Sunday, 12 February 2012


DIRECT RETURN - EXPLOIT RM-MP3 Converter
BUFFER OVERFLOW

Here we will try to exploit the mini-stream RM-MP3 converter with a direct return.
First we prepare our first fuzzer, written as shown below, and save it with the .py extension since it is a Python script.
Later, once you have saved and run your fuzzer, the file generated by the fuzzer is fuzzer.m3u.


When you want to share it with the XP machine in VMbox you must first enable SSH, Apache, and MySQL. After that you can open a browser, type in the IP of the Linux machine and download the file.
After that open OllyDbg, click File, then Open, browse to the location of the RM-MP3 converter application and click OK.
Once OllyDbg is running and has opened the converter application, you can open the fuzzer file downloaded earlier from within the converter.
And what is the result....??
Uuuuuuuwwwwwwhhhh ....
So the result is that register EIP is overwritten with 42424242 and ESP is also hit with the letters BBBBBBB..
Why is ESP not AAAAAAAA and EIP not 41414141....?
Well, that is because EIP is overwritten inside the second 3000-byte block.


After that, create a pattern of 3000 bytes with a command like the following.

Then open the fuzzer and modify it by copying the pattern into the fuzzer in the right place; put a # in front of the second buffer so it is not executed and is replaced by the pattern.
Then run the fuzzer with the same process as above.
We then see that EIP and ESP are overwritten, so we can calculate the offsets of EIP and ESP..
Below is how to calculate the EIP and ESP offsets.
For ESP, just take the 7 digits.

Below we can see that the 3000-byte buffer was replaced with 417 and then
buffer += '\xEF\xBE\xAD\xDE' was added after it, and the file was saved.

Then run the fuzzer with the same process as above.
Below it is shown that the value in register EIP has been turned into DEADBEEF;
next we try to write to ESP.

Then add buffer += '\xCC' * 2000; this will overwrite the existing value in register ESP.
Then run it again the same as above.
Below we can see that it was hit with cccccccccc.
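As an added defensive example (not part of the original post's fuzzer), the scanner below parses an .m3u playlist and flags entries that carry the hallmarks of this overflow: a path far longer than any real filename, long runs of a single byte like the A's and \xCC's above, and raw non-printable bytes. The thresholds and the two sample playlists are constructed assumptions for the demo.

```python
import itertools

MAX_ENTRY_LEN = 260  # assumption: Windows MAX_PATH; real playlist paths stay below this
MAX_RUN_LEN = 64  # assumption: no genuine path repeats one byte this many times
MAX_NONPRINT_RATIO = 0.05  # assumption: paths are almost entirely printable ASCII


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    return max((len(list(g)) for _, g in itertools.groupby(data)), default=0)


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7e)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7e) / len(data)


def scan_m3u(content: bytes) -> list:
    """Return (line_number, reasons) for each playlist entry that looks hostile.

    Lines starting with '#' are M3U directives or comments and are skipped,
    which is how players treat them; only file/URL entries are inspected.
    """
    findings = []
    for lineno, raw in enumerate(content.split(b"\n"), start=1):
        entry = raw.rstrip(b"\r")
        if not entry or entry.startswith(b"#"):
            continue
        reasons = []
        if len(entry) > MAX_ENTRY_LEN:
            reasons.append(f"length {len(entry)} > {MAX_ENTRY_LEN}")
        run = longest_run(entry)
        if run > MAX_RUN_LEN:
            reasons.append(f"byte run of {run}")
        ratio = nonprintable_ratio(entry)
        if ratio > MAX_NONPRINT_RATIO:
            reasons.append(f"non-printable ratio {ratio:.2f}")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed samples: a normal playlist, and one shaped like the post's fuzzer
# output (3000 filler bytes, a 4-byte return address, then an INT3 sled).
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\n"
HOSTILE = b"#EXTM3U\r\n" + b"A" * 3000 + b"\xef\xbe\xad\xde" + b"\xcc" * 2000 + b"\r\n"
```

Run scan_m3u over a playlist received from an untrusted source before handing it to an old player; the benign sample yields no findings while the hostile one is flagged on all three heuristics.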


The next stage is to find JMP ESP in the application's memory by clicking View --> Executable modules and then double-clicking SHELL32.dll

Then right-click, select Search for -> Command, or press Ctrl+F directly on the keyboard...
Type JMP ESP as below and click Find.
In the screenshot we can see that JMP ESP is at 7C9D30D7, and we write it in our fuzzer script as buffer += '\xD7\x30\x9D\x7C'
Then run it again with the same process as above, and we get a result like below ...

Now we set a breakpoint here to find out whether register EIP actually reaches the address 7C9D30D7.
Below are the results.

Now we proceed to make the PAYLOAD.
First, with the command as shown below.
Then in the browser type the address 127.0.0.1:55555,
click Payloads, select the category os: win32, then select Windows Shell Bind.

Then fill in the fields as below.
Below we can see the PAYLOAD that we made earlier.

Then copy the payload into our fuzzer script as below.


After that run the file generated by the fuzzer the same way as above.
When it is executed the application will crash, just like the picture below.


When it looks like the above you can run telnet with the following command.

waoooooowwwww .....
You've made it into the Windows XP command prompt.
It's a sign you are a believer.
Warning: if you really believe it, then when you practice on other people, do not do evil. ckckckckckckc

GOOD LUCK :)
