CVE-2006-2439
Published 2006-06-01
CVE-2006-2439: Stack-based buffer overflow in ZipCentral 4.01 allows remote user-assisted attackers to execute arbitrary code via a ZIP archive containing a long filename.
Priority P342 · high · 7.6 · CVSS 2.0
AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 7.30% (93.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zipcentral | zipcentral | <= 4.01 | — |
No detection rules found.
Exploit-DB
ZipCentral - '.zip' Local Buffer Overflow (SEH)
exploitdb·2010-07-21
---
# Author : Jiten Pathy
# July 21 2010
# Thanks to the http://en.wikipedia.org/wiki/PKZIP page for helping me understand zip file format
# Thanks to corelanc0d3r for shedding light on these types of exploits at http://www.offensive-security.com/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
# Greetz to SSTeam and G4H members
# There is already an exploit on zipcentral filename handling buffer
# overflow over 2 months ago which uses an address from a system dll for
# SEH which isn't reliable across different platforms so this one uses an
# address from exe file which is a little complicated but reliable
my $filename="pwnzipcentral.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00
Exploit-DB
ZipCentral - '.zip' File (SEH)
exploitdb·2010-04-04
---
#!/usr/bin/python
#
# Title: ZipCentral (.zip) SEH exploit
# Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Download: http://downloads.pcworld.com/pub/new/utilities/compression/zcsetup.exe
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# Unfortunately, no one can be told what the Matrix is. You have to see it for yourself!
# To be able to make sure your hex values
Exploit-DB
ZipCentral 4.01 - '.ZIP' File Handling Local Buffer Overflow
exploitdb·2006-08-30
---
/*
ZipCentral 4.01 Exploit by bratax (http://www.bratax.be/)
Soooooo many thanks to BuzzDee and c0rrupt for helping me with all the
problems I encountered :) Wouldn't have finished this without you guys!
Greetz to everyone I like... (no, that doesn't include you turb00)!
Some technical info:
- vulnerability is available here:
http://secunia.com/secunia_research/2006-35/advisory
- using SEH to exploit this
- some code might look weird in this source.. (e.g. shellcode, offsets,...)
this is because a lot of values are changed in memory.. so use your favorite
debugger to see the real values and codes
- shellcode adds a windows user "bck" with password "bck" (thx metasploit)
- tested on XP Pro English (SP2) and XP Home Dutch
No writeups or analysis indexed.
http://secunia.com/advisories/20179
http://secunia.com/secunia_research/2006-35/advisory/
http://securitytracker.com/id?1016176
http://www.osvdb.org/25830
http://www.securityfocus.com/archive/1/435416/100/0/threaded
http://www.securityfocus.com/bid/18160
http://www.vupen.com/english/advisories/2006/2049
https://exchange.xforce.ibmcloud.com/vulnerabilities/26737