0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ImageMagick 6.8.8-4 - Local Buffer Overflow (SEH)
[ 0Day-ID-21901 ]
Full title
ImageMagick 6.8.8-4 - Local Buffer Overflow (SEH)
[ Highlight ]
Highlight - is paid service, that can help to get more visitors to your material.
Price: 10
Price:
10Date add
Category
Platform
Verified
Price
free
Risk
[Security Risk High
]Rel. releases
Description
I saw the notice for this CVE today but there was no known published expoits so
# I figured I'd put together this quick POC. Note, all app modules for the tested
# version were compiled with safeSEH so my use of an OS module may require adjustment
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take
# some work to get it to do more.
# I figured I'd put together this quick POC. Note, all app modules for the tested
# version were compiled with safeSEH so my use of an OS module may require adjustment
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take
# some work to get it to do more.
Usage info
This particular BOF takes advantage of insecure handling of the english.xml file
# which the app uses to display various error messages. I didn't spend much time
# investigating the app so there may be additional vulnerable locations
#
# This script generates two files:
# 1) a malfored .bmp file that will cause ImageMagick to generate a specific
# error when opened (LengthAndFilesizeDoNotMatch), as defined in the
# english.xml file
# 2) a modified english.xml file that replaces the original error message with
# our exploit code
#
# To test this POC:
# 1) run the script, replace the original english.xml file (in App's folder)
# 2) open the .bmp file with ImageMagick
# which the app uses to display various error messages. I didn't spend much time
# investigating the app so there may be additional vulnerable locations
#
# This script generates two files:
# 1) a malfored .bmp file that will cause ImageMagick to generate a specific
# error when opened (LengthAndFilesizeDoNotMatch), as defined in the
# english.xml file
# 2) a modified english.xml file that replaces the original error message with
# our exploit code
#
# To test this POC:
# 1) run the script, replace the original english.xml file (in App's folder)
# 2) open the .bmp file with ImageMagick
Vendor
http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/binaries/
Affected ver
ImageMagick (all versions prior to 6.8.8-5)
Tested on
Windows XP SP3
CVE
CVE-2014-1947
Other Information
Abuses
0
Comments
0
Views
4 379
We DO NOT use Telegram or any messengers / social networks! Please, beware of scammers!
free
Open Exploit
You can open this source code for free
You can open this source code for free
[ Comments: 0 ]
Terms of use of comments:
- Users are forbidden to exchange personal contact details
- Haggle on other sites\projects is forbidden
- Reselling is forbidden
Login or register to leave comments
Login or register to leave comments