4 comments on “IrfanView PlugIns JP2 Image Processing Buffer Overflow Exploit”

  1. Hi,

    Could you explain what you mean by “these are the offsets for the vulnerability”?
    Also you write “ESP contains 6 bytes of our buffer”. What does that mean? Since ESP is the stack pointer, does that mean only 6 bytes from the buffer are on the stack?

    Thanks 🙂

  2. Well, for the QCD data, when overflowing the buffer due to an incorrect QCD, our EIP is overwritten after 196 bytes of data are entered. Yes, only 6 bytes end up on the stack which we control.

  3. Could you please explain how you know that the address 0x0049014f contains the “call esi” instruction, and how you know that 0x00460ef0 contains the “jmp esp” instruction?

    Thanks

  4. I searched for those instructions in the IrfanView process i_view32.exe. The base address for the process is 00400000, so those addresses contain those instructions.
