Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:15

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 
Author Message
 Post subject: Malformed .ZIP file with implications
PostPosted: 02 Mar 2009 18:29 

Joined: 03 Feb 2009 01:40
Posts: 31
It causes at a lot of this kind of soft to go boom !! :)))
And a few examples are...
Code:
--
ZipGenius stack buffer overflow (SEH overwrite)

EAX 32323232
ECX 0012EC10
EDX 0012ED44 ASCII 32,"22222222222222222222222222222222222222222222222222"
EBX 010CC401
ESP 0012E164
EBP 0012F154 ASCII "222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
ESI 0012ED08
EDI 010E344E
EIP 00525EEE zipgeniu.00525EEE


00525EEE   . 8B40 14        MOV EAX,DWORD PTR DS:[EAX+14]

SEH chain of main thread, item 2
Address=0012F168
SE handler=32323232

--
zip it fast format string or heap buffer overflow

00401C76  |. 8902           MOV DWORD PTR DS:[EDX],EAX


EAX 32323232
ECX 32323232
EDX 32323232
EBX 00C24CC8 ASCII "222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
ESP 0012FAD8
EBP 00560488 ZipItFas.00560488
ESI 00001024
EDI 00560484 ASCII "2222"
EIP 00401C76 ZipItFas.00401C76

---
ezip wizard stack buffer overflow (SEH overwrite)

EAX 00000002
ECX 00001C1C
EDX 00140608
EBX 00E7CC04
ESP 0012FC60
EBP 32323232
ESI 00E4F2B8
EDI 0012FE44
EIP 32323232

SEH chain of main thread, item 0
Address=0012FC60
SE handler=FCFCFCFC

---
Power zip 7.2 stack buffer overflow


Attachments:
File comment: Open it and boom !!
zip.rar [4.59 KiB]
Downloaded 121 times
Top
 Profile  
 
 
 Post subject: Re: Malformed .ZIP file with implications
PostPosted: 02 Mar 2009 21:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm this bug seems to have been already found 4 years ago although it's stated that is has been "partially/wrongly" fixed: http://secunia.com/advisories/17061/
anyway a good exercise about the PoC could be to build the zip file at runtime, it's a joke to do and allows to learn something about the zip file format.
if you need a quick C example of how reading (and consequently writing) the ZIP sections take a look to http://aluigi.org/papers/canhelpaczip.zip
another thing, report EVER the correct version of the software you test.
for example in the orbit downloader one you specified version 2.8.5 which obviously didn't existed yet when you tested the software (and I wasn't aware of betas with that version number)


Top
 Profile  
 
 Post subject: Re: Malformed .ZIP file with implications
PostPosted: 02 Mar 2009 22:32 

Joined: 03 Feb 2009 01:40
Posts: 31
Nice tool , from what I can see it generates two types or structures ,what do you want to name them.
The vs zipGenius 6.1.2.1244, zip it fast 3.0 pro, ezip probably the only one released , power zip last 7.2. Well I'd say that the bug hasn't been fixed at all ,if you search now you'll find in 1 h probably 10 more bugs at least, well let me say that probably a few read sec jurnals , anyways they still make mistakes.I'd try to look for functions that could be called remotly , I'm in the learning process,still takes a litle while,code won't execute, my guess -bad chars,don't know how to fix this issue yet.Dam I spent half a day at a program that I was working on to make that language file for idm and got some errors that pised me off :p .
Maybe someone can help.
Tnx tnx for the observations.


Attachments:
File comment: Compiled with Dev-cpp and Borland 3.1 finalized with exactly the same errors.
idmd.cpp [8.45 KiB]
Downloaded 58 times
Top
 Profile  
 
 Post subject: Re: Malformed .ZIP file with implications
PostPosted: 02 Mar 2009 23:39 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yeah that code has various errors and then it's incomplete because there are functions declared but not used.
I have attached a code with the corrections for allowing its compiling.

the main problems were the missed argument in the printf() of usage(), prototypes which differ than the real functions (I have commented them since they are not needed), "FILE *f" not initialized, "memcpy (b + offset , KILL, 1);" which is an error (why don't have used directly strcpy?), the calling of the targets() and shellcode() functions and "a[S][S]" declared as char while it's a 32bit field.

some other things I have changed are the functions which use X[SIZE] as first argument because it's probably better to declare them as *X since they are pointers to buffers (and this avoids possible problems with some compilers), the removing of "a[S][S]" in args() because unused.

obviously remains the problem of the unused functions.

another thing could be the avoiding of using names of types not immediately comprehensible (I refer to flo and Stef) and a better aligning of the code (you can use indent but it's better to do the work manually)


Attachments:
idmd.c [8.38 KiB]
Downloaded 57 times
Top
 Profile  
 
 Post subject: Re: Malformed .ZIP file with implications
PostPosted: 03 Mar 2009 13:59 

Joined: 03 Feb 2009 01:40
Posts: 31
Reading now I realize what poor details I missed, I'll work some more, thx a lot professor :) .


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: