My latest finding: a classic buffer overflow. This time I used the great mona.py script created by the Corelan team to exploit the vulnerability. It helps to find memory addresses for all of your stack adjustment needs (besides this, the script has a lot of other powerful functions too).

During the investigation of the vulnerability I recognized that it’s quite a long way from the current stack position at crash time (0x0012E3E8) to the overwritten part of the stack (0x0012E7E8):

So you need to jump over a lot of bytes to get to the shellcode. Therefore the mona.py script has a rather cool function for this:

It looks for all kinds of “stack pivots” (or, put more simply, “stack adjustments”) in the debugged application and generates a log file listing all of them, including the protection mechanisms that apply to each, such as ASLR or SafeSEH. Since you need roughly 1000 bytes to get to the shellcode, you can now look at the mona output and choose one that moves ESP to the desired position, e.g.:

This moves ESP 1036 bytes forward, directly into the shellcode, and makes exploit development a lot easier than doing everything by hand.

Finally my exploit looks like this:

And it works:

To execute my shellcode I had to use a CALL from shell32.dll, which makes the exploit unreliable on systems other than Windows XP SP3. The executable itself contains a lot of CALLs and JMPs to ESP, but for some reason I cannot use addresses starting with two zero bytes for the CALL ESP, otherwise it completely breaks my exploit. Don’t know why yet. Still investigating. There is always a way! 🙂
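The post does not show the vulnerable parser, so the following is an added illustration, not the product's code and not the author's exploit: the shape of a “classic buffer overflow” in a file parser (an unbounded string copy of a line from a .dat file into a fixed stack buffer) beside a bounded replacement that reports truncation, which is the check a defender wants to see in a file handler. The third helper shows a property of C-string copies that is one common reason an address beginning with two zero bytes cannot survive such a copy: `strcpy`-style routines stop at the first 0x00 byte, so anything after it is never written. The buffer size, record layout and the sample value 0x41424344 are assumptions; 0x0012E7E8 is the stack address quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for illustration; the real application's
 * buffer size is not given on the page. */
#define MRU_ENTRY_MAX 64

/* Vulnerable shape: unbounded copy of attacker-controlled file content into
 * a fixed-size stack buffer. Kept for comparison only; never called. */
void mru_copy_unbounded(const char *line)
{
    char entry[MRU_ENTRY_MAX];
    strcpy(entry, line);       /* overflows when strlen(line) >= MRU_ENTRY_MAX */
    (void)entry;
}

/* Hardened replacement: copies at most dst_len-1 bytes, always terminates,
 * and returns 1 when the input was truncated (worth logging: a genuine MRU
 * path should never exceed the buffer). Returns -1 on a zero-sized buffer. */
int mru_copy_bounded(char *dst, size_t dst_len, const char *line)
{
    size_t n;
    if (dst_len == 0) return -1;
    n = strlen(line);
    if (n >= dst_len) {
        memcpy(dst, line, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 1;
    }
    memcpy(dst, line, n + 1);
    return 0;
}

/* Same pattern as the vulnerable function (fixed local buffer), but using
 * the bounded copy. Returns the truncation flag and the resulting length. */
int mru_copy_into_fixed(const char *line, size_t *copied_len)
{
    char entry[MRU_ENTRY_MAX];
    int truncated = mru_copy_bounded(entry, sizeof entry, line);
    *copied_len = strlen(entry);
    return truncated;
}

/* Number of bytes a C-string copy such as strcpy would take from a raw
 * record: it halts at the first zero byte. */
size_t cstring_copy_length(const unsigned char *rec, size_t rec_len)
{
    size_t i;
    for (i = 0; i < rec_len; i++)
        if (rec[i] == 0) return i;
    return rec_len;
}

/* Constructed record: 8 filler bytes followed by a 32-bit little-endian
 * value, the way a 4-byte address field is laid out in memory. */
size_t build_record(unsigned char *out, size_t out_len, unsigned int value)
{
    size_t i;
    if (out_len < 12) return 0;
    for (i = 0; i < 8; i++) out[i] = 'A';
    out[8]  = (unsigned char)(value & 0xffu);
    out[9]  = (unsigned char)((value >> 8) & 0xffu);
    out[10] = (unsigned char)((value >> 16) & 0xffu);
    out[11] = (unsigned char)((value >> 24) & 0xffu);
    return 12;
}

/* How many of the 12 record bytes a string copy would carry over for a
 * given 32-bit value. A value with a high zero byte (0x0012E7E8) is cut
 * short; one without zero bytes (0x41424344, assumed) is copied whole. */
size_t copy_length_of_value(unsigned int value)
{
    unsigned char rec[12];
    size_t len = build_record(rec, sizeof rec, value);
    return cstring_copy_length(rec, len);
}

int main(void)
{
    size_t n;
    printf("0x0012E7E8: %zu of 12 bytes survive a string copy\n",
           copy_length_of_value(0x0012E7E8u));
    printf("0x41424344: %zu of 12 bytes survive a string copy\n",
           copy_length_of_value(0x41424344u));
    printf("long line truncated: %d\n",
           mru_copy_into_fixed("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", &n));
    return 0;
}
```

When auditing a parser like this, the unbounded `strcpy` (or `sprintf`, `strcat`, `lstrcpyA`) from file content into a stack buffer is the finding; the fix is the bounded copy plus a log line whenever truncation fires, since that is exactly the input a fuzzer or a malicious .dat file produces.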

Exploiting the NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Vulnerability with the help of mona.py

3 thoughts on “Exploiting the NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Vulnerability with the help of mona.py

  • September 21, 2012 at 8:36 pm

    Hey, I was having a look at this exploit on Win7 and I saw NCTAudioEditor2.dll. mona tells me it is an OS DLL, but I highly doubt that. Could you confirm? If so, I’m going to try my hand at writing a ROP chain.

  • September 21, 2012 at 9:28 pm

    Never mind mate, further analysis shows ROP won’t work ;))

  • September 23, 2012 at 10:18 pm

    Yes, the NCT* libs are application DLLs, but they’re all rebased ones 🙁
