Xcode, 2014/03/31

0x00 Background


A few days ago I took a closer look at the file extension spoofing bug in the WinRAR 4.x series, and after some testing I came up with a few new ideas. (To be exact, it is not just extension spoofing: not only the extension but the entire file name can be spoofed.)

The original article already explains the cause of the vulnerability clearly, so I will only summarize it:

The ZIP format stores each entry's file name twice; call them filename1 and filename2. Normally, when an application opens a ZIP, the listing uses filename2, double-clicking an entry also opens it under filename2, and filename1 is only used during extraction. In WinRAR 4.x, however, double-clicking an entry opens it using filename1.

What is the result? Take an .exe file whose filename2 has been changed to readme.txt: when you open the archive in WinRAR 4.x you see a file called readme.txt, but double-clicking it opens the .exe. That is the vulnerability.

The original article shows how to exploit the bug by changing filename2, but the author does it by hand. Can it be scripted? Does filename2 have to be the same length as filename1? Those are the questions this post looks into.

0x01 Details


Before exploring this question, let's review the ZIP format (download appnote.txt for the full specification).

The ZIP format consists of three parts:

1. File content source data
2. Directory source data
3. Directory end identifier structure

For example, a zip file with only one file compressed is in the following format:

[file header]
[file data]
[data descriptor]
[central directory file header]
[end of central directory record]

The key fields are:

[file header]:

Offset   Bytes   Description
18       4       Compressed size
26       2       File name length (n)
28       2       Extra field length (m)
30       n       File name
30+n     m       Extra field


[central directory file header]:

Offset   Bytes   Description
28       2       File name length (n)
30       2       Extra field length (m)
34       2       File comment length (k)


[end of central directory record]:

Offset   Bytes   Description
12       4       Size of central directory (bytes)
16       4       Offset of start of central directory, relative to start of archive

With the basic ZIP format understood, I compared ZIP files produced by WinRAR with ZIP files produced by Windows. The difference is that WinRAR fills the Extra field with some additional data.

Since it was not clear whether the contents of the Extra field affect WinRAR's validation, I ran several tests for different cases. When the length of filename2 is changed and every field that depends on that length (except the Extra field) is updated, the file still opens normally. So the Extra field value does not affect WinRAR's ability to open the ZIP file.

This means an exploit script only needs to change the fields in the ZIP format that are associated with filename2.

Wait, the article also mentions one limitation of this vulnerability: extraction. If you unpack the archive with right-click extract, only filename1 is used, filename2 is ignored, and the vulnerability does not apply. At the end of the article, the author mentions that the RLO (Right-to-Left Override) trick can be used to get around this limitation. So how can RLO be combined with this bug?

Using WinHex to compare a normal ZIP file with a ZIP file whose file name contains the RLO character:

The comparison shows that when a file with an RLO file name is compressed, the resulting format differs slightly. Several tests showed that the information WinRAR adds to the Extra field does not interfere with exploiting the vulnerability.

The two tricks can therefore be combined in a single exploit script.

Take Python as an example:

1. Generate a file whose name contains the RLO character and compress it into a ZIP with WinRAR. In Python, u'\u202e' inserts the RLO override that reverses the rest of the string, and the os.system() function can run the WinRAR command line.
2. Process the data in the ZIP file and change filename2 to the string you want. Walk the ZIP structure in order, replace filename2 with the new string, compute the new length, and update the File name length field for filename2, the Size of central directory field and the Offset of start of central directory field, taking care of the shifted offsets.
3. Write out the new ZIP.
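The field tables in 0x01 and the three steps above come down to the same handful of offsets. As an added example, written from the detection side and not the post's winrarexp.py, here is a Python checker that reads those fields, pairs each central directory name (filename2) with the local file header name (filename1) and reports an entry where the two differ or where either name carries a bidi override character. The archives at the bottom are constructed fixtures; the equal-length swap helper only exists so the checker has a mismatch to catch.

```python
"""Added example: defender-side check for the two ZIP tricks described above.
It reports
  * NAME_MISMATCH  - filename1 (local header) != filename2 (central directory)
  * RLO / LRO      - a Unicode bidi override character inside a file name
The fixtures at the bottom are constructed test data, not real archives.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"       # end of central directory signature
UTF8_FLAG = 0x0800             # general purpose bit 11: names are UTF-8
BIDI_OVERRIDES = {"\u202d": "LRO", "\u202e": "RLO"}


def _decode_name(raw: bytes, flags: int) -> str:
    # APPNOTE: bit 11 set -> UTF-8, otherwise the historic IBM code page 437
    return raw.decode("utf-8" if flags & UTF8_FLAG else "cp437", errors="replace")


def entry_names(data: bytes):
    """Yield (filename1, filename2) for every entry: the local file header
    name that is used on extraction, and the central directory name that
    the archive listing shows."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    # EOCD offsets 12 and 16: size of, and offset to, the central directory
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end:
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        # three consecutive 2-byte lengths from offset 28: name n, extra m, comment k
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        filename2 = _decode_name(data[pos + 46:pos + 46 + n], flags)
        pos += 46 + n + m + k

        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header signature at {local_off}")
        (lflags,) = struct.unpack_from("<H", data, local_off + 6)
        # local header offset 26: name length n, extra length m; name starts at 30
        ln, _lm = struct.unpack_from("<HH", data, local_off + 26)
        filename1 = _decode_name(data[local_off + 30:local_off + 30 + ln], lflags)
        yield filename1, filename2


def find_spoofing(data: bytes):
    """Return a list of (kind, filename1, filename2) findings; empty if clean."""
    findings = []
    for filename1, filename2 in entry_names(data):
        if filename1 != filename2:
            findings.append(("NAME_MISMATCH", filename1, filename2))
        for ch, label in BIDI_OVERRIDES.items():
            if ch in filename1 or ch in filename2:
                findings.append((label, filename1, filename2))
    return findings


def stdlib_rejects(data: bytes) -> bool:
    """True if Python's zipfile refuses to read an entry because the two
    names differ: its built-in version of the check WinRAR 4.x lacked."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info)
            except zipfile.BadZipFile:
                return True
    return False


# --- constructed fixtures for trying the checker offline -------------------

def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample archive with a single stored entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def swap_central_name(data: bytes, old: bytes, new: bytes) -> bytes:
    """Constructed fixture only: overwrite filename2 in the central directory
    with a name of equal length, so filename1 and every length field stay
    untouched (the same-length case the post asks about)."""
    if len(old) != len(new):
        raise ValueError("fixture keeps lengths equal so no offsets change")
    eocd = data.rfind(EOCD_SIG)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return data[:cd_offset] + data[cd_offset:].replace(old, new, 1)


if __name__ == "__main__":
    clean = build_zip("notes.txt", b"constructed sample text")
    spoofed = swap_central_name(build_zip("setup.exe", b"MZ..."), b"setup.exe", b"notes.txt")
    rlo = build_zip("photo\u202egpj.exe", b"MZ...")
    for label, archive in (("clean", clean), ("spoofed", spoofed), ("rlo", rlo)):
        print(label, find_spoofing(archive), "stdlib rejects:", stdlib_rejects(archive))
```

The checker walks the central directory first because that is what a listing shows, then follows each entry's local header offset (central header offset 42) to fetch the name an extractor would actually use. Python's own zipfile module already refuses to read an entry whose two names disagree, which is exactly the consistency check that makes the spoof visible; the bidi check covers the RLO variant, where both names agree but the displayed order of the characters is misleading.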

A complete exploit script, winrarexp.py, is attached at the end of the article.

This program is for testing and security research only. Do not use it for illegal purposes; otherwise you bear all the consequences.

Usage:

WinrarExp.py [-f <open file>] [-s <forged name>] [-v <reversed string>]

-f is the file to open, for example an .exe. -s is the file name to disguise it as, for example readme.txt. -v is the string to be reversed and is optional: to make the reversed file name read readmeexe.jpg, set this parameter to exe.jpg.

Download: winrarexp.py