken over until the return of the `SCA_XmlParser::ParseXmlElement` function even though the return value is overwritten during execution of the `SCA_XmlParser::GetToken` function.
1212

1313
The format of the crafted Command file will be:
1414

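Review bot: the line 11 replacement keeps the phrase "the return value is overwritten", which is inaccurate for what the sentence is describing; the overflow of the stack buffer local to `SCA_XmlParser::ParseXmlElement` clobbers the return address saved in that function's frame, which is exactly why control is not hijacked until `SCA_XmlParser::ParseXmlElement` returns. Since this hunk is already touching that sentence, suggest changing it to "even though the saved return address is overwritten during execution of the `SCA_XmlParser::GetToken` function." While adding backticks, the untouched lines 7 and 9 would read more clearly if the "greater than 1560 bytes" threshold were tied explicitly to the note that follows it (1564-byte buffer minus the four `\xff` bytes written by `SCA_XmlParser::GetToken`), and the `name` attribute on line 7 could be formatted as code for consistency with `name='` and `name="` on line 3. Minor: the line 3 link is a plain-http URL to a setup executable; worth flagging in the docs if a user is expected to fetch it.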