cbcvebase.
CVE-2009-1028
published 2009-03-20

CVE-2009-1028: Stack-based buffer overflow in ediSys eZip Wizard 3.0 allows remote attackers to execute arbitrary code via a crafted .zip file.

Priority: P354 · Severity: critical · CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 33.01% (percentile 98.1)

Affected (1 range)

Vendor   Product       Version range   Fixed in
edisys   ezip_wizard   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • registry: 0x10020710
  • command: SEH overwrite at offset 50 with nseh=\x61\x61\x7a\x04, seh=\x10\x07\x02\x10
  • bytes: \x61\x61\x7a\x04 (nseh) + \x10\x07\x02\x10 (seh)
  • bytes: \x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34
  • bytes: w00tw00t (egg tag)
  • Exploit triggers when a victim double-clicks a file inside the crafted ZIP archive opened with eZip Wizard 3.0; monitor for eZip Wizard spawning unexpected child processes.
  • Crafted ZIP local file header contains the magic bytes 50 4B 03 04 followed by timestamp bytes B7 AC CE 34; detect anomalous ZIP files with this specific timestamp pattern.
  • SEH chain overwrite: look for 0x58585858 / 0x41414141 pattern in SEH chain of eZip Wizard process, as shown in the PoC.
  • The Metasploit module uses AlphanumMixed encoder (x86/alpha_mixed) with BufferRegister=ESP; detect alphanumeric shellcode in ZIP filename fields.
  • Egg-hunter tag 'w00t' (w00tw00t marker) present in ZIP filename or file data field indicates exploitation attempt.
  • The crafted ZIP filename field is padded to ~2500 bytes (\xc4\x09 = 2500 in filename length field); ZIP files with abnormally large filename lengths targeting eZip Wizard should be flagged.
  • The exploit filename inside the ZIP is crafted as 'Admin passwords.txt' padded to 50 bytes before the SEH overwrite; monitor for ZIP entries with this filename pattern.
  • The SEH return address 0x10020710 is labeled 'Windows Universal' but was tested specifically on XP SP3 EN (VirtualBox); reliability on other Windows versions is not guaranteed.
  • The junk offset of 50 bytes to reach SEH may require adjustment depending on the USERNAME length supplied; a USERNAME of 9 or more characters changes the padding calculation.
  • The Metasploit module adjusts padding based on USERNAME length: if USERNAME length >= 9, padding = Offset - 8; otherwise padding = Offset - USERNAME.length.
  • Bad characters that do not apply to the final payload but must be avoided in the egghunter/SEH overwrite region include null bytes and path separator characters.