Microsoft Internet Explorer / MSN ICC Profiles Crash PoC Exploit
2005-07-15T00:00:00
ID EDB-ID:1110 Type exploitdb Reporter Edward Gagnon Modified 2005-07-15T00:00:00
Description
MS Internet Explorer / MSN ICC Profiles Crash PoC Exploit. DoS exploit for the Windows platform
*/-----------------------------edwardgagnon--------------/*
Can crash msn and execute commands
Windows has a buffer overflow vulnerability in the processing of embedded ICC Profiles
inside images (jpeg, tiff, etc...)
To test - create a JPEG in Adobe Photoshop and save it with the ICC checkbox enabled,
make sure you set it to RGB (that does not really matter, it just helps you find which
bytes to change for the test).
Open in a hex editor and search for "RGB XYZ " (no quotes, case sensitive)
You are now inside the header of the ICC Profile which is 128 bytes.
104 bytes away is a 4 byte number which is the Tag Count of the ICC Profile.
Change this to "FF FF FF FF" (it will be followed by a 4 byte string which is
part of a 12 byte tag. There are several such tags, which should help you identify
which bytes to change).
Save, open in internet explorer, and see the crash.
and this is the crash:
.text:73B323BC loc_73B323BC: ; CODE XREF: GetColorProfileElement+D6j
.text:73B323BC cmp [ebx], eax
.text:73B323BE jz short loc_73B323DD
.text:73B323C0 add ebx, 0Ch
.text:73B323C3 inc edx
.text:73B323C4 cmp edx, ecx
.text:73B323C6 jb short loc_73B323BC
.text:73B323C8
.text:73B323C8 loc_73B323C8: ; CODE XREF: GetColorProfileElement+CAj
.text:73B323C8 push 7DCh ; dwErrCode
.text:73B323CD call ds:SetLastError
ebx is controllable, but the loop gets a read access violation.
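The loop in the disassembly walks the tag table for as many 12-byte entries as the count at offset 128 says (cmp edx, ecx / add ebx, 0Ch), so a count of FF FF FF FF runs ebx off the end of the buffer. The reader below is an added example, not code from the advisory or from Windows: it parses the same header and tag table but refuses any profile whose tag count, or any tag entry, does not fit in the bytes actually present. The sample profiles it builds are constructed for the demonstration; the "RGB XYZ " string at offset 16 is the one the advisory searches for.

```python
"""Bounds-checked ICC tag-table reader (added example, not the original PoC)."""
import struct

ICC_HEADER_SIZE = 128      # fixed-size profile header
TAG_COUNT_OFFSET = 128     # 4-byte big-endian tag count right after the header
TAG_ENTRY_SIZE = 12        # signature(4) + data offset(4) + data size(4)


class IccProfileError(ValueError):
    """Profile is truncated or its tag table is inconsistent with its size."""


def parse_icc_tag_table(data: bytes) -> list:
    """Return [(signature, offset, size), ...] or raise IccProfileError."""
    size = len(data)
    if size < TAG_COUNT_OFFSET + 4:
        raise IccProfileError("profile shorter than header plus tag count")
    if data[36:40] != b"acsp":
        raise IccProfileError("missing 'acsp' profile signature")
    (tag_count,) = struct.unpack_from(">I", data, TAG_COUNT_OFFSET)
    # Bound the count BEFORE multiplying: in 32-bit C, count * 12 wraps for
    # huge counts, so compare against the most entries that can fit instead.
    max_tags = (size - TAG_COUNT_OFFSET - 4) // TAG_ENTRY_SIZE
    if tag_count > max_tags:
        raise IccProfileError(
            f"tag count {tag_count} exceeds the {max_tags} entries that fit")
    table_end = TAG_COUNT_OFFSET + 4 + tag_count * TAG_ENTRY_SIZE
    tags = []
    for i in range(tag_count):
        sig, off, length = struct.unpack_from(
            ">4sII", data, TAG_COUNT_OFFSET + 4 + i * TAG_ENTRY_SIZE)
        # Tag data must lie after the table and end inside the buffer.
        if off < table_end or off + length > size:
            raise IccProfileError(f"tag {sig!r} points outside the profile")
        tags.append((sig, off, length))
    return tags


def is_safe_icc_profile(data: bytes) -> bool:
    """True when the profile can be walked without reading out of bounds."""
    try:
        parse_icc_tag_table(data)
    except IccProfileError:
        return False
    return True


def build_sample_profile(tag_count_field=None) -> bytes:
    """Constructed minimal RGB monitor profile with three XYZ tags.

    tag_count_field overrides the count written at offset 128 so a
    hostile count can be fed to the parser as a test input.
    """
    tags = [b"rXYZ", b"gXYZ", b"bXYZ"]
    table_end = TAG_COUNT_OFFSET + 4 + len(tags) * TAG_ENTRY_SIZE
    # XYZType element: signature, 4 reserved bytes, three s15Fixed16 values.
    xyz = struct.pack(">4s4xiii", b"XYZ ", 0x10000, 0x10000, 0x10000)  # 20 bytes
    total = table_end + len(tags) * len(xyz)
    header = bytearray(ICC_HEADER_SIZE)
    struct.pack_into(">I", header, 0, total)   # profile size
    header[12:16] = b"mntr"                    # device class
    header[16:24] = b"RGB XYZ "                # data colour space + PCS
    header[36:40] = b"acsp"                    # profile file signature
    count = len(tags) if tag_count_field is None else tag_count_field
    body = bytearray(header) + struct.pack(">I", count)
    for i, sig in enumerate(tags):
        body += struct.pack(">4sII", sig, table_end + i * len(xyz), len(xyz))
    for _ in tags:
        body += xyz
    return bytes(body)


if __name__ == "__main__":
    good = build_sample_profile()
    print("well-formed:", is_safe_icc_profile(good), parse_icc_tag_table(good))
    print("count FFFFFFFF:", is_safe_icc_profile(build_sample_profile(0xFFFFFFFF)))
    print("truncated:", is_safe_icc_profile(good[:130]))
```

The count check is deliberately written as a division rather than `count * 12 + 132 > size`: the division form cannot overflow when ported to a 32-bit C parser, which is where a check like this belongs. A second, stricter check that each tag's offset and size stay inside the profile catches the variant where the count is plausible but an individual entry points out of bounds.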
....be kool and create a PoC and change your sig to the exploit.jpg
# milw0rm.com [2005-07-15]
Source: https://www.exploit-db.com/exploits/1110/ (download: https://www.exploit-db.com/download/1110/). Record hash 00b2829c684f5b76f88c695a7e52b8e6; no CVE or OSVDB references listed; last seen 2016-01-31.