CVE-2018-16302
Description
A crafted file triggers a stack-based buffer overflow in MediaComm Zip-n-Go before v4.95, enabling local arbitrary code execution via SEH overwrite.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MediaComm Zip-n-Go versions prior to 4.95 contain a stack-based buffer overflow vulnerability that is triggered when processing a specially crafted file. The vulnerability resides in the application's file parsing logic, allowing an attacker to overwrite the structured exception handler (SEH) chain. No special configuration is required; the bug is reachable simply by opening a malicious archive file (e.g., .zip) within the affected software [1].
Exploitation
An attacker sends a crafted file to a target user. The user must open the file with the vulnerable version of Zip-n-Go (v4.9 and earlier). The exploit code published on Exploit-DB shows a SEH-based overflow that uses a payload encoded with x86/alpha_mixed to bypass character restrictions. The attacker does not need prior authentication; the attack vector is local (user interaction required) [1].
Impact
Successful exploitation gives the attacker arbitrary code execution with the privileges of the user running Zip-n-Go. The published proof-of-concept payload opens a bind shell on a TCP port, allowing remote command execution on the compromised system. This results in full compromise of the target's confidentiality, integrity, and availability at the user level [1].
Mitigation
MediaComm released version 4.95 on June 3, 2018, which contains a patch that nullifies the vulnerability after collaborative testing with the researcher. Users should upgrade to version 4.95 or later immediately. No other workaround is available, and this CVE is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Buffer overflow in Zip-n-Go's ZIP file parsing: the file name length field in the local file header is set to 0x0fe4 (4068 bytes), but the application copies that many bytes into a fixed-size stack buffer without bounds checking, allowing SEH-based code execution."
Attack vector
An attacker crafts a malicious ZIP file (Evil.zip) where the local file header's file name length field is set to 0x0fe4 (4068 bytes) [ref_id=1]. The file name field is then filled with a long buffer (3066 bytes of padding, shellcode, a short-jump gadget, and a SEH overwrite pointer) followed by ".txt" [ref_id=1]. When Zip-n-Go opens the crafted archive, it copies the oversized file name into a stack buffer, overwriting the Structured Exception Handler (SEH) chain. The SEH pointer (0x00404c6e) points to a "pop ecx; pop ebp; retn" sequence in zip-n-go.exe, which redirects execution to the attacker's shellcode [ref_id=1]. The exploit binds a shell on TCP port 4444 (default for windows/shell_bind_tcp) [ref_id=1].
Affected code
The vulnerable code resides in the ZIP file parsing routine of Zip-n-Go versions prior to 4.95. The exact function name is not disclosed in the public exploit, but the crash occurs when the application processes the file name field of a ZIP local file header, copying up to 4068 bytes into a stack buffer without length validation [ref_id=1].
What the fix does
The vendor released version 4.95 on 2018-06-03 after coordinated disclosure [ref_id=1]. The initial patch from the vendor did not fully resolve the issue; a second patch was applied on 2018-05-31 that successfully nullified the vulnerability [ref_id=1]. The fix likely adds proper bounds checking on the file name length field when parsing ZIP local file headers, preventing the oversized copy into the stack buffer. No patch diff is available in the public record.
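The kind of bounds check this paragraph describes, as an added example; it is not MediaComm's code, which is not public. The names `lfh_read_name`, `make_sample_lfh` and the 260-byte `NAME_MAX_LEN` limit are assumptions, and the field offsets follow the standard ZIP local file header layout.

```c
/* Added example: bounds-checked read of a ZIP local file header name.
   Not Zip-n-Go code; names and NAME_MAX_LEN are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LFH_SIG      0x04034b50u  /* "PK\x03\x04" read as little-endian */
#define LFH_FIXED    30           /* fixed part of a local file header */
#define NAME_MAX_LEN 260          /* assumed limit (Windows MAX_PATH) */

enum lfh_status { LFH_OK = 0, LFH_TRUNCATED, LFH_BAD_SIG, LFH_NAME_TOO_LONG };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the entry name into out (size out_sz), NUL-terminated.
   The length field comes from the file, so it is validated against
   both the destination size and the bytes actually present. */
enum lfh_status lfh_read_name(const uint8_t *buf, size_t len,
                              char *out, size_t out_sz)
{
    if (len < LFH_FIXED) return LFH_TRUNCATED;
    if (rd32(buf) != LFH_SIG) return LFH_BAD_SIG;

    uint16_t name_len = rd16(buf + 26);   /* file name length field */
    if (name_len > NAME_MAX_LEN || (size_t)name_len >= out_sz)
        return LFH_NAME_TOO_LONG;         /* a 0x0fe4 field is rejected here */
    if ((size_t)name_len > len - LFH_FIXED)
        return LFH_TRUNCATED;             /* field claims more than exists */

    memcpy(out, buf + LFH_FIXED, name_len);
    out[name_len] = '\0';
    return LFH_OK;
}

/* Build a constructed header: given name-length field, then `avail`
   filler bytes of name data. Returns total length, 0 if cap is too small. */
size_t make_sample_lfh(uint8_t *dst, size_t cap, uint16_t field, size_t avail)
{
    if (cap < LFH_FIXED + avail) return 0;
    memset(dst, 0, LFH_FIXED);
    memcpy(dst, "PK\x03\x04", 4);
    dst[26] = (uint8_t)(field & 0xff);
    dst[27] = (uint8_t)(field >> 8);
    memset(dst + LFH_FIXED, 'a', avail);
    return LFH_FIXED + avail;
}
```

The same length test can be run over inbound archives as a triage check before they reach an unpatched client.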
Preconditions
- input: The victim must open a crafted .zip file using Zip-n-Go v4.9 or earlier
- auth: No authentication or special privileges required; the attack is triggered by file open
- config: The exploit targets Windows 7 SP1 x86, but the vulnerability likely affects all supported Windows platforms
Reproduction
1. Run the provided Python script to generate Evil.zip: `python exploit.py` [ref_id=1].
2. Open Evil.zip with Zip-n-Go v4.9 (or earlier) on a Windows 7 SP1 x86 system [ref_id=1].
3. The application will trigger a SEH-based buffer overflow, executing the bind shell payload on TCP port 4444 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/44828/ (mitre, exploit, x_refsource_EXPLOIT-DB)