CVE-2008-4779
Published 2008-10-29
CVE-2008-4779: Stack-based buffer overflow in TUGzip 3.5.0.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a .zip file.
Priority: P2 · 59 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 64.69% (99.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tguzip | tguzip | — | — |
Detection & IOCs
Byte signature: ZIP Local File Header magic \x50\x4B\x03\x04 with an oversized filename field (>2504 bytes)
- Detect ZIP files with a filename field length exceeding 2504 bytes in the Local File Header (offset 26-27), which is the overflow trigger offset for TugZip 3.5.0.0.
- Look for the egg-hunter tag 'w00tw00t' embedded within a ZIP file's filename or data field, indicating use of the Corelan/Metasploit exploit for CVE-2008-4779.
- Detect ZIP files where the SEH overwrite address 0x7E0C307E (ztvcabinet.dll POP/POP/RET gadget) appears at offset 376 (372 junk + 4 nSEH) within the filename field.
- Flag ZIP files containing alphanumeric-encoded shellcode (Metasploit AlphanumMixed encoder) within the filename field, particularly those using EDI as the buffer register.
- Detect ZIP files where the Central Directory File Header filename length (\xb8\x0b = 3000 bytes) far exceeds normal filename lengths, consistent with the exploit payload size.
- The vulnerability is triggered when TugZip opens a ZIP file; monitor for TugZip process crashes (access violation at EIP=0x58585858 or similar) after opening a .zip file.
- Exploit success rate is low (~2/10 attempts) due to ASLR/stack layout variability; the SEH-based exploit (exploits/12008, Metasploit module) is more reliable than the original PoC.
- The Metasploit module targets TugZip 3.5 specifically on Windows XP SP3 (English); the ROP/SEH gadget address 0x7E0C307E is from ztvcabinet.dll version 5.00.2147.1 and will differ on other OS/patch levels.
- The egghunter is hardcoded due to a size constraint of approximately 120 usable bytes between nSEH and the end of the controllable buffer.
- Payload must avoid bad characters \x00, \x0f, \x14, \x15, \x2f, and all bytes 0x80–0xFF; AlphanumMixed encoding is required.
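As an added defender-side example (not from this page or any of the exploits it lists), the following scanner implements the first and fifth indicators above: it locates every ZIP Local File Header and Central Directory header by signature and flags any whose filename-length field exceeds the 2504-byte trigger length. The `build_oversized_name_zip` fixture is constructed here with a filename made only of 'A' bytes, so the check can be exercised offline.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # Local File Header: filename length at offset 26-27
CENTRAL_SIG = b"PK\x01\x02"  # Central Directory header: filename length at offset 28-29
MAX_NAME_LEN = 2504          # overflow trigger length for TugZip 3.5.0.0 (from the notes above)

def scan_zip_filename_lengths(data: bytes, limit: int = MAX_NAME_LEN) -> list:
    """Return (kind, header_offset, filename_length) for every header whose
    filename length exceeds `limit`. Headers are located by signature rather
    than by walking declared sizes, so a deliberately malformed archive
    cannot steer the scan past the oversized entry."""
    findings = []
    pos = 0
    while True:
        hits = [p for p in (data.find(LOCAL_SIG, pos), data.find(CENTRAL_SIG, pos)) if p != -1]
        if not hits:
            break
        pos = min(hits)
        kind, field_off = ("local", 26) if data.startswith(LOCAL_SIG, pos) else ("central", 28)
        if pos + field_off + 2 > len(data):
            break
        (name_len,) = struct.unpack_from("<H", data, pos + field_off)
        if name_len > limit:
            findings.append((kind, pos, name_len))
        pos += len(LOCAL_SIG)
    return findings

def build_benign_zip() -> bytes:
    """Constructed sample: an ordinary archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()

def build_oversized_name_zip(name_len: int = 3000) -> bytes:
    """Constructed sample: one stored entry whose filename field is `name_len`
    bytes of 'A' in both the local and central headers (no payload, just length)."""
    name, body = b"A" * name_len, b"x"
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, len(body), len(body), name_len, 0) + name + body
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, 0, len(body), len(body), name_len, 0, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

if __name__ == "__main__":
    print("benign:", scan_zip_filename_lengths(build_benign_zip()))
    print("oversized:", scan_zip_filename_lengths(build_oversized_name_zip()))
```

Signature scanning can in principle hit a `PK\x01\x02` sequence inside compressed data, so treat a single central-directory hit with a sane length as noise and only escalate on an oversized length field.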
No detection rules found.
Exploit-DB
TugZip 3.5 Archiver - '.ZIP' File Parsing Buffer Overflow (Metasploit)
exploitdb · 2011-10-11 · CVE-2008-4779
---
```ruby
##
# $Id: tugzip.rb 13868 2011-10-11 03:30:14Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/zip'
class Metasploit3 < Msf::Exploit::Remote
  'Name'        => 'TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability',
  'Description' => %q{
      This module exploits a stack-based buffer overflow vulnerability
      in the latest version 3.5 of TugZip archiving utility.
      In order to trigger the vulnerability, an attacker must convince someone
      to load a specially crafted zip file with TugZip by double click or file op
```
Exploit-DB
TugZip 3.5 Archiver - '.ZIP' File Buffer Overflow
exploitdb · 2010-04-01 · CVE-2008-4779
---
```perl
#!/usr/bin/perl
# Software : TugZip 3.5 (.zip)
# Author : Lincoln
# Assisted by : corelanc0d3r
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / __
```
Exploit-DB
TugZip 3.00 Archiver - '.zip' Local Buffer Overflow
exploitdb · 2008-10-24 · CVE-2008-4779
---
```
/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow
"If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK)
Well hello there ,greetz from Romania,here is a exploit for the archiver TUGzip.
So the payload doesen't always execute,it's just a matter of patience,from 10
attemps you get success on 2 in the best case.Got 3 more archivers with stack
overflow and heap overflow,I'm bored... I'm looking for a new approach,will see
soon what I'm going to bring you.
"Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa"
Credits go to Stefan Marin or fl0 fl0w :) .
All the best !
Registers
EAX 00000000
ECX 00000064
EDX 0013F6D0
EBX 0117AB
```
Metasploit
TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability
metasploit
This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker can execute arbitrary code as the victim user.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/32411
- http://securityreason.com/securityalert/4528
- http://www.securityfocus.com/bid/31913
- http://www.vupen.com/english/advisories/2008/2918
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46120
- https://www.exploit-db.com/exploits/6831