First of all… thanks to b33f from fuzzysecurity.com for the hint, which helped a lot in solving the reliability issue of my last exploit 🙂!

In my last article I wrote about the lack of a reliable way of executing the shellcode. I received a mail from b33f about MSVCR70.dll, which is installed by the application. Well, at this point it seems like I’ve been fooled by an application :-D! During my investigation I did not notice this DLL and assumed it was a system DLL like all the others, but it is indeed installed by the application:

And there is a usable way (and only one… *phew*) to run my shellcode via a PUSH ESP / RETN gadget:

This means you’ve got a reliable exploit for WinXP and Win7. But while playing around I noticed that my controllable input (junk, shellcode etc.) is placed at completely different memory addresses on WinXP and Win7, although all in all within a manageable distance. The controllable input starts at:

Windows XP: ESP+400 (Solution: ADD ESP,404 # POP EDI # POP ESI # RETN from SoundEditorPro.exe):

Windows 7: ESP+5CC (Solution: ADD ESP,838 # POP EDI # POP ESI # POP EBX # RETN from SoundEditorPro.exe):

Therefore… if you try to use the Windows XP ESP alignment on Windows 7, you’ll find that you move ESP into an area in front of your actual input, which you do not control. If you use the Win7 ESP alignment on Windows XP, ESP is placed 1092 bytes behind the Win7 ESP alignment point.
The solution: take the Windows 7 ESP alignment as a base and build a chain out of it:

This results in the following new exploit:

Et voilà: now it works on Windows 7 too:

NCMedia Sound Editor Pro v7.5.1 Windows 7 Exploit