CVE-2008-4779
published 2008-10-29

CVE-2008-4779: Stack-based buffer overflow in TUGzip 3.5.0.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a .zip file.

Priority: P2 (59), critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 64.69% (99.1th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
tguzip | tguzip | - | -

Detection & IOCs (extracted from sources)

[other] SEH overwrite return address: 0x7e0c307e (ztvcabinet.dll POP EBX > POP EBP > RETN)
[other] nSEH bytes: \x61\x5c\x7a\x04
[other] Egg tag: w00tw00t
[other] Payload bad characters: \x00\x0f\x14\x15\x2f and 0x80-0xff
[other] Encoder type: AlphanumMixed with BufferRegister EDI (egghunter)
[other] EIP overwrite value: 0x58585858 (XXXX)
[other] SEH handler overwrite value: 0xC9C9C9C9
[bytes] ZIP Local File Header magic: \x50\x4B\x03\x04 with oversized filename field (>2504 bytes)

  • Detect ZIP files with a filename field length exceeding 2504 bytes in the Local File Header (offset 26-27), which is the overflow trigger offset for TugZip 3.5.0.0.
  • Look for the egg-hunter tag 'w00tw00t' embedded within a ZIP file's filename or data field, indicating use of the Corelan/Metasploit exploit for CVE-2008-4779.
  • Detect ZIP files where the SEH overwrite address 0x7E0C307E (ztvcabinet.dll POP/POP/RET gadget) appears at offset 376 (372 junk + 4 nSEH) within the filename field.
  • Flag ZIP files containing alphanumeric-encoded shellcode (Metasploit AlphanumMixed encoder) within the filename field, particularly those using EDI as the buffer register.
  • Detect ZIP files where the Central Directory File Header filename length (\xb8\x0b = 3000 bytes) far exceeds normal filename lengths, consistent with the exploit payload size.
  • The vulnerability is triggered when TugZip opens a ZIP file; monitor for TugZip process crashes (access violation at EIP=0x58585858 or similar) after opening a .zip file.
  • Exploit success rate is low (~2/10 attempts) due to ASLR/stack layout variability; the SEH-based exploit (exploits/12008, Metasploit module) is more reliable than the original PoC.
  • The Metasploit module targets TugZip 3.5 specifically on Windows XP SP3 (English); the ROP/SEH gadget address 0x7E0C307E is from ztvcabinet.dll version 5.00.2147.1 and will differ on other OS/patch levels.
  • The egghunter is hardcoded due to a size constraint of approximately 120 usable bytes between nSEH and the end of the controllable buffer.
  • Payload must avoid bad characters \x00, \x0f, \x14, \x15, \x2f, and all bytes 0x80–0xFF; AlphanumMixed encoding is required.
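A defender-side scanner for the two file-level indicators listed above (a ZIP header whose filename length field exceeds 2504 bytes, and the w00tw00t egg tag), added here as an example and not part of the database record or of any tool it cites. The header offsets and the 2504-byte threshold come from the notes above; the sample inputs are constructed fixtures.

```python
import io
import struct
import zipfile

# Constants taken from the page's detection notes.
LOCAL_HDR_SIG = b"PK\x03\x04"    # Local File Header magic \x50\x4B\x03\x04
CENTRAL_HDR_SIG = b"PK\x01\x02"  # Central Directory File Header magic
MAX_NAME_LEN = 2504              # filename length that overflows TUGzip 3.5.0.0
EGG_TAG = b"w00tw00t"            # egg-hunter tag used by the public exploit


def scan_zip_bytes(data: bytes) -> list:
    """Return findings for one in-memory ZIP: oversized filename fields and the egg tag.

    Signature-driven rather than zipfile-based, so malformed archives are still inspected.
    Filename length is the little-endian uint16 at offset 26 of a Local File Header
    and at offset 28 of a Central Directory File Header.
    """
    findings = []
    pos = data.find(b"PK")
    while pos >= 0:
        sig = data[pos:pos + 4]
        if sig == LOCAL_HDR_SIG and pos + 30 <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            if name_len > MAX_NAME_LEN:
                findings.append(f"local header @{pos}: filename length {name_len}")
        elif sig == CENTRAL_HDR_SIG and pos + 46 <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + 28)
            if name_len > MAX_NAME_LEN:
                findings.append(f"central header @{pos}: filename length {name_len}")
        pos = data.find(b"PK", pos + 1)
    egg = data.find(EGG_TAG)
    if egg >= 0:
        findings.append(f"egg tag {EGG_TAG.decode()} @{egg}")
    return findings


def local_header(name: bytes) -> bytes:
    """Constructed fixture: a bare Local File Header carrying `name` (no file data)."""
    fields = struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0)
    return LOCAL_HDR_SIG + fields + name


def benign_zip() -> bytes:
    """Constructed fixture: an ordinary archive written by the zipfile module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()
```

Run `scan_zip_bytes` over the raw bytes of each archive at a mail gateway or on a file share; a normal archive yields an empty list, while a header with a 3000-byte name field yields one finding.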