## ## ## ## ## ## ## ## ## ## ## ## # Exploit Title : Nero Platinum - Multiple Vulnerabilities. # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage : www.nero.com # Category & Version : Application -12.5.6.0 # Software : https://2ra5-downloads.phpnuke.org/en/c05277/nero-discspeed # Date : 2017 19 March # CVE : N/A # Tested On : Windows10 - Windows NT based 6.2 - AMD64 ## ## ## ## ## ## ## ## ## ## ## ## Nero Platinum Crash And buffer Overflow Vulnerabilities Research By Ashiyane Digital Security Team. Details : Nero Application Tested on Windows 10[Windows NT]base 64 ,Crash with error we encountered . A review of research we realized we had to buffer overflow vulnerability. ## View Crash log : https://goo.gl/sb3n59 ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## Windows NT based 6.2 AMD64 Wow64Process Nero Version: 12.5.6.0 Internal Version: 12,5,6,0 (Nero Express) Recorder : <PIONEER DVD-RW DVR-219L> FW version: 1.02 - HA 1 TA 0 - 12.5.6.0 Device bus : <> HA 1 Host system bus : <IDE> Drive buffer : 2000kB Bus Type : via Inquiry data CD/DVD-ROM : <PIONEER DVD-RW DVR-219L> FW version: 1.02 - HA 1 TA 0 - 12.5.6.0 Device bus : <> HA 1 Host system bus : <IDE> === Scsi-Device-Map === === CDRom-Device-Map === PIONEER DVD-RW DVR-219L I: CdRom0 ======================= AutoRun : 1 Excluded drive IDs: WriteBufferSize: 83886080 (0) Byte BUFE : 0 Physical memory : 2047MB (2097151kB) Free physical memory: 1490MB (1526620kB) Memory in use : 63 % Uncached PFiles: 0x0 Global Bus Type: default (0) Check supported media : Disabled (0) 15.1.2017 UDF compilation 00 60 00 10 20 30 40 50 - 00 00 00 21 00 00 00 00 .`...0@P...!.... 00 02 FE 10 00 02 FF A0 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 1D 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 01 40 C1 FD 9E D8 52 00 - 02 36 0D 11 88 99 90 00 .@....R..6...... 03 50 52 49 4E 43 4F 00 - 04 52 47 4D 31 00 00 00 .PRINCO..RGM1... 05 00 00 00 00 00 00 00 - 06 06 0F 11 98 89 90 00 ................ 07 08 80 00 00 00 00 00 - 08 06 18 0B 11 07 07 00 ................ 09 84 08 0F 0E 6E 08 00 - 0A 00 00 00 00 00 10 00 .....n.......... 0B 00 00 00 00 00 00 00 - 0C 00 00 00 00 00 00 00 ................ 0D 00 00 00 00 00 00 00 - 0E 0A 24 35 2F 29 1A 00 ..........$5/).. 0F 50 1B 29 17 97 B5 00 - 10 88 80 00 00 00 00 00 .P.)............ 11 00 00 00 00 00 00 00 - 12 09 2E 37 2F 29 19 00 ...........7/).. 13 50 1B 29 17 97 B5 00 - 14 88 80 00 00 00 00 00 .P.)............ 15 00 00 00 00 00 00 00 - 16 09 3F 44 3D 24 29 00 ..........?D=$). 17 60 1F 2F 1D 97 B5 00 - 18 88 84 00 04 00 04 00 .`./............ 19 00 00 00 00 00 00 00 - 1A 08 57 46 42 27 24 00 ..........WFB'$. 1B 70 1F 2B 0F AA B5 00 - 1C 88 84 00 04 00 04 00 .p.+............ 1D 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ #26 Text 0 File DVDR.cpp, Line 3135 Recording mode: Sequential Recording Mode for Multisession #27 Text 0 File DVDR.cpp, Line 3293 Start write address at LBA 0 DVD high compatibility mode: Yes #28 SPTI -1066 File SCSIPassThrough.cpp, Line 224 CdRom0: SCSIStatus(x02) WinError(0) NeroError(-1066) CDB Data: 0xAC 00 00 00 00 00 00 00 00 64 00 00 Sense Key: 0x05 (KEY_ILLEGAL_REQUEST) Sense Code: 0x24 Sense Qual: 0x00 Sense Area: 0x70 00 05 00 00 00 00 0A 00 00 00 00 24 Buffer x080cd740: Len x648 ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## Crash Files. CUDFTransferItem2.cpp ThreadedTransfer.cpp Cdrdrv.cpp dlgbrnst.cpp And More. ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir #######################################################