Exploits / Vulnerability Discovered : 2020-07-17 |
Type : local |
Platform : windows
This exploit / vulnerability, Simple Startup Manager 1.17 'File' Local Buffer Overflow (PoC), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
#!/usr/bin/python
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR Disabled on system
# Space for shellcode: 264
#
# Two sets of instructions are needed:
# 1. JMP EDI
# 2. JMP EBX
# I found these in the OS-module SETUPAPI.dll, which is usually protected using ASLR.
# The exploit will probably not work unless changed/bruteforced.
# It is also possible to overwrite the SEH handler with 600+ bytes;
# however, I did not find any POP, POP, RETs.
#
# Walkthrough:
# 1.- Run the python script; it will create a new file "exploit.txt"
# 2.- Copy the content of the new file 'exploit.txt' to the clipboard
# 3.- Turn off DEP for startup-manager.exe
# 4.- Open 'startup-manager.exe'
# 5.- Click 'New' or go to 'File' and click 'New'
# 6.- Paste the content from the clipboard into the 'File' parameter
# 7.- Click on 'OK'
# 8.- Calc.exe runs.
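The bug class behind this PoC is an unbounded copy of the 'File' field into a fixed-size buffer. The following C program is an added illustration, not code from the PoC or from Simple Startup Manager: it shows the vulnerable copy pattern beside a bounds-checked version that rejects over-long input. The 260-byte field size and the StartupEntry layout are assumptions for the example; the real program's internals are not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the 'File' field (MAX_PATH on Windows); not taken from the real binary. */
#define FILE_FIELD_MAX 260

/* Hypothetical in-memory record for one startup entry. */
typedef struct {
    char file[FILE_FIELD_MAX];
    char name[64];
} StartupEntry;

/* Vulnerable pattern: strcpy() with no length check. Input longer than
 * FILE_FIELD_MAX runs past 'file' into adjacent memory, which is the
 * class of defect the PoC above triggers. Shown for contrast; only ever
 * called here with a short literal. */
static void set_file_unsafe(StartupEntry *e, const char *input) {
    strcpy(e->file, input);
}

/* Hardened form: measure first, reject if the string (plus NUL) does not
 * fit, and leave the destination untouched on rejection. Returns 0 on
 * success and -1 when the input is too long. */
static int set_file_safe(StartupEntry *e, const char *input) {
    size_t len = strlen(input);
    if (len >= FILE_FIELD_MAX) {
        return -1;
    }
    memcpy(e->file, input, len + 1);
    return 0;
}

/* Feed a constructed n-byte run of 'A' (the kind of padding a PoC uses)
 * to the hardened setter and report its verdict. */
static int check_length(size_t n) {
    StartupEntry e;
    char *buf = malloc(n + 1);
    if (buf == NULL) return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    memset(&e, 0, sizeof(e));
    int rc = set_file_safe(&e, buf);
    free(buf);
    return rc;
}

int main(void) {
    StartupEntry e;
    memset(&e, 0, sizeof(e));
    set_file_unsafe(&e, "calc.exe");           /* short literal: safe to copy */
    printf("259 bytes -> %d\n", check_length(259));  /* fits, returns 0 */
    printf("600 bytes -> %d\n", check_length(600));  /* rejected, returns -1 */
    return 0;
}
```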