29a_fu.zip 29A-7.013

www.pudn.com > 29a_fu.zip > 29A-7.013
 
exploiting winrar 3.10 
 
last friday(24/1), while looking in bugtraq, i found the enclosed advisorie 
(/doc/bugtraq.txt). quickly, my mind started to see the possibilities of a 
exploit over this vulnerability. if it worked as i would expect, sending a 
email with a attached .rar was almost like a autorun: winrar its popular, and 
the vulnerable version is widely used(i was using); and, as its one of the 
first vulnerabilities in archivers to pop in last times, users where not 
attent to the dangers to double-click these files, to inspect their contents. 
 
i first started by hand-constructing a bugged .rar. altought the format was 
very know, this job taked a time: i had to build a setup program to insert 
the right crc32 values in the right places. 
 
as was in advisorie, i just had to put 260 chars after the dot, in filename, 
to trigger the exploit. at crash time, 256 after the dot, its the place to put 
your new EIP, and, in the dword before it, a value that goes inside EBX(who 
care, anyway). at crash time, several places in stack contained addresses 
for our code. there was pointers to the content after the dot, and other to 
the start of filename. perfect. 
 
better yet, several registers where usable to reach these addresses: EBP, EDI 
and, of course, ESP. it dont take too much time: in a couple of minutes, i 
found a JMP [EDI-8], at 0x0047b936, that looked perfect! but not... winrar 
translate high chars(>128), to other ones, and the address was crippled. note 
that i could use 0 as highest byte of my address: it was the last char of my 
buffer, anyway :) 
 
well, so, i did more search. soon a JMP [EBP+18h], in a valid address, 
appeared, as in a dream: 0x0048671a. jusr recompiled, and it work perfect. my 
"A", that i used to fill the buffer, where running as a row of INC ECX. so, 
now to the shellcode... 
 
api usage, in w32 exploits, always cause troubles. but not for winrar: it 
imported almost all apis we need, and some more. with a tool i coded for such 
occasions(/ut/list_iat), i dumped the import list. the only api we need, 
MessageBoxA(), was there. 
 
soon, the high char problem appeared again. high chars where translated to 
something else. but i notice a thing: we had a great variation. thus, by 
using 0xde, instead of oxcc(int 3), after translation, i had a breakpoint in 
the exact place. 
 
faced with this problem, i did the following table(/doc/opcode.bin): 
 
       00 01 02 03   04 05 06 07   08 09 0A 0B   0C 0D 0E 0F 
 
00000  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00010  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00020  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00030  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00040  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00050  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00060  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00070  00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00 ³ 00 00 00 00   ................ 
00080  C7 FC E9 E2 ³ E4 E0 E5 E7 ³ EA EB E8 EF ³ EE EC C4 C5   ÇüéâäàåçêëèïîìÄÅ 
00090  C9 E6 C6 F4 ³ F6 F2 FB F9 ³ FF D6 DC F8 ³ A3 D8 D7 83   ÉæÆôöòûùÿÖÜø£Ø×ƒ 
000A0  E1 ED F3 FA ³ F1 D1 AA BA ³ BF AE AC BD ³ BC A1 AB BB   áíóúñÑªº¿®¬½¼¡«» 
000B0  A6 A6 A6 A6 ³ A6 C1 C2 C0 ³ A9 A6 A6 2B ³ 2B A2 A5 2B   ¦¦¦¦¦ÁÂÀ©¦¦++¢¥+ 
000C0  2B 2D 2D 2B ³ 2D 2B E3 C3 ³ 2B 2B 2D 2D ³ A6 2D 2B A4   +--+-+ãÃ++--¦-+¤ 
000D0  F0 D0 CA CB ³ C8 69 CD CE ³ CF 2B 2B A6 ³ 5F A6 CC AF   ðÐÊËÈiÍÎÏ++¦_¦Ì¯ 
000E0  D3 DF D4 D2 ³ F5 D5 B5 FE ³ DE DA DB D9 ³ FD DD AF B4   ÓßÔÒõÕµþÞÚÛÙýÝ¯´ 
000F0  AD B1 3D BE ³ B6 A7 F7 B8 ³ B0 A8 B7 B9 ³ B3 B2 A6 A0   ±=¾¶§÷¸°¨·¹³²¦  
 
with this table, all the rest of the shellcode coding was very easy. just a 
check in .lst file, and substitution of some high chars for others. 
 
after setting the params for the api call, a db 098h,10h, that translated to 
a db 0ffh,10h,(call eax) after parsing, was placed, and a jmp $, also encoded, 
to hang the process where put at the end, and all was ready for the final 
test. 
 
it worked perfect under w98 and nt4 sp6. my guess its that it also will work 
without problem in any other win32 OS, being the only variable the version of 
winrar: surely, others versions dont have the JMP [EBP+18h] that helped me so 
much here. 
 
vecna/29a