## ## ## ## ## ## ## ## ## ## ## ##
# Exploit Title : Nero Platinum - Multiple Vulnerabilities.
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : www.nero.com
# Category & Version : Application -12.5.6.0
# Software : https://2ra5-downloads.phpnuke.org/en/c05277/nero-discspeed
# Date : 2017 19 March
# CVE : N/A
# Tested On : Windows10 - Windows NT based 6.2 - AMD64
## ## ## ## ## ## ## ## ## ## ## ##
Nero Platinum Crash And buffer Overflow Vulnerabilities
Research By Ashiyane Digital Security Team.
Details : Nero Application Tested on Windows 10[Windows NT]base 64 ,Crash with error we encountered . A review of research we realized we had to buffer overflow vulnerability.
## View Crash log : https://goo.gl/sb3n59
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ## ##
Windows NT based 6.2
AMD64
Wow64Process
Nero Version: 12.5.6.0
Internal Version: 12,5,6,0
(Nero Express)
Recorder : <PIONEER DVD-RW DVR-219L> FW version: 1.02 - HA 1 TA 0 - 12.5.6.0
Device bus : <> HA 1
Host system bus : <IDE>
Drive buffer : 2000kB
Bus Type : via Inquiry data
CD/DVD-ROM : <PIONEER DVD-RW DVR-219L> FW version: 1.02 - HA 1 TA 0 - 12.5.6.0
Device bus : <> HA 1
Host system bus : <IDE>
=== Scsi-Device-Map ===
=== CDRom-Device-Map ===
PIONEER DVD-RW DVR-219L I: CdRom0
=======================
AutoRun : 1
Excluded drive IDs:
WriteBufferSize: 83886080 (0) Byte
BUFE : 0
Physical memory : 2047MB (2097151kB)
Free physical memory: 1490MB (1526620kB)
Memory in use : 63 %
Uncached PFiles: 0x0
Global Bus Type: default (0)
Check supported media : Disabled (0)
15.1.2017
UDF compilation
00 60 00 10 20 30 40 50 - 00 00 00 21 00 00 00 00 .`...0@P...!....
00 02 FE 10 00 02 FF A0 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
1D 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
01 40 C1 FD 9E D8 52 00 - 02 36 0D 11 88 99 90 00 .@....R..6......
03 50 52 49 4E 43 4F 00 - 04 52 47 4D 31 00 00 00 .PRINCO..RGM1...
05 00 00 00 00 00 00 00 - 06 06 0F 11 98 89 90 00 ................
07 08 80 00 00 00 00 00 - 08 06 18 0B 11 07 07 00 ................
09 84 08 0F 0E 6E 08 00 - 0A 00 00 00 00 00 10 00 .....n..........
0B 00 00 00 00 00 00 00 - 0C 00 00 00 00 00 00 00 ................
0D 00 00 00 00 00 00 00 - 0E 0A 24 35 2F 29 1A 00 ..........$5/)..
0F 50 1B 29 17 97 B5 00 - 10 88 80 00 00 00 00 00 .P.)............
11 00 00 00 00 00 00 00 - 12 09 2E 37 2F 29 19 00 ...........7/)..
13 50 1B 29 17 97 B5 00 - 14 88 80 00 00 00 00 00 .P.)............
15 00 00 00 00 00 00 00 - 16 09 3F 44 3D 24 29 00 ..........?D=$).
17 60 1F 2F 1D 97 B5 00 - 18 88 84 00 04 00 04 00 .`./............
19 00 00 00 00 00 00 00 - 1A 08 57 46 42 27 24 00 ..........WFB'$.
1B 70 1F 2B 0F AA B5 00 - 1C 88 84 00 04 00 04 00 .p.+............
1D 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
#26 Text 0 File DVDR.cpp, Line 3135
Recording mode: Sequential Recording Mode for Multisession
#27 Text 0 File DVDR.cpp, Line 3293
Start write address at LBA 0
DVD high compatibility mode: Yes
#28 SPTI -1066 File SCSIPassThrough.cpp, Line 224
CdRom0: SCSIStatus(x02) WinError(0) NeroError(-1066)
CDB Data: 0xAC 00 00 00 00 00 00 00 00 64 00 00
Sense Key: 0x05 (KEY_ILLEGAL_REQUEST)
Sense Code: 0x24
Sense Qual: 0x00
Sense Area: 0x70 00 05 00 00 00 00 0A 00 00 00 00 24
Buffer x080cd740: Len x648
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
Crash Files.
CUDFTransferItem2.cpp
ThreadedTransfer.cpp
Cdrdrv.cpp
dlgbrnst.cpp
And More.
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
#######################################################