Lucene search

329 matches found

0day.today
added 2020/05/20 12:0 a.m. | 133 views

CloudMe 1.11.2 SEH / DEP / ASLR Buffer Overflow Exploit

Exploit Title: CloudMe 1.11.2 - SEH/DEP/ASLR Buffer Overflow Exploit Author: Xenofon Vassilakopoulos Vendor Homepage: https://www.cloudme.com/en Software Link: https://www.cloudme.com/downloads/CloudMe1112.exe Version: CloudMe 1.11.2 Tested on: Windows 7 Professional x86 SP1 Steps to reproduce: 1...

0.1 AI score
Exploits: 0

0day.today
added 2020/04/21 12:0 a.m. | 315 views

Windows/x86 - MSVCRT System + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)

644 bytes small Microsoft Windows x86 shellcode that disables the Windows firewall, adds the user MajinBuu with password TurnU2C@ndy!! to the system, adds the user MajinBuu to the local groups Administrators and Remote Desktop Users, and then enables the RDP Service. Exploit Title: Windows/x86 -...

7 AI score
Exploits: 0

0day.today
added 2020/02/20 12:0 a.m. | 101 views

Windows/10 Pro - Dynamic Null-Free PopCalc Shellcode (223 bytes)

; Shellcode Title: Dynamic, Null-Free PopCalc Shellcode 223 Bytes ; Shellcode Author: Bobby Cooke ; Technique: PEB & Export Directory Table ; Tested On: Windows 10 Pro x86 10.0.18363 Build 18363 Create a new stack frame push ebp ; push current base pointer to the stack mov ebp, esp ; Set Base Sta...

0.4 AI score
Exploits: 0

Metasploit
added 2020/02/01 12:41 a.m. | 40 views

Windscribe WindscribeService Named Pipe Privilege Escalation

The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \\.\pipe\WindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names,...

7.8 CVSS | 7.4 AI score | 0.28652 EPSS
Exploits: 4

0day.today
added 2020/01/30 12:0 a.m. | 189 views

Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)

Shellcode Title: Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode 571 Bytes Shellcode Author: Bobby Cooke Technique: PEB & Export Directory Table Tested On: Windows 10 Pro x86 10.0.18363 Build 18363 Shellcode Function: When executed, this shellcode creates a cmd.exe bind shell, using the...

7.1 AI score
Exploits: 0

0day.today
added 2019/10/09 12:0 a.m. | 85 views

DeviceViewer 3.12.0.1 - (add user) Local Buffer Overflow (DEP Bypass) Exploit

Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow DEP Bypass Date: 08/10/2019 Exploit Author: Alessandro Magnosi Vendor Homepage: http://www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Exploit type: Local Tested on:...

7.4 AI score
Exploits: 0

Packet Storm
added 2019/10/09 12:0 a.m. | 309 views

DeviceViewer 3.12.0.1 Local Buffer Overflow

Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow DEP Bypass Date: 08/10/2019 Exploit Author: Alessandro Magnosi Vendor Homepage: http://www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Exploit type: Local Tested on:...

0.5 AI score
Exploits: 0

Kitploit
added 2019/10/03 8:57 p.m. | 119 views

ThreadBoat - Program Uses Thread Execution Hijacking To Inject Native Shellcode Into A Standard Win32 Application

Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application. With Thread Hijacking, it allows the hijacker.exe program to suspend a thread within the target.exe program allowing us to write shellcode to a thread. Usage int main System sys; Interceptor incp; Exceptio...

7.2 AI score
Exploits: 0 | References: 1

0day.today
added 2019/06/27 12:0 a.m. | 741 views

Windows/x86 - bitsadmin Download and Execute Shellcode (210 Bytes)

/ ; Windows/x86 - bitsadmin Download and Execute http://192.168.10.10/evil.exe c:\evil.exe Shellcode 210 Bytes ; Shellcode Title : bitsadmin download and execute ; Shellcode Author : Joseph McDonagh ; Date June 26, 2019 ; Shellcode Length 210 ; However, if the application you are exploiting alrea...

0.6 AI score
Exploits: 0

Exploit DB
added 2019/05/24 12:0 a.m. | 1042 views

Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption

Exploit Title: Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Date: 03/2019 Author: Simon Zuckerbraun Vendor: https://www.microsoft.com/ Version: February 2019 patch level Tested on: Windows 10 1809 17763.316 CVE: CVE-2019-0752 Content Dim ar1&h3000000...

7.6 CVSS | 6.5 AI score | 0.91479 EPSS
Exploits: 6

Microsoft KB
added 2019/04/09 12:0 a.m. | 95 views

Description of the security update for the remote code execution vulnerability in Windows Embedded POSReady 2009: April 9, 2019

Description of the security update for the remote code execution vulnerability in Windows Embedded POSReady 2009: April 9, 2019 Summary A remote code execution vulnerability exists in the manner in which the VBScript engine handles objects in memory. To learn more about the vulnerability, go to...

9.3 CVSS | 8.9 AI score | 0.20625 EPSS
Exploits: 0

0day.today
added 2018/12/18 12:0 a.m. | 60 views

MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method Exploit

Not only the GET method is vulnerable to BOF CVE-2004-2271. HEAD and POST methods are also vulnerable. The difference is minimal, both are exploited in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length ------------------------------------------------------------------- EAX...

9.8 CVSS | 0.81543 EPSS
Exploits: 11

Exploit DB
added 2018/12/18 12:0 a.m. | 57 views

MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow

Not only the GET method is vulnerable to BOF CVE-2004-2271. HEAD and POST methods are also vulnerable. The difference is minimal, both are exploited in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length ------------------------------------------------------------------- EAX...

9.8 CVSS | 9.5 AI score | 0.81543 EPSS
Exploits: 10

0day.today
added 2018/05/24 12:0 a.m. | 74 views

Microsoft Internet Explorer 11 #InternetExplorer #IE - javascript Code Execution Exploit

Exploit for windows platform in category local exploits ARRSIZE = 3248; firstgadgetoffsets = 150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476; stackpivotgadgetoffsets =...

9.3 CVSS | 0.3 AI score | 0.49527 EPSS
Exploits: 1

0day.today
added 2017/10/17 12:0 a.m. | 23 views

Windows/x64 - API Hooking Shellcode (117 bytes)

/ Title : Windows x64 API Hooking Shellcode Author : Roziul Hasan Khan Shifat Size : 117 bytes Date : 16/10/2017 Email : email protected Tested On : Windows 7 Ultimate x64 / / This Shellcode hooks DeteleFileW API Warning: Do no Use this Shellcode on explorer.exe Otherwise You won't be able to...

7.4 AI score
Exploits: 0

Packet Storm
added 2017/09/14 12:0 a.m. | 26 views

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflow

require 'msf/core' class MetasploitModule 'EMC AlphaStor Device Manager Opcode 0x72', 'Description' = %q This module exploits a stack based buffer overflow vulnerability found in EMC Alphastor Device Manager. The overflow is triggered when sending a specially crafted packet to the rrobotd.exe...

1.4 AI score
Exploits: 0

0day.today
added 2017/08/18 12:0 a.m. | 49 views

Microsoft Edge Chakra - Heap Buffer Overflow Exploit

Exploit for windows platform in category dos / poc IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // //...

7.6 CVSS | 7.8 AI score | 0.81659 EPSS
Exploits: 9

0day.today
added 2017/06/28 12:0 a.m. | 39 views

Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API Exploit

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in al...

9.3 CVSS | 7.5 AI score | 0.57846 EPSS
Exploits: 1

Exploit DB
added 2017/06/27 12:0 a.m. | 61 views

Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if...

7.4 AI score
Exploits: 0

exploitpack
added 2017/06/27 12:0 a.m. | 24 views

Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API

Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attacker...

7.3 AI score
Exploits: 0