Zip bomb is a potentially vulnerable file, which leads to computer crash.
Zip bomb are of two types
- Recursive
- Can be built in Windows environment
- Non-recursive
- Can be built in Linux environment using a tool called zip bomb.
-
Open any text editor and insert null value (press ALT+255 in keyboard) continued by < space >.
-
Save the file in a fresh folder and name the file as a.txt.
-
Now copy the file and paste the file for 10-20 times in he same folder.
-
Now club all the a.txt files to one file.
-
Open cmd prompt and navigate to the file location.
-
A new file is generated in the same folder called b.txt by the above command.
-
Delete all the files other that b.txt file.
-
Now repeat the same process from point 3(copy b.txt file and paste for 10-20 times...).
-
Continue till f.txt file with a solid file size of 1GB.
-
-
Now Zip the f.txt file with
7ZIP
with the below options and name it as exploit0.zip (zipping takes some time). -
Now DELETE the f.txt file and copy the exploit0.zip file and paste for 10 times.
-
Select all and zip the files using
7ZIP
by following point 5 options and name it as exploit1.zip. -
Now DELETE the exploit0.zip files and repeat the same process as point 6.
-
Continue the same process till exploit9.zip file with a size of 99KB.
Now the recursive Zip Bomb is ready.
Size mentioned in the table to original (uncompressed) size of the file.
a.txt | >>> | f.txt | exploit0.zip=1GB | exploit1.zip=10GB | exploit2.zip=100GB | >>> | exploit9.zip=1,000,000,000GB or 1000PB |
---|---|---|---|---|---|---|---|
1KB | >>> | 1GB | 1GB | 1GB | 100GB | >>> | 100PB |
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB | ||||
1GB | 100GB | >>> | 100PB |
- Open Terminal and clone the zip bomb tool using this
git clone https://www.bamsoftware.com/git/zipbomb.git
. - Navigate to
zip bomb
folder and type inpython3 zipbomb --mode=quoted_overlap --num-files=250 --compressed-size=21179 > zbsm.zip
. - This will create a malicious zip file
zbsm.zip
. - Now the zip bomb is ready, you can also insert script in the malicious zip file.
- For more information please refer to the README file in the tool.
cat README
Now the non-recursive Zip Bomb is ready.
Reference: https://www.bamsoftware.com/hacks/zipbomb/
THANK YOU
- Hari Mypala