Exploits / Vulnerability Discovered: 2019-04-02 | Type: local | Platform: windows
This exploit / vulnerability, AIDA64 Extreme / Engineer / Network Audit 5.99.4900 SEH buffer overflow (egghunter), is for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
#!/usr/bin/python
#---------------------------------------------------------------------------------------------------------#
# Exploit Title: AIDA64 Extreme 5.99.4900 - SEH Buffer Overflow (EggHunter)
# Date: 2019-04-01
# Vendor Homepage: https://www.aida64.com
# Software Link: http://download.aida64.com/aida64extreme599.exe
# Mirror Link: https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe
# Exploit Author: Peyman Forouzan
# Tested Version: 5.99.4900
# Tested on: WinXP SP2 32/64-bit - Win7 Enterprise SP1 32/64-bit - Win10 Enterprise 32/64-bit
# Special Thanks to my wife
#
# The program has an SEH buffer overflow in several places (this code shows one of them).
#
# Note 1: To optimize the code, I've used a "stack pivot" that is the same in the
#         Extreme, Engineer and Network Audit editions, so this code works in the
#         Extreme, Engineer and Network Audit editions of version 5.99.4900.
#         The stack pivots in the Business edition are different.
# Note 2: All the old versions of the program that are available on sites like soft32.com,
#         or in https://www.aida64.com/downloads/archive, have the same vulnerability
#         at different offsets (for example version 5.70.3800).
# Note 3: This technique (EggHunter) has been used so that the exploit works across
#         different Windows versions.
#
# Steps:
# 1- Run the python code: Aida64-Extreme.py (three files are created)
# 2- App --> File --> Preferences --> Email --> SMTP --> paste the contents of egg.txt
#    into "Display name" --> Ok
# 3- Report --> Report Wizard ... --> Next --> paste the contents of egghunter-winxp-win7.txt
#    or egghunter-win10.txt (depending on your Windows version) into "Load from file" --> Next
#    --> wait a minute --> shellcode (calc) opens
#---------------------------------------------------------------------------------------------------------#